How Can AI Enhance Cybersecurity Against Evolving Threats?

I’m thrilled to sit down with Simon Glairy, a renowned expert in insurance and Insurtech, particularly known for his deep insights into risk management and AI-driven risk assessment. With cyber threats evolving at an unprecedented pace, Simon’s expertise offers a critical perspective on how businesses can navigate this complex landscape. In our conversation, we explore the shifting nature of cyber risks, the expanding role of cyber insurance, common vulnerabilities businesses face, and the impact of emerging technologies like AI on cybersecurity. We also delve into strategies for managing third-party risks and the specific challenges certain industries encounter in this digital age.

How have cyber risks transformed for businesses in recent years, and what specific threats are keeping companies on edge?

Cyber risks have undergone a dramatic shift in recent years, largely due to the increasing sophistication and frequency of attacks. Ransomware has become the dominant concern, surpassing even large-scale data breaches of sensitive information, which used to be the primary focus. We’re seeing more advanced phishing, spoofing, and business email compromise attacks that target organizations across all sectors. The speed at which threat actors adapt to new defenses is staggering—they’re constantly innovating to bypass the latest security measures. This means businesses are not just worried about financial loss but also operational disruption and reputational damage from these evolving threats.

What role does cyber insurance play in today’s business world, and how has it grown beyond just financial protection?

Cyber insurance has become a cornerstone of modern business risk management, evolving far beyond a simple financial safety net. Today, it’s about partnership and prevention as much as it is about payouts. Many policies now include proactive services, like guidance on securing networks or prioritizing security investments, as well as robust response support when an incident occurs. It’s integrated into a company’s broader cybersecurity strategy, helping to shape incident response plans and risk mitigation efforts. Essentially, cyber insurance is a tool that not only helps recover from an attack but also works to prevent one in the first place by embedding itself into the organization’s security culture.

What are some persistent vulnerabilities that businesses still struggle with when it comes to cyber risks?

Despite growing awareness, businesses often fall short in a few key areas. Human error remains a huge vulnerability—whether it’s inadequate employee training or poor cyber hygiene, like clicking on phishing links. Vendor exposures are another weak spot, as third-party connections can open unexpected doors to attackers. While companies are getting more cyber-savvy, the gap lies in consistent implementation. It’s not enough to have security controls in place; they need continuous monitoring and updates. Without embedding cybersecurity into the company’s culture—across hiring, vendor management, and daily operations—these vulnerabilities persist.

What common mistakes do you see businesses making that increase their exposure to cyber attacks?

One of the biggest mistakes is failing to test and maintain baseline security measures. For example, many companies have backup systems in place but don’t regularly test them, only to find they don’t work when needed most. Similarly, patching systems or decommissioning old tech often gets delayed or overlooked, leaving gaps for attackers to exploit. Another surprising error is insufficient follow-through on training—employees might go through phishing exercises, but if there’s no reinforcement or safe way to report mistakes, the lessons don’t stick. It’s not just about having a plan; it’s about living and breathing it through regular practice and accountability.

How can businesses better address the cyber risks posed by third-party vendors?

Managing third-party risks starts with treating them as if they’re your own. Businesses need to conduct thorough due diligence before onboarding vendors, ensuring strict contractual requirements for security controls and service level agreements. Segmenting vendor access to your network is critical—don’t give them free rein. I also advocate for having backup or redundant vendors in place for critical functions. This way, if one vendor is compromised, you can quickly switch to another without major disruption. It’s about minimizing impact through preparation and viewing vendor risk as an extension of your own security posture.

Are there particular industries that seem to be more at risk for cyber attacks, and if so, why?

Absolutely, certain industries stand out as prime targets. Healthcare, for instance, is often hit due to the sensitive data they hold and the regulatory pressures they face, making them ripe for extortion. Power and utility companies are also vulnerable because of their critical role in infrastructure—disrupting them can cause widespread chaos, which some threat actors now aim for beyond just financial gain. We’re seeing a shift in motivation from pure profit to causing operational destruction or public fear. Industries with high-value data or systemic importance are increasingly in the crosshairs, and their underfunded security budgets in some cases only worsen the risk.

How is artificial intelligence reshaping the cybersecurity landscape for businesses, both as a threat and a defense?

AI is a double-edged sword in cybersecurity. On one hand, threat actors are using it to automate attacks, exploit vulnerabilities faster, and scale their impact, particularly with ransomware. It’s accelerating the evolution of threats in ways we’ve never seen before. On the flip side, AI is a powerful defensive tool. It helps companies detect threats more quickly, respond efficiently, and strengthen overall resilience. Businesses are using AI to scale internal protections, speed up communication during incidents, and enhance business continuity plans. The key is staying proactive—since attackers are leveraging AI, defenders must keep pace by adopting it as well.

What’s your forecast for the future of cybersecurity and cyber insurance over the next few years?

Looking ahead, I expect cybersecurity to become even more integrated into every facet of business operations as threats continue to evolve at breakneck speed. Ransomware will likely grow in sophistication, and we’ll see more systemic attacks targeting shared exposures, like third-party vendors critical to multiple industries. Cyber insurance will need to adapt by offering even more tailored, proactive solutions—think deeper partnerships with clients to build resilience before an attack happens. I also anticipate AI will play a bigger role on both sides, with defenders using it to predict and prevent incidents while attackers find new ways to exploit it. The next few years will demand agility, collaboration, and a shift from mere recovery to true resilience.
