Insurers are facing worsening aggregation exposure as threats scale across sectors, say TMHCC specialists

High-profile cyber breaches across North America, including large-scale ransomware and supply chain attacks affecting critical infrastructure and major retailers in both the US and Canada, have reignited concerns about whether cyber insurance is keeping pace with an increasingly complex threat landscape.
According to IBM’s Cost of a Data Breach Report 2025, the global average cost of a breach reached $4.7 million. Ransomware-related losses continued to climb, with Sophos reporting that 59% of organizations were hit by ransomware in the past year.
Against this backdrop, insurers and brokers are questioning whether underwriting models are calibrated for a new era of AI-accelerated attacks and whether policy wordings could evolve to address them.
Tokio Marine HCC specialists told Insurance Business that rather than isolated data breaches, many of last year’s most significant events triggered cascading disruption across supply chains, cloud environments and entire sectors.
“Cyber risk is increasingly systemic, operational and identity-driven,” said Xavier Marguinaud (pictured on the left), head of cyber – international at Tokio Marine HCC. “Many of the most significant events (in 2025), including ransomware attacks, were not isolated data breaches, but disruptions that cascaded across suppliers, cloud platforms and entire sectors. This highlights how interconnected modern digital ecosystems have become.”
Cyber attack ‘clusters’ highlight growing concentration risk
As organizations rely more heavily on shared infrastructure (such as SaaS platforms, cloud providers and identity management systems), single points of failure can create widespread vulnerabilities. Last year’s attacks on UK retailers, including Marks & Spencer, Co-op and Harrods, highlight how sector-wide vulnerabilities can emerge when companies share similar technology stacks and suppliers.
While there is no confirmed link between these incidents, they demonstrate how tightly coupled industries can experience correlated disruption, said Isaac Guasch (pictured on the right), cyber security leader at Tokio Marine HCC.
“The clustering of incidents in the retail sector does suggest a broader pattern of targeted campaigns against industries with shared characteristics – similar technology stacks, supply chains and operational models,” Guasch said. “Retail is particularly sensitive because downtime immediately affects revenue and customer trust.”
Meanwhile, cyber attackers are shifting tactics. Rather than relying solely on sophisticated technical exploits, threat actors are increasingly targeting trusted relationships, leveraging stolen credentials, compromised tokens and third-party integrations to gain access.
According to Guasch, this evolution underscores a fundamental change in how organizations must approach cyber resilience. “Corporates should be concerned in the sense that attackers can now operate faster and at greater scale,” he said. “An appropriate response to this should include disciplined identity governance, strong monitoring, token lifecycle management and structured AI oversight within their own environments.”
Marguinaud added: “Looking ahead, organisations should prioritise understanding their critical dependencies, reducing blast radius, strengthening identity controls and regularly stress-testing business continuity. The defining theme for 2026 will likely be resilience rather than pure prevention.”
AI as an accelerator of cyber risk
The rise of artificial intelligence is adding another layer of complexity, but not necessarily in the way many fear. While AI can accelerate reconnaissance, automate phishing campaigns and speed up vulnerability discovery, experts caution against viewing it as a wholly new category of risk.
“AI should be seen as an accelerator rather than a revolutionary threat,” Guasch explained. “Most successful intrusions still rely on familiar weaknesses like credential theft or misconfigurations.”
In response, insurers are adjusting their models without fundamentally changing how cyber risk is defined. At Tokio Marine HCC, Marguinaud and Guasch said, underwriting teams work closely with in-house cyber security specialists to continuously update risk models and incorporate emerging threat intelligence.
“Our models are not calibrated specifically for AI, and they do not need to be,” Marguinaud explained. “In most documented cases, AI accelerates or scales existing techniques rather than introducing fundamentally new loss drivers. From a cyber risk perspective, the focus remains on access control, operational resilience and dependency management.”
As digital ecosystems become more concentrated, the potential for a large-scale cyber event affecting multiple sectors simultaneously continues to grow. The bigger question for the industry is whether it is adequately capitalized to withstand a truly systemic cyber event.
Experts have warned that such scenarios are becoming increasingly plausible. Concentration risk (be it in cloud providers, widely used software libraries, or identity platforms) sets up the potential for correlated losses on a scale that could test the limits of the cyber insurance market.
Marguinaud and Guasch said that while AI could act as an accelerant in such scenarios, it is unlikely to be the sole trigger. “The more relevant variable is the degree of diversification and resilience within digital ecosystems,” they said. “Organizations that understand their dependencies and have robust recovery mechanisms are better positioned to withstand systemic shocks.”
To manage this exposure, insurers are investing heavily in modelling capabilities, stress-testing portfolios and diversifying risk across industries and geographies. TMHCC said it also uses external models to validate assumptions and challenge internal views of aggregation risk.
In the future, market discipline will be critical to addressing systemic and AI-driven cyber risk, the TMHCC specialists stressed: “Sustainable underwriting, realistic pricing and careful portfolio construction are essential if the sector is to remain adequately capitalized and structured to withstand a large systemic event.”




