Vendor risk remains cyber insurance's biggest missed issue

Cyber specialists say supply chain exposure, AI exclusions and quantum threats are reshaping underwriting on both sides of the Atlantic

Vendor risk remains cyber insurance's biggest missed issue

Cyber

By Bryony Garlick

Vendor risk, AI exclusions and quantum computing are emerging as some of the biggest questions facing cyber insurance, specialists said during InsuranceFest 2026 in Santa Monica on July 16, as many of the same issues become increasingly familiar to UK brokers and underwriters.

Speaking during the panel discussion Winning the Cyber Battle with Clients, moderator Keith Savino of Emergence Insurance was joined by Garrett Droege of Willis, Nadia Hoyte of USI Insurance Services and Fitz Swain of RT Specialty to discuss where cyber cover is evolving and where insureds continue to underestimate their exposure.

Although the discussion focused on the US market, many of the themes mirror challenges already facing UK insurers as supply chain risk, AI adoption and emerging technologies reshape cyber underwriting.

Vendor risk remains the biggest concern

Droege argued that third-party exposure continues to be one of the most overlooked cyber risks because many organisations mistakenly assume cyber risk transfers to their suppliers.

"A lot of people think they're outsourcing that – like someone else has the data and so we don't have to worry about it," he said. "If you look up any major event, it almost always involves [a] third party who was in the system that left a back door open somewhere."

Hoyte said organisations often conduct initial due diligence but fail to understand how far their exposure extends through the wider supply chain.

"Very often... they don't necessarily always extend it to who their critical vendors are, what they do for them," she said, adding that many companies rely on a supplier's SOC attestation instead of mapping contractual relationships further down the chain.

The issue is becoming increasingly relevant for UK insurers as businesses adopt AI tools across their supply chains. Recent research suggests many UK firms remain concerned about vendor-related cyber threats, while relatively few actively assess how suppliers are using AI or managing cyber risk.

AI is creating new coverage questions

Panellists also highlighted growing uncertainty around AI-related exposures as insurers refine policy wordings and underwriting.

Swain said carriers are increasingly introducing AI-specific exclusions into errors and omissions policies, particularly where businesses rely on AI-generated outputs without meaningful human oversight.

"You're starting to see a lot of AI exclusions which are specifically targeting using AI outputs without human intervention," he said, pointing to court filings built on fabricated case law as one example of the risks insurers are beginning to address.

He also warned that cyber and general liability policies are increasingly creating gaps for insureds.

"Now on a lot of GL policies you've got cyber exclusions, so if this comes at fault of that, you're not getting any coverage from your GL carrier in that scenario."

Hoyte questioned whether broad exclusions were the right response, arguing insurers should instead develop more sophisticated underwriting questions around how organisations deploy AI.

The discussion comes as UK insurers adapt to a principles-based regulatory framework rather than a standalone AI Act. Existing guidance from the Information Commissioner's Office and UK GDPR requirements remain central to assessing AI-related cyber exposures, while many insurers are reviewing how emerging AI risks should be reflected within policy wordings.

The panel also returned to a longstanding issue in cyber insurance: the difference between headline policy limits and significantly lower sub-limits for risks such as social engineering and funds transfer fraud. Similar discussions are already taking place in the UK market as business email compromise losses continue to drive claims.

Quantum risk moves closer

Looking further ahead, Droege said brokers should already be preparing clients for the transition to post-quantum cryptography using guidance published by the US National Institute of Standards and Technology (NIST). He described the potential impact in stark terms.

"If we get a quantum computer in the hands of a bad actor... all of your passwords are gone. So it is the end of the world."

Swain agreed that today's encryption standards would quickly become obsolete.

"Current encryption is out immediately."

While commercially viable quantum attacks remain some way off, UK organisations already have a roadmap for preparing. The National Cyber Security Centre has published a phased transition to post-quantum cryptography through to 2035, giving brokers and insurers a practical framework for conversations that many expect will become increasingly important over the next decade.

 

Related Stories

Keep up with the latest news and events

Join our mailing list, it’s free!