Insurance CROs Highlight Cybersecurity, AI, Climate Change as Key Risk Concerns

Insurance CROs are optimistic about their ability to shore up their operational defenses in 2024 despite global economic headwinds, and complex emerging risks, EY/IIF survey finds
By: | March 20, 2024
Business risk

Cybersecurity, artificial intelligence and climate change risks are among the top concerns of insurance company chief risk officers (CROs), according to a new survey by EY and the Institute of International Finance.

The inaugural edition of this joint report is based on survey data from 68 insurance carriers across 15 countries, and highlights the challenges and opportunities faced by insurance CROs in an increasingly volatile geopolitical environment, while wrestling with budget constraints and attracting technical talent.

“Insurance CROs continue to hunt for opportunities to drive growth and reduce the operational risk associated with that, including third-party cyber risk,” stated Isabelle Santenac, EY Global Insurance Leader. “With record-breaking natural catastrophes in 2023, the pressure on carriers to tackle the increasing multibillion-dollar protection gap is compounded by shrinking budgets and scarce talent to tackle some of the most pressing climate-related disasters our generation has faced.”

Cybersecurity Risks

Over the next 12 months, respondents expect cybersecurity to be the top risk on their agendas, and by a substantial margin: 53% cited cybersecurity risk as top risk. In second place was insurance risk—defined as underwriting risk, including lapses, catastrophic losses and longevity risk—at 35%. Business model change/transformation was third, at 32%.

The top risks that CROs believe will require the most attention from their board of directors was also cybersecurity risk, at 53%, followed by strategic risk, 37%, and business model change/transformation, 35%.

Asked to forecast which emerging risks would be a top priority for insurers in the next three years, cybersecurity remains in first place, cited by 68% of CROs. Geopolitical risk was cited by 56% and environmental risk, including the climate protection gap, was cited by 50%.

AI Risks

“Artificial intelligence (AI), including generative AI (GenAI), is among the hottest topics in C-suites and boardrooms across the insurance industry, as it is in other sectors,” the report noted. “CROs understand the need to adopt a governance model and risk management approach to address the unique and varied set of risks AI presents, including data security and privacy threats and regulatory concerns about ethics and bias, among others. The risk that insurers don’t do enough to embrace GenAI to drive innovation and business transformation should be on CROs’ radars, too.”

From a business perspective, insurers are at different stages in their AI journeys—from initial investments and pilots to more extensive deployments in data modeling and predictive analytics, the report stated. Preparations for AI and GenAI seem to be proceeding slowly and cautiously, though CROs recognize how much more activity will be necessary in the not-too-distant future.

Establishing enterprise AI governance structures is being investigated, or in progress at 60% of respondents, and fully implemented at 12, while 28% report no plans to implement such structures.

Half of respondents said their companies are investigating the establishment of controls to ensure responsible use of AI/ML in insurance decision making, such as for underwriting, claims processing or customer service. Nearly a quarter, 24% said this has been fully implemented, while 26% have no plans to do so.

Looking at the use of AI in the business, CROs have a range of concerns, the report noted. Asked where they see the most heightened risk from the use of ML, AI, GenAI or LLM in business, 61% said the model, including the risk of hallucination and “explainability,” was the top concern. Data privacy was second, at 49%, and consumer fairness and algorithmic bias was third, at 37%. Also, cybersecurity risk was cited by 32%.

ESG and Climate Change Risk

Environmental, social and governance (ESG) and climate risk are part of the risk management agenda.

Asked about the maturity of a company’s understanding of its exposure to physical and transition risks of climate change, only 3% felt they had a complete handle on these risks.

However, more than half—or 54%—felt they had a “complete complete” understanding of climate change risks, and 33% reported a preliminary understanding. Only 10% reported no understanding, or no intent to evaluate it.

Additional survey findings focus on the talent needs of risk management and the technical skills that CROs believe will be most needed.

Communication, interpersonal leadership and critical thinking skills was viewed as most important skill by 41% of respondents, followed by cybersecurity, 39%, and AI-based model risk management, 30%.

Learn more about the EY/IIF report on the IIS web site. &

The R&I Editorial Team can be reached at [email protected].

More from Risk & Insurance