Aon has called for stronger cyber risk management practices following an April 2026 open letter from the UK government warning that AI is now capable of finding software weaknesses and writing exploits at a speed and scale that would have been impossible even a year ago. Rob Kemp, CEO of Commercial Risk in the UK for Aon, said the firm's Global Risk Management Survey found cyber attacks and data breaches remain the top enterprise risk in 2026, expected to continue into 2028, with many businesses describing themselves as only somewhat prepared - citing fragmented governance and limited testing of AI-driven incident scenarios. Some organisations are still treating AI as a future issue and delaying critical cyber risk management strategies, Kemp said.
Aon said AI has not changed the fundamentals of cyber risk management but has significantly increased the scale and likelihood of attacks. It is encouraging businesses to focus on core controls - patching, vulnerability remediation, staff training on phishing and social engineering - and stress-test them against AI-enabled scenarios, including checking whether existing policies respond to AI-related incidents.
The same AI capabilities accelerating attacks - faster reconnaissance, automated exploitation, harder-to-trace attack chains - also make it harder to quickly attribute an attack to a specific actor. That attribution difficulty is directly relevant to how the Lloyd's market structures cyber coverage. The LMA's LMA5567A/B clauses, updated in 2026, shift the exclusion test for state-backed cyberattacks away from attributing an attack to a state and toward whether it caused significant impairment at a national infrastructure level - refining exclusions first introduced in 2022 following the Russia-Ukraine war rather than retreating from writing the class. The wording update reflects a practical recognition that attribution-based exclusion tests become harder to apply as attack speed and obfuscation both increase.
The UK cyber insurance market remains highly competitive despite the evolving threat environment. Marsh's 2026 UK cyber outlook describes rising demand and expanded insurer capacity keeping premiums relatively low, with new products addressing AI-specific risk beginning to emerge. The UK's Cyber Security and Resilience Bill is expected to expand mandatory security and incident reporting requirements to a wider range of managed service providers, data centres and critical suppliers during 2026 - broadening the population of organisations with formal cyber obligations at the same moment AI is making the underlying threat more severe. High-profile incidents including the 2025 cyberattack on Jaguar Land Rover have driven rising cyber insurance awareness among UK businesses, including smaller enterprises historically underinsured against cyber risk.
The gap between rising AI-enabled threats and still-developing governance - in both corporate risk management and insurance market exclusion wordings - suggests insurers and risk managers alike are still catching up to a threat moving faster than either side's frameworks.