As cyber threats escalate in frequency and complexity, the gap between risk exposure and insurance protection is widening. Jennifer Wilson, head of cyber at Newfront, said the market remains constrained by inconsistent policy language and slow adaptation to emerging risks. That disconnect is becoming more pronounced as artificial intelligence accelerates both attack sophistication and underwriting uncertainty. For brokers and risk leaders, the implications are increasingly material.
At the core of the issue is a lack of standardization across insurers, which continues to complicate policy comparisons and coverage decisions. Wilson said each carrier approaches cyber risk with its own definitions, limits, and exclusions, making it difficult to align policies against a consistent benchmark. “It’s very difficult to compare apples to apples from one quote to another,” she said. The result is a fragmented landscape where coverage gaps are often hidden in plain sight.
This inconsistency is compounded by the pace of change in cyber risk itself. Policies are being updated more frequently, but not always fast enough to reflect real-world threats. “Insurance moves slowly, and it’s very difficult to get policy language to meet up with the current types of attacks we’re seeing,” Wilson said. The absence of clear, affirmative language around AI-related exposures illustrates the challenge, leaving brokers negotiating bespoke terms on a case-by-case basis.
A significant contributor to these gaps is the reliance on non-specialist brokers. Many organizations continue to place cyber coverage through generalist advisors who may lack the depth required to interpret evolving policy language. Wilson said this creates a structural vulnerability in the market. “Because cyber is specialized and constantly evolving, the best way to properly protect your business is to work with a broker that has dedicated cyber expertise rather than a generalist broker,” she said.
The issue is not simply technical complexity but the frequency of change. Policy revisions that once occurred every few years are now happening quarterly. Without continuous engagement in the cyber market, both brokers and clients risk missing critical shifts in coverage terms. “If you’re not in it daily, you’re going to miss something,” Wilson said.
At the same time, underwriting expectations are expanding beyond traditional cybersecurity controls. Insurers are increasingly focused on business practices, particularly around data usage and privacy. The rise in third-party litigation tied to data collection and consent has introduced new scrutiny. Underwriters are now asking detailed questions about how organizations collect, store, and share information, reflecting a broader shift from technical controls to governance and disclosure.
This shift is forcing organizations to rethink their approach to cyber risk. Meeting baseline security requirements is no longer sufficient to secure or maintain coverage. Wilson said companies need to adopt a more integrated, enterprise-wide perspective. “They shouldn’t be relying on cybersecurity controls alone,” she said.
Effective risk management now requires coordination across legal, compliance, IT, and executive leadership. Employee training, particularly around phishing and wire fraud, remains a critical line of defense. At the same time, incident response planning has emerged as a defining factor in both resilience and insurability.
Wilson emphasized the importance of pre-breach preparation, including clear protocols and alignment with insurers and legal counsel. “A company knowing what they’re going to do and who they’re going to call in the event of a cyber attack” is essential, she said. This includes pre-selecting panel firms and conducting conflict checks in advance to avoid delays during an incident.
One recurring failure point is the absence of a defined position on ransomware payments. Without a clear strategy, organizations can lose valuable time during an attack, exacerbating both operational and reputational damage. Wilson described a healthcare case where internal indecision prolonged the crisis while threat actors escalated pressure on patients. The episode underscores how operational readiness can directly influence claim outcomes and business continuity.
The evolution of cyber insurance is likely to be shaped by the industry’s response to AI. While some have proposed standalone AI policies, Wilson argued that such an approach is impractical. “AI is not a separate coverage type. It’s a process,” she said.
Instead, the future of coverage will depend on embedding AI considerations into existing policies across multiple lines. This includes not only cyber policies but also professional liability, general liability, and employment practices coverage. As AI becomes integral to business operations, its risks will manifest in diverse ways, from discrimination claims to bodily injury scenarios involving automated systems.
The industry faces a structural challenge: aligning coverage with a threat landscape that is both dynamic and difficult to model. For brokers and risk managers, the priority is shifting from price optimization to strategic risk transfer. In that environment, expertise, preparation, and policy clarity will determine who is adequately protected—and who is not.