
How to Protect Cyber Insurance Documents

Don't let your cyber insurance policy become your next security vulnerability.


With July marking peak cyber insurance renewal season, thousands of organizations are receiving updated policies that require immediate attention—not just for coverage review but for secure storage. 

This timing is critical: Over the past six months alone, we've witnessed multiple incidents where threat actors obtained copies of cyber insurance policies from client networks and weaponized that information during ransom negotiations. These attackers used coverage details to calibrate their demands, turning the very documents meant to protect organizations into tactical advantages for cybercriminals. 

Your cyber insurance policy is designed to protect your business when attackers strike, but what happens when the policy itself becomes the target?

Enterprise-grade protection for critical documents

Fortunately, this is a solvable problem. Securing your cyber insurance policy requires the same rigor you'd apply to protecting customer data or financial records. 

First, start with the basics. Organizations should limit the number of copies of the policy that exist, because the more copies available, the more likely one is to get into the wrong hands. Then, tightly restrict who has access to the policy – really only someone on your risk team or your finance team needs to know how to locate it. And make sure they know that if they do need to share it with someone, it should only be shared via encrypted email or secure file transfer.

Consider these additional methods to protect your policy:

1. Store the documents in a purpose-built digital vault

Consider enterprise digital vault platforms specifically designed for sensitive document management.

These specialized solutions provide institutional-grade security with advanced encryption protocols that go beyond what standard cloud storage offers. Secure sharing workflows eliminate risky email attachments by providing controlled, authenticated access to documents without exposing them to email security vulnerabilities.

Built-in compliance tools for retention policies and regulatory requirements help ensure you meet legal obligations for document storage and disposal. Granular permission controls including view-only access and watermarking give you fine-tuned control over how documents can be used and shared.

Integration capabilities with existing business processes ensure that enhanced security doesn't disrupt your operational workflows.

2. Store the data in an encrypted state

Move beyond basic cloud storage to solutions that offer end-to-end encryption where even the provider cannot access your data.

The foundation starts with AES-256 encryption for data at rest and TLS for data in transit, ensuring your documents remain protected both while stored and during transfer. Equally important are customer-managed encryption keys stored separately from the data, giving you complete control over who can decrypt your files.

Look for services that offer zero-knowledge architecture, ensuring provider staff cannot view your files even if they wanted to. Finally, verify compliance certifications like ISO 27001, SOC 2, and GDPR readiness to ensure your chosen platform meets enterprise security standards.

Pro tip: Avoid consumer-grade cloud services for business documents. The convenience isn't worth the security trade-offs.

3. Control who can access the stored data

Implement robust access management that goes beyond simple passwords.

Start with role-based access control (RBAC) limiting document access to essential personnel only, ensuring that each user can only access documents relevant to their role and responsibilities. Multi-factor authentication (MFA) for all accounts with document access provides a crucial second layer of defense, significantly reducing the risk of compromised credentials leading to unauthorized access.

Single sign-on (SSO) integration for centralized identity management streamlines administration while maintaining security standards across your organization. Comprehensive audit trails tracking all access attempts and activities provide visibility into who accessed what and when, enabling rapid detection of suspicious behavior.

Finally, regular access reviews to remove orphaned accounts and unnecessary permissions ensure that former employees or users who no longer need access can't inadvertently create security gaps.
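An access review of the kind described above, as an added example that is not part of the original article: it checks a constructed access list for the policy document against a constructed staff roster and audit trail, and reports orphaned accounts, accounts outside the risk and finance teams, accounts without MFA, unused grants, and access attempts by accounts that hold no grant. All account names, field layouts, dates and the 90-day threshold are assumptions.

```python
import csv
import io
from datetime import datetime, timedelta

# Constructed sample data: every account, field name and date is illustrative.
ROSTER_CSV = """user,team,active,mfa
a.ortiz,risk,yes,yes
b.chen,finance,yes,yes
c.patel,finance,yes,no
d.young,it,yes,yes
e.marsh,finance,no,yes
f.lee,risk,yes,yes
"""

# Accounts currently granted access to the stored policy document (constructed).
ACL = ["a.ortiz", "b.chen", "c.patel", "d.young", "e.marsh", "f.lee", "svc-backup"]

# Constructed audit trail: timestamp, account, action, result.
AUDIT_LOG = """2025-07-01T09:12:00 a.ortiz view allowed
2025-07-02T14:03:00 b.chen download allowed
2025-07-03T02:47:00 g.novak view denied
2025-07-03T02:48:00 g.novak view denied
2025-07-05T11:30:00 c.patel view allowed
2025-07-06T23:15:00 e.marsh download allowed
2025-03-01T10:00:00 f.lee view allowed
"""

ALLOWED_TEAMS = {"risk", "finance"}   # assumption, following the article's guidance
STALE_AFTER = timedelta(days=90)      # assumed threshold for an unused grant
REVIEW_DATE = datetime(2025, 7, 10)   # fixed so the sample result is reproducible


def load_roster(text):
    """Index the staff roster by account name."""
    return {row["user"]: row for row in csv.DictReader(io.StringIO(text))}


def parse_audit(text):
    """Parse audit lines into dicts, skipping lines that do not have four fields."""
    events = []
    for line in text.strip().splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        ts, user, action, result = parts
        events.append({"ts": datetime.fromisoformat(ts), "user": user,
                       "action": action, "result": result})
    return events


def review_access(acl, roster, events, now):
    """Return review findings, each a list of account names."""
    # Most recent successful access per account.
    last_ok = {}
    for e in events:
        if e["result"] == "allowed":
            last_ok[e["user"]] = max(e["ts"], last_ok.get(e["user"], e["ts"]))

    findings = {"orphaned": [], "orphaned_with_activity": [], "wrong_team": [],
                "no_mfa": [], "stale": [], "ungranted_attempts": []}
    for user in acl:
        rec = roster.get(user)
        if rec is None or rec["active"] != "yes":
            # Grant held by an account with no active owner on the roster.
            findings["orphaned"].append(user)
            if user in last_ok:
                findings["orphaned_with_activity"].append(user)
            continue
        if rec["team"] not in ALLOWED_TEAMS:
            findings["wrong_team"].append(user)
        if rec["mfa"] != "yes":
            findings["no_mfa"].append(user)
        seen = last_ok.get(user)
        if seen is None or now - seen > STALE_AFTER:
            findings["stale"].append(user)

    # Accounts that tried to reach the document without holding a grant.
    granted = set(acl)
    findings["ungranted_attempts"] = sorted(
        {e["user"] for e in events if e["user"] not in granted})
    return findings


if __name__ == "__main__":
    result = review_access(ACL, load_roster(ROSTER_CSV),
                           parse_audit(AUDIT_LOG), REVIEW_DATE)
    for name, accounts in result.items():
        print(f"{name}: {', '.join(accounts) or '-'}")
```
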

Regulatory alignment and compliance

Your document security strategy should also align with established frameworks:

For U.S. Organizations:

For European Operations:

  • Ensure GDPR compliance for any personal data in policy documents
  • Implement "appropriate technical and organizational measures," including encryption
  • Establish data retention policies and secure deletion procedures
  • Verify that cloud providers offer GDPR-compliant Data Processing Agreements

Your insurance documents deserve insurance-grade security

Cyber insurance exists to protect your business when security controls fail. Shouldn't the policy itself be protected with the same rigor you apply to your most valuable digital assets?

By treating your cyber insurance documents as the high-value targets they truly are, you eliminate a potential attack vector while ensuring these critical protections remain available when you need them most. In an era where every document can become a weapon in the wrong hands, securing your insurance policies isn't just good practice—it's essential risk management.

Cybercriminals already understand the value of your insurance documents. The question is: do you?

The Fraud Fight's New Frontier

Criminal gangs are creating synthetic identities, insuring them and killing them off. Insurers are falling behind in the AI arms race.


Meet Richard Macias. He is 65 years old, born on Dec. 18, 1959. He lives at 2721 Prospect St. in Marlton, N.J.

Richard is 5-foot-7 and weighs 237 pounds. He works as a radar controller, and his mother's maiden name is Walters. Richard has an email address (richardtmacias@jourrapide.com), a phone number (856-596-####), and a Social Security number (136-18-####). He pays for most of his purchases with his Visa card (4532-3836-4287-####, expiring on 4/2028, with a security code of 056).

Richard is also completely made up. 

It took less than a minute to create Richard Macias on a site that will deliver a spreadsheet of thousands of synthetic identities with detailed personal information directly to your inbox – for free. The website's FAQ asserts: "We do not condone, support, or encourage illegal activity of any kind." Information is pulled from available public databases in random combinations. Using the street address as an example, this randomness means, "Odds are that the generated street address is not valid," according to the FAQ.

A different free artificial intelligence (AI) program provided a photo of Richard outside New Jersey's famous theme park, Six Flags Great Adventure. That took less than five minutes.


When he looked a little lonely, that same AI added a troupe of grandkids.


Richard's creators used their knowledge of the dark web and other nefarious corners of the internet to find illicit services that, for a small fee, could produce convincing fake documents such as driver's licenses, passports, bank statements, and medical records.

That effort to bring Richard to some form of life stopped short of committing actual fraud. But many don't stop.

The scale of the problem

The life insurance industry loses an estimated $74.7 billion to fraud each year. The fastest growing form of this fraud involves synthetic identities – fictitious personas like Richard Macias built from a mix of real and fabricated information. 

The cost of synthetic identity fraud in the financial industry has grown from approximately $8 billion in 2020 to more than $30 billion today, a nearly 300% increase in just five years. The Federal Reserve estimates that synthetic identity fraud now accounts for 80%-85% of all identity fraud cases.

Life insurance fraud is a particular target for ne'er-do-wells using synthetic identities. Fraudsters have been known to secure life insurance policies on these fake identities and then "kill them off" to collect benefits. Children younger than 15 years old and elderly populations are particularly vulnerable, as their Social Security numbers are either unused for years or not actively monitored.

Insurance fraud costs the insurance industry more than $308 billion annually.

Connections to organized crime

These schemes are occasionally mentioned as being part of organized crime efforts. While specific statistics on fraudulent death claims tied to organized crime are limited, life insurance fraud represents a massive cost center, with experts warning AI will make it easier and faster to create realistic fake identities – and harder for insurance companies to detect them. 

For example, a recent case in India exposed a multi-state syndicate labeled an "insurance mafia" that created fraudulent life insurance policies for terminally ill or deceased individuals. This group used fake identities and forged documents to siphon the equivalent of $64 million or more from major insurers. 

The challenge with synthetic identity fraud in life insurance is that it can appear to be a victimless crime. Richard Macias and the thousands of synthetic identities that apply for insurance products via the web are not real people, so it can appear that no human being would be harmed in fraudulently creating their profiles – at least initially. This makes these particular schemes incredibly attractive to organized crime groups, which prefer to stay under the radar while raking in millions of dollars in ill-gotten gains.

Of course, these schemes are not victimless. Recouping losses from fraudulent claims drives up premiums for everyone, costing the average family $400-$700 a year in additional premiums, the FBI estimates. 

AI could make this easier and more costly. But it is also making it easier for insurers to fight back.

Building an AI defense system


The same technological advances bad actors are weaponizing to commit fraud, insurance companies can turn into a highly advanced fraud-detection shield. 

Insurers are using new technology, including AI, to fight fraud in numerous innovative and powerful ways. For example:

  • Omnichannel verification – Vetting individuals across multiple channels (digital, phone, in-person) to confirm their authenticity.
  • Machine learning – Analyzing patterns in claims and application data to detect anomalies indicative of synthetic identities or coordinated fraud schemes.
  • Biometric authentication – Using facial recognition, voice analysis, and fingerprint scanning to verify the identity of policyholders and claimants.
  • Cross-industry data sharing – Collaborating with other insurers, banks, and law enforcement to identify and track synthetic identities and organized crime activity.
  • Continuous monitoring – Real-time, 24-hour monitoring of transactions and claims for suspicious activity, enabling faster detection and response.

But less than one-third of respondents in the 2024 U.S. Life Insurance Fraud Survey, conducted by RGA and MIB, indicated they are using algorithms or analytics tools to flag questionable underwriting applications. 

More than 70% of insurers said they are interested in using data analytics or technology-based tools to detect fraudulent applications, but only 5% of carriers currently use AI as part of the fight, and only 24% are actively exploring AI solutions.

Are insurers losing the AI arms race?

Looked at in full, insurers are potentially falling behind in the AI arms race and ceding too much of the battlefield to those who would use AI for harm.

Conclusion: Eliminating Richard Macias

Proving Richard Macias to be fake is not difficult. A search of Google Maps reveals there is no Prospect Street in Marlton, N.J.; calling his phone number leads to the rapid busy signal of an out-of-service line; trying to buy groceries with his Visa card will leave bare cupboards.

That said, it is increasingly easy to create fake people with addresses, phone numbers, and credit cards that can pass for the real thing and be tapped to commit costly fraud that hurts insurance companies' reputations – and their customers' wallets.

The key for insurers is to use the very tools that criminals weaponize to augment the fraud-detection skills of their employees and create a potent one-two counterpunch against illegal activity. One smart path forward is for insurers to partner with experts in technology-driven anti-fraud solutions to rapidly scale their fraud-fighting arsenal to meet the growing challenge.

You can register for the 13th Annual RGA Fraud Conference here: https://events.bizzabo.com/715418


Colin DeForge


Colin DeForge is vice president, underwriting, at RGA. He supports the midsize accounts team within U.S. Facultative Underwriting and U.S. Individual Life Business Development. 

He is also lead for RGA’s Fraud and Criminal History Specialty Team and part of RGA’s Fraud Conference planning committee.

Prior to joining RGA, DeForge was director, individual life underwriting shared services at Voya Financial. He also worked for Phoenix Life Insurance.

He holds a bachelor of science degree in psychology, with minors in neuropsychology and business management, and is a graduate of the University of Massachusetts, Amherst. He previously served on the executive board of the Hartford/Springfield Underwriting Association as president and treasurer.


Jennifer Johnson


Jennifer Johnson is a vice president in the Underwriting Solutions department for RGA Reinsurance.

She specializes in the development and enhancement of RGA’s prescription drug database, electronic health records, automated underwriting rules initiatives, application design, and fraud conference planning.  

She previously served as AHOU president, and has been a presenter for the Association of Home Office Underwriters.  She is the past ALU president. She has served the ALU in numerous positions, including ALU president, ALU board member, OTR editorial staff, OTR contributing editor, MRAP committee, curriculum committee, and exam writer.

Cyber Insurance, Decoded

Cyber insurance exclusions create unexpected vulnerabilities for companies that sign without proper scrutiny.


For many, especially those from a previous generation, cyber insurance feels like a kind of solace: a safety net to catch all the threats tied to technologies they don't fully understand. 

This often leads them to treat the insurance contract as a formality, signing without scrutiny, effectively writing insurers a blank check. The hope is that coverage will be a cure-all and push the specter of cyber intrusions, malware infections and ransomware out of mind.

It's hard to blame them. Cybercrime is rising each year, and cyber defenses are struggling to keep up. It's not just that attacks are growing in volume and creativity. The surface area for intrusion is expanding exponentially. Much of that is because companies today rely on a dense web of third-party vendors, each one a potential threat vector. And with new data privacy legislation, the financial penalties for being hacked can be crippling and the reputational damage long-lasting. So, when an insurer says, "We'll cover it," it's easy to be lulled into a sense of security even though the coverage has limitations. 

Yet if executives brought in their CISOs, legal teams, or outside cybersecurity advisors to comb through and translate the fine print, they'd be surprised by the number of exclusions they'd still be liable for, had they signed blindly.

Even phrases that seem straightforward, such as "immutable backup," can hide unexpected exclusions. A monthly backup may not suffice, and if a company doesn't know the required frequency or scope, they may find themselves unable to recoup losses when an attack hits.

The goal of translating these contracts isn't to strong-arm insurers or discredit the policies; rather, it's to become a better insured. That relationship is symbiotic. Insurers aren't out to trick you, but their business depends on pricing risk accurately. They benefit when you understand the exclusions and work to close the gaps. A safer client is a better client.

Not at War, But Still Not Covered?

If an executive asks the CISO to sit down and walk through the exclusions one by one, they might pause at the wartime exemption and laugh it off. Fair enough, they think. If we're ever at war, we'll take our chances. After all, the cyber policy only makes up, at most, 20% of the company's broader insurance stack. There are other priorities to manage.

But even an easily dismissed clause like the wartime exemption can come into play. The definitions of "war" and "terrorism" are more fluid than most assume. Ukraine is at war with Russia; the U.S., while supplying arms, is not. If a Russian state-backed actor hacks a U.S. company, does that count as wartime activity? This question has been debated across the cybersecurity and legal communities, and the answer may depend more on contract language than common sense.

The Most Overlooked Exclusion in Cyber Insurance

If legal teams, CISOs, and back-end engineers are going to tunnel into one exclusion, fully translate it, parse it, and map its implications, it should be the vendor clause. This is where the most hidden risk lies. When third-party providers go down, insurers often won't cover the fallout. Understanding where that exposure lives, and how to plug the gaps, pays the biggest dividends.

As noted, most organizations rely on a web of third-party vendors. Some of these vendors aren't pre-approved by the insurer. If one of them is responsible for a breach or outage, coverage may be denied. Often, these are the very vendors that matter most: the ones deeply embedded in your infrastructure, the ones who know your systems inside and out. Faced with that reality, executives may simply shrug and say, We've made our bed, we have to sleep in it.

What might surprise executives is that even vendors on the insurer's pre-approved list aren't always covered. So once the policy is signed and operations shift to approved providers, any miscommunication, friction between vendors, or threat that swims upstream can still leave the company fully liable.

What should you do? First, understand concretely which vendors are excluded from coverage. Once that's acknowledged, it becomes your responsibility to ensure full operational cohesion with those vendors.

What Getting It Right Actually Looks Like

Here's an example. A mid-sized fintech company reviews its cyber insurance contract and, after weighing its options, decides to replace its long-standing cloud service provider with one from the insurer's pre-approved list to take advantage of a steep premium reduction.

Later, as the company parses the contract more carefully, they notice a crucial detail: Even the new cloud provider, despite being pre-approved, falls under an exception if compromised. The company quickly sheds any illusion that pre-approval means blanket protection. Instead of treating the move as a box checked, they double down, working closely with the vendor to harden defenses and ensure shared accountability.

In practice, this means ensuring the cloud team has full architectural awareness of the organization's environment: how data flows, where the dependencies live, and which systems are mission-critical. The organization coordinates tightly with incident response partners and forensic vendors and ensures data storage and backup providers are fully aligned on recovery protocols, access controls, and breach escalation procedures.

The organization might even bring in third-party cybersecurity experts to conduct an unbiased assessment. The consultants quickly spot a blind spot: "Your cloud service provider has access to critical production systems, but there's no centralized visibility into their activity. If something goes wrong on their end, your internal team wouldn't see it until it's too late." The fix? Implement cross-account logging and unified SIEM integration, so cloud activity is monitored alongside on-prem systems. That way, if a threat emerges, internal and vendor teams can respond in sync.

Next, the organization runs tabletop exercises, simulating cyber threats and rehearsing how to neutralize them. The result isn't just faster incident response; it also greases the wheels of day-to-day operations and reduces finger-pointing when something does go wrong. The insurer takes note, aided by the third-party cybersecurity firm serving as a credible intermediary. That expert vouches for their proactive posture, and it pays off: Premiums go down.

Months later, a malware-laced file slips through a compromised vendor's integration and lands in the organization's cloud environment. But the alert fires instantly, thanks to shared SIEM visibility. The cloud provider isolates the infected workload within seconds, while the company's internal team coordinates with their incident response vendor to confirm containment. The breach is neutralized, the response is airtight, and the premium doesn't budge.

Pre-Existing Threats, Intentional Acts, and the New AI Grey Zone

Some threats are already embedded in the system, quiet, patient, waiting. That's why prior acts or retroactive exclusions exist. If an attacker slipped into your network months before coverage began and the breach only surfaces after the policy is active, you might be out of luck. It's the cybersecurity equivalent of a pre-existing condition in health insurance. Therefore, many companies now engage third-party cybersecurity firms to conduct compromise assessments, validating that no threat actors remain. It's not just about peace of mind. That level of diligence often translates to more favorable premiums.

Other exclusions hinge on intent. Insider threats, like a disgruntled CISO leaking credentials or sabotaging systems, are often carved out. Think of it as the digital version of setting your own car on fire and expecting a payout. Insurers want to know that the threat came from the outside, and that you did everything you could to prevent it.

Some exclusions are more mundane but still matter. Lost or stolen devices, for example, are often excluded, though the rise of remote wipe capabilities has made this less of a pressing concern. Still, if your company laptop disappears with sensitive files on it, don't assume your policy will cover the fallout unless the language says so.

And then there's the frontier: AI-related data leaks. These aren't widely excluded, yet. But as tools like ChatGPT and other LLMs become part of daily workflows, insurers are eyeing them closely. If an employee drops sensitive information into a public model, that data may end up in places you can't control, and the insurer may argue you willingly exposed it. AI data lakes are notoriously hard to secure. Expect more policies to start carving out this risk within the next 12 to 18 months.

The CISO's Role: Translator, Not Bystander

CISOs are still too often sidelined in cyber insurance discussions, treated as technical advisors rather than core stakeholders. But completing a cyber insurance application requires fluency in both business operations and technical architecture, and the CISO should serve as the bridge between the two. That role becomes even more critical in a post-SolarWinds world, where executive liability has come sharply into focus. Misstatements about risk posture can resurface in court, not just at renewal. And while the CISO may not be the one negotiating premiums, they're often the one who pays the price when the fine print goes unread.

The Blurring Line Between Defense and Coverage

Some cybersecurity firms are beginning to offer more than just assessments and remediation: they're offering guarantees. The idea is simple: "Implement all 12 recommended controls, let us manage them, and we'll backstop you against a breach." In some cases, it's a straight guarantee. In others, the firm operates a captive insurance model, using its own capital to cover potential losses.

These models are gaining traction, particularly among smaller businesses that may not qualify for traditional cyber insurance. In the background, the shift is being enabled by managing general agents (MGAs), which are contracted firms that can underwrite policies on behalf of established insurers. The shift blurs the line between consultant and carrier. It's a fast-evolving space, but the message is clear: Cybersecurity and coverage are converging, and the firms managing your risk may soon be the ones pricing it, too.

Think Like a Private Equity Firm 

The most effective way to approach cyber insurance is to think like a private equity firm evaluating an acquisition target. Would I acquire my own company? It would need to be lean, every layer justified, with clean systems and low risk.

Becoming a better insured starts with hygiene. Run security assessments. Document your controls. Work with outside experts when needed. A third-party validation of your security program doesn't just look good on paper; it lowers perceived risk and often premiums alongside it.

Too many companies also spend too much in the wrong places. Redundancy in tools -- three threat intel feeds doing the same job, for instance -- won't help you in a breach and won't win points with insurers. Rationalize your stack. Eliminate overlap. Show that your budget is disciplined and purposeful.

And while it's rare to hear this from anyone in the security world: Yes, you can be overinsured. A 50-person firm with a six-month business interruption clause and coverage against nation-state threats probably isn't optimizing its spending. Know your risk tolerance, and match coverage to real exposure, not paranoia.

Finally, don't get lost chasing every headline. The goal isn't to defend against theoretical quantum attacks. It's to reduce the number of ways someone can get in today. Threat intelligence matters. But securing your entry points, and knowing which ones insurers care about, matters more.


Steve Ross


Steve Ross is director of cybersecurity, Americas, at S-RM.

He got his start in information security through his time in the U.S. Marine Corps as a special operations signals intelligence operator and linguist. He moved into the private sector as a cybersecurity and privacy consultant and has over 15 years of experience in the cybersecurity and intelligence fields.  

Can AI's Efficiencies Save Homeowners Insurance?

Any efficiency is always welcome, but the real opportunity lies in helping policyholders avoid losses. 


An interesting conversation has been playing out online about whether the many efficiencies promised by generative AI can fix homeowners insurance, which has been barely profitable in the U.S. for more than a decade, even after investment income. 

The short answer is no, not even if AI cuts personnel costs by 20%. Rate boosts will only provide limited benefit, too, given that homeowners already feel overcharged and that many regulators side with them, even as natural disasters increasingly imperil all of us.

But the long answer is interesting. It points to other areas, notably preventing damage from water and fire, where homeowners insurers could take huge chunks out of their expenses.

Let's have a look, based on one of our friend Matteo Carbone's famous deep dives into the numbers.

The online conversation began with a lament that, while technology has made so many industries more efficient, expenses for homeowners insurers have held steady at around a hefty 30% of premiums. Commenters offered some justifications, based on high customer acquisition costs and on the complexity of insurance vs. other industries -- seat 17A is identical to seat 18A, but my homeowners policy is likely quite different from yours. 

Matteo then weighed in with a long post. I encourage you to read the whole piece, but I'll summarize here.

He shows that homeowners insurers in the U.S. had an underwriting loss of 1.6% during the decade that ended in 2023. In other words, claims plus expenses exceeded the amount of premiums collected. After the income from the investment of those premiums, the industry produced a profit of 0.7%. Not great. 

Cutting expenses would seem to be an obvious way to improve profitability, and Gen AI promises enormous gains in profitability. Reducing head count could result -- even though just about every company in every industry says they are trying to help employees, not replace them with AI. 

But Matteo calculates that personnel only account for maybe nine percentage points of the roughly 30% of premiums that go to pay overhead expenses. So even a 20% reduction in headcount -- an optimistic assumption that almost no insurer would voice -- would barely erase that 1.6% underwriting loss.

That's the bad news. The good news is that Matteo didn't stop there. He kept digging into the numbers and identified "15 points on the combined ratio that can be addressed with fire protection solutions and 21 points that can be addressed with water escape prevention solutions."

Based on his work running the IOT Insurance Observatory, he singled out Whisker Labs for its work on fire prevention and Ondo for its innovations in preventing water leaks.

I wholeheartedly agree with his thrust. 

Whisker Labs has become the poster child for the Predict & Prevent focus at ITL and at our parent organization, The Institutes. It provides a device called a Ting that you simply plug into a wall socket, and it detects anomalies in the flow of electricity that indicate a fire danger, so the problem can be fixed before a fire can occur. The Ting has proved to be so effective that dozens of insurers are providing it to customers for free. It is in more than 1 million homes in the U.S. and has prevented thousands of fires.

We've covered Whisker Labs at some length, beginning with this conversation I had with CEO Rob Marshall in 2023. He updated us on his progress with an article last month, while providing advice on how to correct policyholders' misconceptions about electrical fires. 

As for Ondo, Matteo provides the transcript of a long interview with the CEO, in which he says some insurers have reduced their claims related to water escape damage by 70%. 

I'll do the math for you: A 70% reduction in 21% (the amount of premiums that Matteo says go toward covering water escape damage claims) would be nearly a 15-point improvement in the combined ratio. Suddenly, homeowners insurance could be very profitable at current rates. 

I'm not saying by any means that we're there yet. Water sensors are at an earlier stage than Ting's fire-detection technology. But I'm encouraged by the breadth of innovation on water sensors and on the highly promising -- if early -- results. For instance, for this month's ITL Focus, on the IOT, I interviewed an executive at bolt, who said their pilot had demonstrated "a significant reduction in losses, with up to 55% total premium impact. More than 40% of that comes from avoided loss events, and the remainder is driven by reduced severity, which can be as much as 28%."

As I said in my commentary for ITL Focus, we may be reaching a tipping point with water sensors, based on the results being delivered by Ondo, bolt, and others. We may be at the point where lots of insurers will give away sensors, knowing they'll be reducing claims (while delighting customers). And "free" is a magic word. Once we get to "free," deployment will really take off. 

We shouldn't give up on AI, of course. Every bit of efficiency matters, but I agree with Matteo that the big gains for homeowners insurers lie elsewhere.

Cheers,

Paul

 

It's Time for Bold Collaboration on AI Fraud

Rapid changes in auto insurance fraud demand collaboration among stakeholders across the risk management and insurance ecosystem.


Generative AI is rapidly reshaping how businesses process information, make decisions, and serve customers. It’s also amplifying a long-standing challenge: fraud in vehicle insurance claims.

Fraud in auto claims costs the U.S. property and casualty sector an estimated $45 billion annually, according to the Coalition Against Insurance Fraud. That burden adds up to about $700 in extra premiums for each household (PropertyCasualty360, May 2024). 

And the problem is evolving quickly: The Guardian reported a 300% increase in AI-manipulated vehicle images submitted to one U.K. insurer in just one year (The Guardian, May 2024). If that stat holds true, it makes deterring auto claims fraud that much more urgent an issue to address, especially because of how bad actors can use generative AI to manipulate claims submissions.

With GenAI, bad actors can fabricate auto claims scenarios with alarming realism, doctoring photos, swapping license plates, or creating deepfake “walkaround” videos of damage that never occurred. In one case, fraudsters digitally altered a van’s image lifted from social media to add a cracked bumper, submitting it with a fake invoice for over $1,000 in damages. Investigators discovered the untouched original online, exposing the deception (The Guardian, May 2024). 

Tools like metadata analysis or image forensics aren’t foolproof: metadata can be stripped or spoofed, and forensic models can struggle to keep up with the pace of new generative techniques. Meanwhile, manual claim reviews can be slow and costly to scale.

Insurtech applications of solutions like UVeye exemplify how trust can be embedded directly into the claims process. Their approach uses a three-layer system to validate vehicle condition: Multi-camera scans capture detailed, frame-by-frame imagery; encrypted digital fingerprints create a tamper-proof record; and third-party oversight adds impartiality to the verification process. 

This isn’t just about detecting fraud after the fact; it’s about creating deterrence. By establishing a trusted vehicle history, verifying damage through a third party, and automating assessments, this approach could reduce false claims and streamline workflows—driving both accuracy and efficiency, while also safeguarding integrity. Taken all together, these elements shift the claims process from one that reacts to deception to one that could neutralize it—while also creating a faster, fairer experience for legitimate claimants.

No single solution can address this risk on its own; collaboration among stakeholders across the risk management and insurance ecosystem is essential. That’s why The Institutes’ RiskStream Collaborative is developing scalable, systemic tools like RAPID X, which enables secure, private, permissioned exchange of first-notice-of-loss data among carriers during a mutual event. At the same time, RiskStream’s AI Council brings together insurers, insurtechs, and research organizations to identify common AI use cases, such as fraud prevention, and to promote ethical, multiparty solutions that protect private data.

Together, these initiatives form the backbone of a more resilient claims ecosystem, one built on trusted data, shared standards, and aligned incentives. As generative AI continues to reshape the landscape, the industry must meet this moment with bold, coordinated action. 

Combating fraud is only the beginning. The real opportunity lies in transforming claims into a faster, fairer, and more secure experience for all stakeholders: insurers, service providers, and most importantly, policyholders.

Works Cited

Coalition Against Insurance Fraud, 2023 Annual Report. 

Ashley Hattle-Cleminshaw, PropertyCasualty360, “Fraudsters using AI to manipulate images for false claims,” May 8, 2024. https://www.propertycasualty360.com/2024/05/08/fraudsters-using-ai-to-manipulate-images-for-false-claims

Rupert Jones, The Guardian, “Car insurance scam: fake damage added to photos,” May 2, 2024. https://www.theguardian.com/business/article/2024/may/02/car-insurance-scam-fake-damaged-added-photos-manipulated 

Nicos Vekiarides, Insurance Journal, “Deepfake Fraud Is on the Rise. Here's How Insurers Can Respond,” July 17, 2024. https://www.insurancejournal.com/news/national/2024/07/17/784226.html

UVeye Research, 2025 White Paper.

The Institutes RiskStream Collaborative: RAPID X and AI Council Initiative Overview.

This article was first published on The Skills Edge Blog at The Institutes.

The Insurance Talent Crisis: A Race Against Time

Insurance is at a crossroads. With retirements rising and talent gaps growing, carriers must act now to retain knowledge and attract new talent.


The insurance industry is facing a perfect storm: a wave of retirements, a shortage of specialized talent, and a new generation of workers with different expectations. Without a plan to capture institutional knowledge and modernize operations, insurers risk falling behind.

In this report, we explore the root causes of the insurance talent crisis—and how forward-thinking organizations are using technology to bridge the gap.


 

Sponsored by: Origami Risk


Origami Risk


Origami Risk delivers single-platform SaaS solutions that help organizations best navigate the complexities of risk, insurance, compliance, and safety management.

Founded by industry veterans who recognized the need for risk management technology that was more configurable, intuitive, and scalable, Origami continues to add to its innovative product offerings for managing both insurable and uninsurable risk; facilitating compliance; improving safety; and helping insurers, MGAs, TPAs, and brokers provide enhanced services that drive results.

A singular focus on client success underlies Origami’s approach to developing, implementing, and supporting our award-winning software solutions.

For more information, visit origamirisk.com 

Additional Resources

ABM Industries

With over 100,000 employees serving approximately 20,000 clients across more than 15 industries, ABM Industries embarked on an ambitious, long-term transformation initiative, Vision 2020, to unify operations and drive consistent excellence across the organization.  


Webinar Recap: Leveraging Integrated Risk Management for Strategic Advantage

The roles of risk and safety managers have become increasingly pivotal to their enterprises' success. To address the multifaceted challenges posed by interconnected risks that span traditional departmental boundaries, many organizations are turning to Integrated Risk Management (IRM) as a holistic approach to managing risk, safety, and compliance. 


The MPL Insurance Talent Crisis: A Race Against Time

Managing Medical Professional Liability (MPL) policies has never been more complex — or more critical. With increasing regulatory demands, growing operational costs, and the ongoing talent drain, your team is expected to do more with less.  


MGA Market Dominance: How to Get & Stay Ahead in 2025

Discover key insights and actionable strategies to outpace competitors and achieve lasting success in the ever-changing MGA market. The insurance industry is transforming rapidly, and MGAs are at the forefront of this change. Adapting to evolving technologies, shifting customer needs, and complex regulatory demands is essential for staying competitive.


A Look at P&C in the Rearview Mirror

Reviewing our predictions for 2025 provides insights into industry progress on empathy, transparency, AI, claims and much more. 


It's been a wild and bewildering few years in our industry, and almost everything seems to be in flux. Leaders are seeking some reliable sense of what to expect so they can strategize and plan effectively. 

Three consecutive years of rate increases have taken a toll on consumers and businesses but have achieved the desired goal of profitability -- at least for now, as insured losses from catastrophe events across the globe in the first half of 2025 increased to almost $100 billion, which marks the second highest recorded after 2011's $140 billion, according to an Aon report. These figures are up from $71 billion in H1 2024 and are threatening, especially as hurricane season has yet to peak.

Lately, industry colleagues and client inquiries are shifting from product design and market entry to more strategic planning. Meanwhile, insurtech funding is rebounding with renewed urgency and excitement for all things AI, but also testing more recently adopted investor parameters, established after years of excesses.

What follows is an executive-level review of our thought leadership articles (all of which can be accessed at Insurance and InsurTech Blog) published over the past few months, mined for insights. It turns out the majority of the trends we have identified and illuminated are emerging.

There are other noteworthy developments, too, such as Progressive claiming the No. 1 spot in market share, unseating State Farm. The most-talked-about new insurance/insurtech entrants—Root, Lemonade and Hippo—have survived, evolved or thrived despite declarations of their demise. And, let's not overlook a milestone, as P&C reached $1 trillion in written premiums for the first time.

Looking back at some of our 2025 predictions, we note that Predict & Prevent continues to gain traction. The electrical detection, fire prevention solution by Ting is a shining example. Advances in leak detection and water shut-off along with workplace injury avoidance are also highlights. Legal abuse centered on litigation financing is finally getting more attention; record-setting verdicts are adding pressure, on top of weather risk. Finally, there is anticipation of greater M&A activity.

And 2025 is just the halfway point of the decade. So remain buckled in and stay tuned.

Here are some of our most-read and commented-on articles:

(Re)defining Empathy in Insurance

The expression "empathy in insurance" is as abused and misunderstood as "innovation in insurance." The underlying intent and value of both are important but vague, contradictory at times and often misapplied by industry practitioners.

The future success of insurance depends on repositioning the industry for higher relevance to the new consumer and stakeholder alike. Redefining empathy amid exponential gains in technology is a big step forward in thoughtful and responsible use of AI in insurance.

Human touch in insurance is not going away any time soon, but your next co-worker is likely to be AI-powered.

Here is the link.

AI Can Fix Everything in Insurance

Every time we read an article or a marketing piece espousing the astounding power of AI as applied to insurance, we cannot help but think about Gus Portokalos!

As you may recall, Gus was the bride's father in the 2002 hit movie "My Big Fat Greek Wedding," who famously suggests, "Put some Windex on it!" as a solution to all manner of problems, including cuts and scrapes. Gus proudly related every word, phrase and meaning back to his Greek ancestry as a solution or fix to each conversation. A lot of people are treating AI in the same fashion.

Even the typically thoughtful Bill Gates gushed that AI is "the first technology that has no limit" and "could be as revolutionary as the internet or mobile phones."

As with the greatest man-made inventions that have shaped human history, including the wheel, printing press, electricity, airplane and internet, AI is likely to drive unimaginable benefits, innovation and unexpected consequences. Unlike these earlier advances, however, AI may be the first man-made invention that threatens its creators. We have been warned!

Here is the link

Trust, Personalization and Transparency

The insurance industry is at a crossroads. Brewing negative consumer sentiment about insurance affordability and premium fairness is spilling over as profitability struggles threaten markets. As the industry takes needed action, insurers find it difficult to inform and educate a customer base that views pricing as opaque and overly complicated. All of this raises the question: Can premium adequacy and trustworthiness co-exist?

The year ahead offers a pivotal opportunity for the insurance industry to redefine itself. By prioritizing transparency and personalizing policies, insurers can address premium leakage while restoring trust. Companies that lead with these values will not only strengthen their bottom lines but also reshape the industry's reputation for the better.

Here is the link

P&C Insurance: Mind the Gap(s)

The expression "Mind the Gap" dates to the 1960s and announcements on the London Underground. The purpose was to warn passengers of the potentially dangerous gap between the train door and platform, which are not perfectly aligned. The line has since evolved to become a general warning about the danger of open space or gap between two points.

It applies especially well to the many risks and headwinds faced by the insurance industry today. And if unattended, the gap may be impossible, or at least much harder, to close.

The role of innovation and insurtech cannot be overstated for an industry that historically is people- and labor-intensive. Closing these gaps is vital for the insurance industry and its contributions to the economy and consumer livelihoods. Long-term insurance stability is in the best interests of investors, financiers and risk takers of all types, including businesses and consumers. Minding the gap is foundational for industry success in 2025 and beyond.

It's time to mind the gap(s).

Here is the link

P&C Insurance Claims: The Time Has Come

For those of us who have worked in this industry for a decade or longer, when you honestly assess how claims handling has evolved over time, you would fairly conclude that while certain aspects have improved – some even impressively – the fundamental model, process, service and financial outcomes have essentially remained unchanged or marginally improved.

When comparing insurance claim modernization with that by others in financial and consumer services, the shortcomings become even more obvious. Yet the environment in which claims occur and are resolved has changed significantly.

The reasons and underlying factors for this lack of breakthrough are many and complex, and playing catch-up in real time has not proven to be easy so far, but it is possible – and mandatory.

The time is now, conditions are ripe, the solutions are at hand and the future of the industry awaits.

Here is the link

Get Connected

A complete library of our thought leadership articles can be found at Insurance and InsurTech Blog. You may also subscribe to our free daily Connected Newsletter or podcast (Connected Podcast on Apple podcasts or Connected Podcast on Spotify).


Alan Demers


Alan Demers is founder of InsurTech Consulting, with 30 years of P&C insurance claims experience, providing consultative services focused on innovating claims.


Stephen Applebaum


Stephen Applebaum, managing partner, Insurance Solutions Group, is a subject matter expert and thought leader providing consulting, advisory, research and strategic M&A services to participants across the entire North American property/casualty insurance ecosystem.

Strategic Priorities 2025: A New Operating Business Foundation for the New Era of Insurance

Discover why now is the time for insurers to embrace tech-driven transformation. Learn how modern operating models unlock efficiency, innovation, and long-term profitable growth.


Traditional insurance models are no longer fit for today’s fast-evolving landscape. Mounting costs, outdated systems, and shifting customer expectations demand a bold transformation. This new research reveals why now is the time for insurers to modernize their operating models – leveraging Cloud, AI/ML, GenAI, IoT, and more – to drive efficiency, innovation, and sustainable growth. Discover how industry leaders are reimagining their foundations to stay competitive and profitable.  


 

 

Sponsored by ITL Partner: Majesco


ITL Partner: Majesco


Majesco is the partner P&C and L&A insurers choose to create and deliver outstanding experiences for customers. We combine our technology and insurance experience to anticipate what’s next, without losing sight of what’s important now.  Over 350 insurers, reinsurers, brokers, MGAs and greenfields/startups rely on Majesco’s SaaS platform solutions of core, digital, data & analytics, distribution, and a rich ecosystem of partners to create their next now.

As an industry leader, we don’t believe in managing risk by avoiding change. We embrace change, even cause it, to get and stay ahead of risk. With 900+ successful implementations we are uniquely qualified to bridge the gap between a traditional insurance industry approach and a pure digital mindset. We give customers the confidence to decide, the products to perform, and the follow-through to execute.
For more information, please visit https://www.majesco.com/ and follow us on LinkedIn.


Additional Resources

Future Trends: 8 Challenges Insurers Must Meet Now

This primary research underscores the new challenges that continue to emerge and fuel the pace of change and strategic discussion on how insurers will prepare and manage the changes needed in their business models, products, channels, and technology.


Enriching Customer Value, Digital Engagement, Financial Security and Loyalty by Rethinking Insurance

Better understand and learn how to adapt to the forces behind the changes in customers’ insurance needs and expectations.


Core Modernization in the Digital Era

Better understand the three digital eras of insurance transformation and the strategic priorities of industry leaders that are driving changes in this era.


A Thought Experiment: Imagine a Zombie Apocalypse

In these turbulent times, it's important to prepare by considering a wide range of scenarios, even ones that strain credulity. 


While on vacation last week at the Jersey shore, my mind wandered far afield. Perhaps because my daughters repeatedly urged me to watch "Sinners," my thinking ranged to vampires and then zombies. 

Eventually, my mental meandering resolved itself into a renewed belief in the importance of scenario planning, especially in these unpredictable times, and the insurance industry should absolutely be preparing for a whole range of possibilities.

Let's start with the one that amused me as I sat on the beach: the possibility of a zombie apocalypse. 

A key issue: Are those who get infected by the hordes of zombies dead or merely "undead"?

As I understand zombie lore, the decision could go either way. Zombies don't show any brain activity and have no heartbeat. Yet they still have their physical bodies, and they still function — in that straight-armed, "I'm coming to eat your brain" kind of way. 

Life insurers would have to come to a decision and be prepared to defend it.

If zombies are considered to be "undead," all sorts of other types of insurance kick in. Zombies decay and are known to lose limbs, so there could be lots of disability claims, for instance.

There would be auto accidents galore, as people fled. 

There might be liability claims against property owners — or not. I'm liable if someone slips and falls because of my carelessness, but am I really liable if a defense I've rigged up blows a zombie's brains out? What if my system blows out the brains of an uninfected neighbor looking for protection? 

As for health insurers, you might think they'd be inundated with claims, but there's no treatment for zombies. There would presumably be loads of people injured fleeing the zombies, but would hospitals still be functioning? What would the CPT code be for an injury while avoiding an attack by a zombie?

And on and on and on.

In the real world, where even the multiplying hordes of conspiracy theorists aren't claiming zombies exist, Royal Dutch Shell is the poster child for scenario planning. Based on research at the RAND Corporation in the 1960s, it set up a group that considered, among many other things, the possibility of a surge in oil prices. Shell then put contingency plans in place that left it well-prepared when prices quadrupled in just a few weeks during the oil crisis of 1973.  

For me, the key hurdle for scenario planning is to make sure you don't think you're predicting the future. As this article explains in some detail, based on the Shell example, you're just trying to get outside the mental model that you use to view the world. Even if none of your scenarios come to pass — and they likely won't — you've developed a more robust view of your environment and are better prepared. 

Now is a great time to apply that sort of discipline in insurance because of all the uncertainty about government policy, about geopolitics and about the economy. 

The Trump administration has for months talked about abolishing the Federal Emergency Management Agency but may be backing off after the disastrous flash flood in Texas. Tariff policies are all over the place. What's going to happen with Ukraine, Gaza, Iran...? Economists are predicting a resurgence of inflation in the U.S., and the data released today suggest it may be starting, but many of the expected effects from Trump policies have been muted thus far. Will they, in fact, show up? When?

Your strategic decisions may not change much based on some of those issues, but it's worth gaming out the possibilities for any that might. 

In the meantime, stay away from those zombies.

Cheers,

Paul

 

The Daunting Warning From the Texas Flood

The tragedy doesn't just underscore the effects of federal spending cuts and climate change; it also demonstrates a deeper problem with human behavior.


The flash flooding in Texas has, tragically, killed more than 100 people, and much-deserved finger pointing has begun about who all is to blame. As responsibility gets sorted out over the coming weeks and months, I think we need to recognize another aspect of the problem, one that goes well beyond local, state and federal authorities. We humans just don't think and behave right.

The flood happened in what's known as the most dangerous river valley in the U.S., but local and state officials have for years decided not to install early warning systems because they didn't think voters would approve of the spending. Lots of people discounted the forecasts of heavy rain that the National Weather Service issued in the days leading up to the floods.

If we can't even prepare for flooding in what's known as Flash Flood Alley, where can we get it right?

I'm really quite discouraged. I'm beginning to think human behavior may be intractable.

To be clear, I'm happy to point fingers at lots of people in authority. There was a massive failure to prepare here, as this story in the Washington Post describes.

State and local authorities not only didn't invest in warning systems; they also underestimated the logistical difficulties of alerting people in remote areas, even though cellphone coverage is known to be spotty and severe weather can obviously cause power outages. At the federal level, the DOGE chainsaw led to some 600 people being cut at the National Weather Service or taking early retirement this spring, and many experts say the lack of personnel likely contributed to the inadequacy of warnings about the Texas flood. 

The problem will get worse at the federal level, too, because the Trump administration says it will scale the Federal Emergency Management Agency (FEMA) way back or even eliminate it as part of a plan to "empower states." Already, the Trump administration has said it will, at the end of this month, cut off access to a data source that is considered to be crucial for hurricane forecasting. 

But even beyond the (many) failures of authorities, I think we have to acknowledge that people really aren't built to prepare for disasters. We reason based on our personal experience, and we get complacent because we haven't experienced a flood, a wildfire, a hurricane, a tornado and so on.  

I realize money is scarce in many areas and can understand why voters would be reluctant to invest in warning systems. I also realize that this flood was unprecedented in this particular area.

But we live in a time of unprecedented weather, and the problems are only going to get worse. So we need to do far better at making ourselves and our properties more resilient in the face of impending natural disasters. 

Yet I'm not sure we will. 

I'm not sure we can, as humans.    

All I can think to do is the sort of thing I've recommended in the past, so we can at least minimize the catastrophes. Insurers have a major opportunity to guide policyholders on how to mitigate risk, including possibly offering incentives through discounts on premiums. Insurers can also help communities of people work together

We won't solve the problem. We humans are hard-wired against a real answer, it seems. But we can have a serious rethink and at least try to do better.

That's the best I've got, I'm afraid. 

Cheers,

Paul