EY and IIF: Four in Five CROs Rank Cyber Among Top Risks
Eighty percent of insurance chief risk officers rank cyber among their top five risks, according to a new report from EY and the Institute of International Finance. That was up 14 percentage points year over year.
The third annual EY–IIF global insurance CRO survey found that cybersecurity ranked well above strategic risk (44%), regulatory/compliance risk (41%), third-party risk (40%) and geopolitical/market risk (38%) when respondents were asked which risks will require the most attention from the CRO.
One in four respondents said data privacy and protection—including regulatory compliance—was their organization’s most important aspect of cyber risk. This was followed by protection against phishing (19%) and third-party/vendor cyber risk management (16%).
“The most notable shift in the CRO agenda over time is the rise of third-party risk as a persistent top-tier concern,” the report said. “This highlights growing recognition of dependency risk across extended value chains — particularly as operational resilience requirements, outsourcing oversight and vendor concentration concerns increase.”
Overall, 77% of respondents identified third-party and vendor cyber risk management as an important aspect of cyber risk for their organization. EY and IIF said that in the Americas, third-party risk is increasingly viewed through a technology and cyber lens tied to data access, control automation and vendor governance.
The findings come as insurance industry analysts raise concerns about emerging cyber risks tied to artificial intelligence. Fitch Ratings said Anthropic’s Mythos model has raised eyebrows in the financial and cybersecurity worlds. In the short to medium term, vulnerabilities will probably outnumber patches as the artificial intelligence tool is applied to cyber threat intelligence and incident response.
“AI is particularly disruptive to cyber risk because traditional vulnerability analysis was labor-intensive and offered limited financial upside for researchers, a gap AI now fills at scale and speed,” Fitch said in its brief on the cyber marketplace on Feb. 15. “This lowers barriers for attackers, expands third-party risks, and could materially increase attack volume.”
EY and IIF’s research shows that planned risk management enhancements over the next year “reinforce a shift toward stronger infrastructure and integration across both financial and nonfinancial risk management.”
Enhancements on the financial side remained anchored in core quantitative disciplines, the report said. Fifty-five percent of respondents, for example, pointed to risk appetite and limits as a planned enhancement in the next year, while 52% said they planned to enhance risk measurement, stress testing and scenario analysis.
Enhancement plans related to risk technology jumped by double digits year over year in both the financial and nonfinancial risk management arenas. Risk technology (58%) and controls/control framework (53%) were the top-planned nonfinancial risk management enhancements, followed by a three-way tie at 47% between governance, frameworks and policies and talent development.
“Overall, the data points to greater focus on infrastructure, integration and the critical role of human capital, rather than incremental, siloed improvements,” the report said.
CROs and other senior risk executives from 106 IIF member firms and other insurance companies in EMEIA, the Americas and Asia-Pacific were surveyed between November 2025 and January 2026. Participants were interviewed, completed an online survey or both. The research included a cross-section of the insurance sector by asset size, geographic reach and line of business.