AI is not the enemy: Five biggest drivers of cyber claims in 2025

While AI grabs headlines, Marsh exec says the true cyber exposures lie elsewhere…

By Gia Snape

While artificial intelligence (AI) has captured headlines – for good or ill – it’s often mischaracterized as the primary cyber threat. In reality, AI is not a cyber risk in and of itself; it’s a force multiplier that amplifies existing risks across the enterprise.

According to Meredith Schnur, cyber practice leader for Marsh in the US and Canada, the true drivers of cyber claims in 2025 are more nuanced and systemic.

Speaking to Insurance Business, she outlined the five most significant drivers of cyber claims currently shaping the insurance landscape: non-breach privacy claims, supply chain events, organized criminal groups, non-malicious incidents, and the amplification effects of AI.

Non-breach privacy claims: The “sleeper risk” in cyber

For decades, privacy-related cyber claims largely focused on breaches: unauthorized access to data and the resulting liability. But over the past two years, the terrain has shifted dramatically, according to Schnur.

Regulatory scrutiny is no longer limited to breaches; it now encompasses how companies collect, store, use, and share data, even when no data leak occurs.

“We’re seeing huge regulatory activity, from active states to new and old federal legislation,” Schnur said.

A key example is the surge in litigation around pixel tracking and Video Privacy Protection Act (VPPA) violations. Even legacy statutes are gaining new relevance as plaintiffs explore novel privacy angles.

In 2024 alone, Schnur said Marsh logged over 2,000 cyber-related claims, with roughly 75% still unresolved. Many of these claims fall under the non-breach privacy umbrella.

“The challenge with these claims is that they tend to have a much longer tail than something like ransomware, which is fast-moving and high-pressure,” Schnur said. “These privacy claims are starting to survive motions to dismiss, and that's a game-changer.”

As courts become more receptive to these arguments, companies across all sectors, not just traditional media or healthcare, are increasingly exposed.

Supply chain incidents: The new normal of systemic risk

Since the landmark SolarWinds attack in 2020, supply chain vulnerabilities have escalated both in frequency and impact. The MOVEit vulnerability in late 2023 and subsequent incidents involving Change Healthcare, CrowdStrike, and Oracle illustrate the growing interdependency between vendors and clients.

The ripple effects are profound, creating not only operational disruption but also a cascade of insurance claims across industries. Despite the scale of these incidents, Schnur said that they haven’t yet triggered changes in underwriting behavior.

She said that while reinsurers flagged systemic risk in 2023, total losses have not been material enough to transform pricing models or policy language.

Still, awareness is rising, and both carriers and clients are more focused than ever on managing vendor risk.

“These events are front and center. Some of these overlap with other risks, too. They're not mutually exclusive,” Schnur said.

Evolving threat actors: Smarter, faster, global

While geopolitical dynamics remain relevant, Schnur’s core concern with cybercriminals is their increasing sophistication. Threat actors like Scattered Spider, a notorious group of hackers linked to the recent ransomware attacks on UK retail giant Marks & Spencer, exemplify this trend.

Some groups are able to disappear and reemerge in new geographies with evolved tactics. “They’re maturing faster than we are,” Schnur said. “They regroup, adapt, and reattack.”

Whether driven by financial motives or ideology, these actors are also leveraging advanced tools and social engineering with alarming effectiveness.

The insurance market has responded by encouraging stronger endpoint protection, multi-factor authentication, and incident response planning. But the cat-and-mouse game continues, with attackers consistently finding new angles of entry.

Non-malicious events: When accidents cause catastrophes

Cyber threats aren’t always malicious. In 2024, the most significant cyber incident to date stemmed not from a hacker but from a software update error. A CrowdStrike patch inadvertently caused massive system outages for clients around the world.

“That event changed the conversation,” Schnur said. “What that showed is that cyber policies don’t just cover malicious acts, they also cover non-malicious and unintentional ones.”

However, Schnur found a silver lining in that hugely disruptive event: it prompted cyber insureds to ask whether unintentional and non-malicious acts were covered. “The answer is yes – if you have a well-crafted policy,” she said. “So, this is now a major area of focus.”

AI as an amplifier, not a standalone risk

Perhaps the most misunderstood element in today’s cyber risk equation is AI. Whether it’s deepfakes compromising executives, AI-powered phishing scams, or synthetic identity fraud, the technology intensifies existing exposures rather than creating wholly new ones.

This distinction is crucial, according to Schnur. Most insureds are not developing AI models from scratch but deploying commercial tools that layer over their existing operations. As a result, AI exacerbates vulnerabilities tied to privacy, supply chain, criminal exploitation, and unintentional disruptions.

“Unless you're developing the models themselves, using AI simply amplifies existing risks,” Schnur said.

Has the cyber insurance market matured?

Despite these growing and evolving risks, the cyber insurance market has shown resilience.

Claims severity has risen, especially with high-profile systemic events and persistent privacy litigation. At the same time, Schnur said, underwriting practices have become more refined, and clients, particularly those in the mid-market and enterprise tiers, are significantly more cyber-savvy than they were five years ago.

“The market hasn’t panicked,” Schnur said. “Yes, we’ve had some big losses, but not enough to derail profitability or provoke wholesale changes in coverage.”

Indeed, one of the most positive developments has been the increased collaboration between insurers, brokers, and clients. Underwriters are developing more bespoke coverage, while brokers are spending more time analyzing the fine print, especially around exclusions and ambiguous language.

Clients, in turn, are investing in internal cybersecurity maturity, building stronger governance frameworks, and preparing for scenarios far beyond ransomware. However, one risk still drives significant concern, something brokers should help address as cyber threats diversify and expand.

“They’re more comfortable with cyber risk, but (at the same time) are still totally uncomfortable with it,” said Schnur. “They’re still learning how to be comfortable in the uncomfortable.”
