Aon has called for stronger cyber risk management practices as artificial intelligence rapidly reshapes the threat landscape, following an April 2026 open letter from the UK government warning that AI cyber capabilities are advancing faster than previously expected.
The government's letter to UK business leaders said AI is now capable of finding weaknesses in software and writing code to exploit them at a speed and scale that would have been impossible even a year ago.
Aon said AI can amplify existing cyber risks by automating reconnaissance, generating highly tailored phishing and social engineering campaigns, and enabling larger-scale attacks, with capabilities once limited to well-resources threat actors becoming increasingly accessible to less sophisticated actors.
Rob Kemp, CEO of Commercial Risk in the UK for Aon, said the firm's recent Global Risk Management Survey found cyber-attacks and data breaches remain the top enterprise risk in 2026, a trend expected to continue into 2028.
He said many businesses describe themselves as only somewhat prepared at best, citing fragmented governance and limited testing of AI-driven incident scenarios, while some organisations are still treating AI as a future issue and delaying critical cyber risk management strategies.
Aon said AI has not changed the fundamentals of cyber risk management but has significantly increased the scale and likelihood of attacks, and is encouraging businesses to focus on core controls and stress-test them against AI-enabled scenarios.
The firm's recommended actions span getting core IT hygiene right, including patching, vulnerability remediation and decommissioning end-of-life systems, alongside regular staff training on phishing and social engineering. It also advised reassessing cyber resilience and insurance by updating loss scenarios and checking whether existing policies respond to AI-related incidents, updating threat modelling to map AI-enabled attacks against existing controls, strengthening board-level governance through a dedicated AI risk dashboard, and testing incident response plans through tabletop exercises involving legal and insurance partners.
The same AI capabilities Aon is warning about, faster reconnaissance and exploitation, also make it harder to quickly attribute an attack to a specific actor, a problem the Lloyd's market is already grappling with in how it structures cyber coverage.
The Lloyd's Market Association's LMA5567A/B clauses, updated in 2026, shift the test for excluding state-backed cyberattacks away from simply attributing an attack to a state and towards whether the attack caused significant impairment at a national infrastructure level, refining exclusions first introduced in 2022 following the Russia-Ukraine war rather than retreating from writing the class altogether.
The broader UK cyber insurance market remains highly competitive even as these risks evolve. Marsh's 2026 UK cyber outlook has described rising demand and expanded insurer capacity keeping premiums relatively low, with new products addressing AI-specific risk beginning to emerge.
That soft pricing sits alongside tightening regulation, with the UK's Cyber Security and Resilience Bill expected to expand mandatory security and incident reporting requirements to a wider range of managed service providers, data centres and critical suppliers during 2026. High-profile incidents, including the 2025 cyberattack on Jaguar Land Rover, have been cited as a key driver of rising cyber insurance awareness among UK businesses, including smaller enterprises historically underinsured against cyber risk.
"Many businesses describe themselves as 'somewhat prepared' at best, citing fragmented governance and limited testing of AI-driven incident scenarios," Kemp said, adding that some organisations are still viewing AI as a future issue and delaying the implementation of critical cyber risk management strategies.
That gap between rising AI-enabled threats and still-developing governance is exactly what the London market's own exclusion wordings are now being recalibrated to address, suggesting insurers and risk managers alike are still catching up to a threat that is moving faster than either side's frameworks.