Vendor risk remains cyber insurance's biggest missed issue

Cyber specialists say supply chain exposure, AI exclusions and quantum threats are reshaping cyber underwriting

Vendor risk remains cyber insurance's biggest missed issue

Cyber

By Bryony Garlick

Vendor risk, AI exclusions and quantum computing are emerging as some of the biggest questions facing cyber insurance, specialists said during InsuranceFest 2026 in Santa Monica on July 16.

Speaking during the panel discussion Winning the Cyber Battle with Clients, moderator Keith Savino, CEO of Emergence Insurance, was joined by Garrett Droege, Fintech and Digital Asset Leader at WTW, Nadia Hoyte, Cyber National Practice Advisor at USI Insurance Services, and Fitz Swain, Vice President at RT Specialty, to discuss where cyber cover is evolving and where insureds continue to underestimate their exposure.

Vendor risk remains the biggest concern

Droege argued that third-party exposure continues to be one of the most overlooked cyber risks because many organisations mistakenly assume cyber risk transfers to their suppliers.

"A lot of people think they're outsourcing that – like someone else has the data and so we don't have to worry about it," he said. "If you look up any major event, it almost always involves [a] third party who was in the system that left a back door open somewhere."

Hoyte said organisations often conduct initial due diligence but fail to understand how far their exposure extends through the wider supply chain.

"Very often... they don't necessarily always extend it to who their critical vendors are, what they do for them," she said, adding that many companies rely on a supplier's SOC attestation instead of mapping contractual relationships further down the chain.

As businesses become increasingly reliant on third-party technology providers, insurers are paying closer attention to supply chain exposure and vendor oversight as key underwriting considerations.

AI is creating new coverage questions

Panellists also highlighted growing uncertainty around AI-related exposures as insurers refine policy wordings and underwriting.

Swain said carriers are increasingly introducing AI-specific exclusions into errors and omissions policies, particularly where businesses rely on AI-generated outputs without meaningful human oversight.

"You're starting to see a lot of AI exclusions which are specifically targeting using AI outputs without human intervention," he said, pointing to court filings built on fabricated case law as one example of the risks insurers are beginning to address.

He also warned that cyber and general liability policies are increasingly creating gaps for insureds.

"Now on a lot of GL policies you've got cyber exclusions, so if this comes at fault of that, you're not getting any coverage from your GL carrier in that scenario."

Hoyte questioned whether broad exclusions were the right response, arguing insurers should instead develop more sophisticated underwriting questions around how organisations deploy AI.

The discussion comes as US insurers assess AI-related exposures against a fast-evolving regulatory landscape, with states such as Colorado introducing AI-specific legislation while federal guidance continues to develop.

The panel also returned to a longstanding issue in cyber insurance: the difference between headline policy limits and significantly lower sub-limits for risks such as social engineering and funds transfer fraud.

Quantum risk moves closer

Looking further ahead, Droege said brokers should already be preparing clients for the transition to post-quantum cryptography using guidance published by the US National Institute of Standards and Technology (NIST). He described the potential impact in stark terms.

"If we get a quantum computer in the hands of a bad actor... all of your passwords are gone. So it is the end of the world."

Swain agreed that today's encryption standards would quickly become obsolete.

"Current encryption is out immediately."

While commercially viable quantum attacks remain some way off, Droege encouraged brokers to begin conversations now using the National Institute of Standards and Technology's roadmap for post-quantum cryptography as a practical framework for clients.

Related Stories

Keep up with the latest news and events

Join our mailing list, it’s free!