Can UK Businesses Bridge the Growing AI Governance Gap?

Simon Glairy is a veteran in the insurance and Insurtech space, specializing in the intersection of artificial intelligence and enterprise risk management. As UK firms grapple with a digital landscape where AI tools are ubiquitous but oversight remains fragmented, his insights provide a crucial roadmap for balancing technological progress with fiscal and operational safety. This discussion explores the widening gap between AI adoption and governance, the critical vulnerabilities in modern supply chains, and the evolving financial consequences of digital breaches.

With AI adoption reaching nearly 100% while only about a third of firms have formal governance, how do you manage this imbalance? What specific steps should leaders take to close this oversight gap without slowing down innovation?

It is a striking reality that 97% of UK firms are now using or exploring AI, yet only 35% have a formal governance policy in place. To manage this imbalance, leaders must recognize that speed without safety creates a fragile foundation that can crumble under the first sign of a cyber threat. The first step is to implement a living governance framework that evolves alongside the technology, ensuring that innovation doesn’t outpace the legal and ethical guardrails required for stability. We need to move away from viewing oversight as a “check-the-box” activity and instead weave it into the very fabric of the development cycle to prevent catastrophic oversights. By establishing clear usage boundaries now, firms can avoid the frantic, expensive scramble to retrofit security after a major incident has already occurred.

Three-quarters of businesses express concern about vendor AI risks, yet fewer than 30% audit their third-party systems. Why does this disconnect exist, and what metrics should a company prioritize when evaluating a supplier’s AI security?

There is a palpable sense of anxiety in the market, with 75% of businesses worried about vendor AI risks, yet there is a baffling disconnect where only 28% actually audit those third-party systems. This gap often exists because many companies feel overwhelmed by the technical complexity of their partners’ tech stacks or fear that intrusive audits might damage commercial relationships. When evaluating a supplier, metrics should shift toward total transparency in data handling and the frequency of their own internal AI security stress tests. Relying on blind trust in an era of 12,000 confirmed worldwide breaches is no longer a viable strategy for any firm that values its long-term integrity. It is time to treat third-party security as a non-negotiable component of the procurement process rather than an optional afterthought.

The share of businesses experiencing cyber events is rising, with many incidents linked directly to suppliers. How should companies restructure their supply chain contracts, and what specific vetting procedures can prevent a breach at a partner from compromising the main network?

With 59% of cyber incidents now linked to suppliers—and 22% of companies reporting that most or all of their attacks involve a third party—the traditional, hands-off contract is effectively dead. Businesses must restructure these agreements to include mandatory, real-time security reporting and “right-to-audit” clauses that are actually exercised on a regular basis. Vetting procedures need to be more than just static questionnaires; they should involve active technical testing and isolated network environments for vendor access to ensure a breach at a partner doesn’t cascade into the main network. The feeling of vulnerability is very real for many executives, but it can be mitigated by treating every supplier as a potential entry point that requires its own hardened perimeter. Taking these aggressive steps helps ensure that a failure in one link of the chain doesn’t lead to a total systemic collapse.

With the average cost of a data breach exceeding $4.4 million and revenue losses climbing, how should firms shift their financial planning? Can you share a scenario where a strong incident response plan significantly mitigated these heavy financial losses?

When the average cost of a breach hits $4.44 million, financial planning must move from a defensive posture to an integrated risk-recovery model. The fact that 59% of firms hit by an incident now suffer direct revenue loss—a significant jump from 50% the previous year—shows that these aren’t just IT issues, but existential business threats. I have seen scenarios where a robust Incident Response Plan, which 82% of firms now possess, turned a potential total shutdown into a manageable 24-hour disruption. Without that plan, the 22% of firms currently suffering more than a full day of downtime can quickly see their recovery costs and reputational damage spiral out of control. Investing in a plan that details exactly who does what during the first golden hour of a breach is the most cost-effective financial strategy a firm can adopt.

Nearly a quarter of cyber incidents now involve AI-driven phishing or business email compromise. How are these sophisticated attacks evolving, and what training protocols can employees follow to distinguish AI-generated threats from legitimate communication?

We are seeing a new frontier of threat where 23% of cyber events are believed to leverage AI, manifesting in sophisticated phishing and business email compromise schemes. These attacks are no longer the clumsy, misspelled emails of the past; they are polished, personalized, and incredibly convincing because they use AI to mimic specific writing styles. Training protocols must move beyond static slideshows and into live simulations that mimic these AI-generated threats, teaching employees to look for subtle anomalies in communication patterns or unexpected requests for sensitive data. When 49% of AI-leveraged incidents involve phishing, the human element remains the most critical—and often most fragile—line of defense in the entire organization. We must empower staff to be skeptics, providing them with the sensory tools to spot the “uncanny valley” of a deepfake or a synthetic email.

Most organizations are increasing their cybersecurity budgets beyond the rate of inflation while maintaining insurance coverage. How should this capital be allocated between technology upgrades and insurance premiums to provide the most robust defense against emerging threats?

With 79% of businesses planning to increase their cybersecurity budgets—and 32% of them by more than the rate of inflation—the focus should be on creating a balanced ecosystem of prevention and protection. Capital should not just be dumped into the newest software; it needs to be split between hardening internal infrastructure and maintaining robust insurance coverage, which currently sits at a steady 76% penetration. This investment strategy provides a financial safety net for when the inevitable happens, ensuring that the firm can survive the “day after” a major breach. It is about buying peace of mind while simultaneously building the walls higher against increasingly complex malware and cloud misconfigurations. A robust defense is never just about one or the other; it is the synergy between high-tech prevention and high-quality financial risk transfer.

What is your forecast for AI governance?

My forecast is that the next 12 to 18 months will see a massive shift from voluntary guidelines to mandatory regulatory compliance as the gap between technology and oversight becomes a public liability. As 82% of UK businesses express ongoing worry about future threats, the pressure on the 65% of firms currently lacking a formal policy will become unbearable from both a legal and an insurance perspective. We will likely see a surge in “AI-specific” insurance riders and a standardization of vendor auditing that mirrors the rigor of traditional financial audits. Companies that fail to close the oversight gap now will find themselves uninsurable or facing insurmountable legal liabilities as the market finally demands accountability for the AI tools that have become so commonplace.