When the heads of western intelligence agencies issue a joint statement, people pay attention. When they say the threat is measured in months - not years - the insurance profession needs to sit up and take notice.
That's exactly what happened on Sunday, when the leaders of the Five Eyes cybersecurity agencies, including the UK's own Richard Horne, CEO of the National Cyber Security Centre, signed off on a three-page document with a blunt title: The AI Shift in Cyber Risk: Why Leaders Must Act Now.
The central finding: frontier AI models are about to "fundamentally transform both offensive and defensive cyber capabilities." Their timeline? "Not years, it is months."
This isn't a theoretical warning. It's a fire alarm.
AI has handed threat actors a serious upgrade. Attacks are faster, more sophisticated, and capable of hitting more targets at once. The gap between a vulnerability being discovered and being weaponised, a window that used to give security teams breathing room, is shrinking fast.
"AI is not a future consideration, it is already here," the statement reads. "It lowers barriers for malicious actors and increases the speed and complexity of attacks, shrinking the window between vulnerability discovery and exploitation ever more quickly."
The advisory was co-signed by the heads of CISA and the NSA in the US, Canada's Centre for Cyber Security, and the cyber agencies of Australia and New Zealand. Five nations, one message: this is urgent.
The statement also made clear that breaches will happen, and that being ready to contain the damage matters more now than trying to stop every attack. "Preparedness helps you contain them quickly and prevent escalation into major operational and financial crises," the agencies wrote.
The UK cyber insurance market has been through a long soft cycle. Rates have been falling, competition has been fierce, and some carriers have been underwriting as if the risk environment were broadly stable.
It isn't. Executives at major insurers and reinsurers have acknowledged the market has yet to fully price in the risks posed by AI-enabled attacks, despite a string of near misses involving cloud outages, ransomware and third-party vendor failures.
Adrien Robinson of The Hartford told Insurance Business earlier this year that cyber pricing felt "a little disconnected" from the actual trajectory of risk, drawing a comparison with the long-ignored gap between climate science and natural catastrophe pricing. We know how that story ended.
Jeffrey Gonlin, chief underwriter at Emergence Insurance, speaking to Insurance Business Australia earlier this month, put the stakes in starker terms. AI-driven cyber criminality, he argued, is not a new threat category so much as an accelerant applied to existing ones. "It might be that AI just makes everybody a super cyber criminal, and that turbocharges everything," he said.
The Five Eyes warning could be the moment that shifts the conversation at underwriting committees across the London market.
It's not just pricing. It's coverage itself that's at stake.
George Grimshaw at Clear Group warned in April that if frontier AI models end up in the wrong hands, "the frequency and severity of the claims can just shoot up massively." He also flagged the possibility of AI-enabled attack exclusions appearing in cyber wordings, and, in a worst-case scenario, a Lloyd's-level intervention treating AI-driven attacks as a systemic risk, along the lines of what the market did with war exclusions.
If that happens, a large chunk of future attacks - the very attacks the Five Eyes are warning about - could fall outside the scope of standard policies. That's a problem for clients and a credibility problem for the profession.
Ed Ventham of Assured urged clients not to lose sight of fundamentals, but his more pointed message was on coverage. "As it stands, we have not seen any exclusions brought in for AI - however we would encourage businesses to be asking for AI to be affirmatively covered within their policy to avoid any potential knee-jerk changes from a potential upcoming and heightened risk landscape."
The Five Eyes advisory sets out five practical steps that translate directly into client conversations.
Reduce attack surfaces. Patch faster. Deal with legacy systems, the statement calls them "strategic liabilities," not just technical debt. Tighten identity and access controls. And plan for incidents before they hit.
Brokers having these conversations now, and helping clients evidence their controls, will be better placed when the market hardens. Those who aren't will have some awkward calls to make.
QBE research found 75% of UK businesses are worried about cyber risks from their suppliers' use of AI, but only 28% have taken steps to audit those third parties. That gap is exactly the kind of thing that ends up in a claims file.
The Five Eyes agencies put it plainly: "Leaders who act now will reduce exposure, strengthen resilience, and build confidence with customers, partners, and investors. Those who delay will face growing and avoidable risk."
Consider that considerably more than a nudge.
