How to Combat the Rising Cyber Risks of Third-Party Events and Ransomware

Risk & Insurance recently spoke with Sarah Thompson, head of cyber, USA, for MSIG. What follows is a transcript of that discussion, edited for length and clarity.
Risk & Insurance: What cyber trends does MSIG USA see in industries such as energy, financial services, manufacturing and technology?
Sarah Thompson: The cyber risk environment remains highly dynamic, with many trends cutting across industries despite sector-specific nuances. At a macro level, heightened regulatory scrutiny, evolving compliance demands, and sustained appetite for cyber insurance capacity continue to shape the market.
This momentum is reflected across sectors. In financial services, organizations are aggressively seeking coverage as regulatory expectations intensify. Manufacturers are increasingly focused on operational technology and its integration with IT systems, raising concerns about resilience. In the energy sector, physical damage risk from cyber events has captured significant attention.
Across all industries, artificial intelligence has emerged as both a powerful business enabler and a growing source of risk. The overarching themes shaping today’s cyber landscape are third party/vendor risk, regulatory oversight, and the convergence of informational and operational technology.
R&I: Third-party vendors’ incidents pose an increasing risk of disruption, through malicious attacks or unintentional errors. How should risk professionals address these risks?
ST: Third-party vendor risk continues to be one of the most significant drivers of cyber loss, as demonstrated by systemic incidents in 2024 involving CDK, Change Healthcare, and CrowdStrike. These events exposed deep dependencies across industries and highlighted how both malicious attacks and non-malicious failures can cause widespread disruption. Risk professionals should treat vendor risk with the same level of scrutiny as internal security, starting with rigorous front-end due diligence on technical controls and understanding how vendors integrate with core systems.
Beyond initial assessments, organizations should adopt continuous monitoring practices and embed vendors into their incident response plans as if they were part of their own network. Strategic redundancy is also gaining traction, where companies contract multiple vendors for critical services to ensure rapid failover and to minimize downtime.
Vendor risk should be a core consideration in procurement and M&A activities. As you acquire a company, you inherit its third-party exposures. Cyber insurance underwriting can be a valuable diagnostic tool, enabling organizations to map their vendor dependencies and proactively manage emerging vulnerabilities. Ultimately, a layered, proactive approach is essential to building resilience in today’s interconnected risk environment.
R&I: Ransomware has been a big driver of cyber claims. How are attacks evolving?
ST: Ransomware continues to be the leading driver of loss, and its evolution is marked by increasing automation and a shift in motivation. While traditional extortion tactics like encrypting systems or threatening to leak data are still prevalent, threat actors are now more focused on causing operational disruption. Attacks are increasingly targeting digital supply chain providers, where even a single compromised vendor can trigger widespread business interruption. This shift toward systemic disruption has made ransomware not just a financial threat, but a strategic one.
Artificial intelligence is accelerating the evolution of ransomware. Threat actors are using AI to automate attacks and exploit vulnerabilities at a faster rate, increasing both scale and impact. On the defensive side, AI is being leveraged to strengthen cyber resilience, detecting threats earlier and responding more effectively. The pace is fast-moving, and staying ahead requires proactive risk management and continuous adaptation.
R&I: What does MSIG USA recommend to organizations to mitigate ransomware risks?
ST: Cyber risk mitigation flows from strong baseline protections. Organizations should prioritize access management (MFA and password protocols), network segmentation, patching cadence, and endpoint detection across all devices. These controls help to limit how far an attacker can move and reduce the likelihood of successful exploitation. Response readiness is equally critical. Having a tested incident response plan, business continuity strategy, and regular tabletop exercises ensures teams can act quickly and effectively.
One of the most impactful defenses is a robust backup strategy. Backups should be immutable, offline, encrypted and tested frequently. Many of the largest business interruption claims in the industry stem from backups that failed when needed most. They must be reliable, current, and part of a broader plan.
R&I: The human element appears to be the weakest link in cyber. What’s most needed to mitigate social engineering attacks?
ST: Humans are indeed the most vulnerable point in cybersecurity, and the most effective defense against social engineering isn't just technology; it's accountability. Organizations must foster a culture where team members understand their role in protecting client and company data. The mindset should be embedded into daily operations and reinforced regularly. Leadership must treat cybersecurity as a shared responsibility, integrating it into performance metrics like phishing test results and training completion rates. When employees feel personally accountable, they're far more likely to engage thoughtfully with security protocols.
Technical controls are essential, but they can't fully eliminate human error. Social engineering thrives on exploiting behavior, and without a security-first culture, even the best technical systems can be compromised. When employees feel a responsibility for the organization's security, they become a stronger line of defense against evolving threats.
R&I: Cyber has attracted a lot of capacity, making it a competitive line of business. What should brokers and risk managers know about choosing cyber insurance partners?
ST: In today’s crowded cyber market, not all capacity is created equal. While increased competition has driven rates down and broadened coverage, brokers and risk managers should look beyond pricing and assess the long-term commitment and financial strength of their insurance carrier. Cyber is a relatively volatile line of business, and systemic events can quickly shift market dynamics. Risk managers must work with carriers that have experience in handling claims and offer meaningful support during incidents.
Equally important is a partner that understands the nuances of cyber risk and is willing to engage beyond the policy. At MSIG USA, we offer both proactive and reactive services, helping clients strengthen their risk posture before an event while ensuring responsive support when it matters most. Our disciplined, data-driven underwriting approach allows us to tailor coverage to unique exposures, while our ability to support clients across multiple lines of business provides a more holistic view of risk.
Ultimately, brokers and clients should seek a carrier that delivers stability, expertise, and strategic partnership. With financial strength indicated by our A+ ratings and a global reach that spans over 40 countries and regions, we can support long-term resilience and bring confidence to leading businesses around the world.