AI is outpacing cyber governance, London insurers warn

TL;DR:

  • Aon is urging stronger cyber risk management after an April government letter warned AI can now find software weaknesses and write exploits at previously impossible speed.
  • Lloyd’s updated LMA5567A/B clauses shift state-attack exclusions from attributing an attack to a state towards measuring national-level infrastructure impairment.
  • The Cyber Security and Resilience Bill is set to widen mandatory reporting to more managed service providers, data centres and critical suppliers during 2026.

The gap between AI-accelerated cyber attacks and the frameworks meant to govern them is widening, according to the London insurance market. Aon’s UK commercial risk chief Rob Kemp says the firm’s Global Risk Management Survey has cyber attacks and data breaches as the top enterprise risk through to 2028, with many businesses describing themselves as only somewhat prepared — citing fragmented governance and limited testing of AI-driven incident scenarios.

Aon’s argument is that AI has not changed the fundamentals of cyber risk, but has sharply increased the scale and likelihood of attacks. Its prescription is unglamorous: patching, vulnerability remediation and phishing training, stress-tested against AI-enabled scenarios — including checking whether existing insurance policies actually respond to AI-related incidents.

The same capabilities speeding up attacks — faster reconnaissance, automated exploitation, harder-to-trace attack chains — also make attribution slower. That matters for coverage. The Lloyd’s Market Association’s LMA5567A/B clauses, updated this year, move the exclusion test for state-backed attacks away from attributing an attack to a state and towards whether it significantly impaired national infrastructure — a practical admission that attribution-based tests break down as attacks get faster and better obfuscated.

A competitive market despite the threat

Premiums remain relatively low, with Marsh’s 2026 UK outlook describing rising demand met by expanded insurer capacity and the first AI-specific products emerging. Awareness is growing too, helped by high-profile incidents such as the 2025 Jaguar Land Rover attack — a pattern consistent with the stubborn 43% UK breach rate reported this week. Smaller UK enterprises, historically underinsured against cyber risk, are increasingly buying cover.

Looking forward

The Cyber Security and Resilience Bill should bring many more managed service providers, data centres and critical suppliers under formal security and reporting obligations this year — just as AI raises the underlying threat. For UK firms, the practical takeaway is Aon’s: treat AI-enabled attack scenarios as a present-day test of controls and policy wordings, not a future issue.