Climate, data ethics and debt crisis emerge as long-term threats for insurers — EY

CROs are reporting stable headcount but rising demand for data skills


By Josh Recamara

Insurance chief risk officers (CROs) are reshaping their priorities around cyber threats, advanced technology and third-party dependencies as they respond to what they see as a faster, more interconnected risk environment, according to the latest EY/Institute of International Finance (IIF) global insurance risk management survey.

The third annual study, conducted between November 2025 and January 2026, gathered views from CROs and senior risk executives at 106 insurers across EMEIA, the Americas and Asia-Pacific.

Across the sample, cyber security, strategic risk and third-party dependency emerged as the dominant near-term concerns, with CROs also looking ahead to longer-horizon issues, such as climate transition, data ethics and skills shortages.

Cyber stays at the top of the risk agenda

Cyber security remains the defining near‑term priority for insurance CROs. It has ranked as the top risk for three consecutive survey cycles, from 2023 to 2025, reflecting both the persistence of the threat environment and heightened expectations from boards and supervisors around resilience and incident response.

Eighty per cent (80%) of CROs now place cyber in their top five risks requiring attention over the next 12 months. Nearly four in five (78%) say cyber threats and “digital hostilities” are the most significant way in which geopolitical developments affect their organizations.

Respondents increasingly view cyber as a multidimensional exposure rather than a discrete technology problem. Data privacy and protection is most frequently cited as the leading cyber concern, followed by protection against phishing and other social‑engineering attacks and the management of third‑party and vendor cyber risk.

In EMEIA, cyber is more often linked to regulatory oversight and obligations attached to outsourced services. In the Americas and Asia‑Pacific, CROs tend to frame cyber through the lens of technology resilience, control effectiveness and data protection.

Across markets, insurers are putting more weight on prevention, detection and recovery capabilities. Boards are demanding clearer key risk indicators, more frequent testing and better insight into incidents and service continuity. CROs are expected to demonstrate that their firms can contain and recover from attacks, not simply that they have checked compliance boxes.

AI and risk technology move from pilots to production

Advanced technology is reshaping both the risk landscape and the tools used to manage it. Insurers are moving quickly from experimentation to embedding artificial intelligence and automation into core operations.

Over the next three to five years, 60% of respondents list AI‑enabled risk solutions as a top technology priority, making it the headline item on CRO roadmaps. Enterprise governance, risk and compliance (GRC) platforms and automated control testing also remain high on the investment agenda, while a growing share of firms are building centralized risk data hubs to support analytics and monitoring.

The most common applications of AI in risk functions include chatbots integrated with internal systems, legal and document review, cyber analytics and digital fraud detection. Some insurers are extending AI to underwriting, pricing and horizon scanning for emerging threats.

Even so, CROs caution that the main obstacles to wider deployment are not primarily technical. Skill gaps in AI and data analytics, weaknesses in data quality and availability, budget constraints and the complexity of integrating new tools with legacy systems are cited as key constraints. Many firms also reported that first‑line governance and control frameworks have not yet caught up with the technology being rolled out.

To address this, a majority of insurers said they have now introduced enterprise‑level AI governance frameworks and formal policies on generative AI. These are intended to clarify ownership, set standards for data and model risk, and align AI use with supervisory expectations.

Third‑party dependency and operational resilience under scrutiny

Third‑party risk has risen steadily up the CRO agenda and is now a persistent top‑tier concern. Respondents highlighted increasing reliance on external providers for cloud, core systems, data services and specialist functions, alongside greater regulatory attention to outsourcing and concentration risk.

The survey also suggested that insurers are shifting from building discrete “resilience capabilities” to governing operational resilience as an integrated discipline. Over the next five years, CROs are expected to assign high priority to cyber resilience, critical business service frameworks and third‑party risk management, as well as technology disaster recovery, crisis management and business continuity.

When asked about the capabilities they are most focused on strengthening, two‑thirds of firms point to vulnerability management, including vendor oversight. Governance and oversight, penetration and end‑to‑end testing, and technology enablement are also prominent. Data restoration, measurement and monitoring, and talent and upskilling round out the picture.

Meanwhile, CROs said the surge in third‑party relationships has increased the complexity of partner‑related risks and made consistent resilience across ecosystems a board‑level issue. Supervisors in major markets are echoing this view through evolving operational resilience and outsourcing rules.

From framework build‑out to data‑driven execution

Internal control environments are also being reshaped. After several years focused on establishing standardised frameworks and closing execution gaps between the first and second lines, insurers are now concentrating on how controls are operated, monitored and evidenced.

Over the next 12 months, respondents’ top priorities for internal controls include improving control frameworks and standards for risk identification and design; enhancing testing and monitoring; and increasing the use of AI and emerging technologies to support control monitoring, testing and documentation. Many also plan to rationalise key controls to reduce duplication and strengthen governance.

CROs acknowledge that the rapid expansion of regulatory requirements has sometimes produced fragmented compliance activity. The survey indicated that more attention is now being given to control performance metrics, reporting and issues management, with the aim of producing clearer, more timely evidence of effectiveness and remediation.

Climate, data ethics and systemic pressures

Beyond the 12-month window, CROs identified a cluster of emerging risks that they believe will shape their roles over the next five to 10 years. Data privacy and data ethics, climate transition risk and a potential global debt crisis topped the list, followed by concerns about information reliability, skills shortages and the implications of technologies such as quantum computing and autonomous systems.

In the Americas and Asia-Pacific, data privacy and ethics are more frequently ranked as top concerns, while EMEIA respondents placed relatively greater weight on climate transition. Social fragmentation, geopolitical instability and AI governance were also mentioned as factors that could alter the overall risk landscape for insurers.

CRO role moves closer to the centre of strategy

Taken together, the survey findings portray an insurance sector where risk management is moving further into the centre of strategic decision‑making.

CROs reported that boards and executive teams are drawing more heavily on real‑time risk insights, scenario analysis and trigger‑based monitoring, in place of purely calendar‑driven reviews. They also noted a shift away from volume‑driven control activity toward a model that emphasises judgement, business partnership and resilience.

As insurers confront a world of more frequent shocks, tighter technology and data interdependencies and evolving regulatory expectations, the CRO’s ability to balance independence with deep engagement across the business is likely to remain a central test of how effectively firms manage risk.
