Three strategic actions for insurance CROs in 2026

The third annual EY/IIF survey finds insurance CROs faced with an evolving risk landscape defined by speed, volatility and interconnection.


In brief

  • Insurance risks are increasing rapidly and becoming more complex as nonlinear forces from geopolitics, technology, climate and regulation converge.
  • Cyber, third‑party risk, operational resilience and AI remain enterprise-level priorities for CROs.
  • CROs see advanced technologies such as AI, high‑quality data and a digitally skilled workforce as critical components for next‑generation risk management.

The pace and complexity of risk have intensified. Risks that once emerged gradually now erupt without warning. Decision windows have compressed. Disruptions that begin in one corner of the organization can cascade across technology, third parties, operations and markets in ways few risk management frameworks were designed to anticipate.

This is a NAVI world — one defined by change that is nonlinear, accelerated, volatile and deeply interconnected. And it is fundamentally reshaping what it means to be a chief risk officer (CRO).

How the insurance risk landscape continues to shift

Findings from the third annual EY/Institute of International Finance (IIF) Global Insurance Risk Management Survey point to three key actions that signify a shift from incremental improvement to more integrated, execution‑focused risk leadership.

The focus is no longer on protecting the organization from traditional business-related risks, but rather on anticipating how the next threat, disruption or innovation will force the organization to change, while simultaneously aligning to strategic objectives. Cyber and technology risks dominate the near‑term agenda. AI and automation are moving rapidly from pilots to scaled deployment. Operational resilience is no longer treated as a compliance obligation — it has become an enterprise and customer expectation, and risk organizations are being reshaped to deliver greater forward-looking insights to their business partners.

Drawing on insights from CROs across regions, lines of business and organizational sizes, the survey reveals a profession at an inflection point. As volatility becomes the norm and disruption the default, risk leadership is evolving from a defensive function into a strategic capability — one that helps insurers withstand shocks, enable growth and move forward with confidence.

“The CRO profile has evolved from being purely technical to being seen as a trusted advisor to boards,” one survey respondent said.

1. Strengthen cyber and frontline defenses

Cyber risk remains the top priority for CROs, fueled by rising digital threats — including AI‑enabled attacks — alongside expanding third‑party ecosystems, geopolitical tensions and increasingly data‑intensive operations. What has changed is not just the scale of the threat, but its interconnected nature. Cyber incidents now cascade rapidly across vendors, critical services and customer channels, turning localized failures into enterprise‑level events.

For insurers, this reality exposes a structural weakness. Distribution partners, third-party administrators, cloud providers and modeling vendors are no longer peripheral dependencies — they sit at the core of service delivery.

As a result, third‑party risk has become a primary systemic exposure. Treating cyber risk, third‑party risk and operational resilience as separate disciplines no longer reflects how disruptions actually unfold.

Leading CROs are responding by unifying these capabilities into a single, integrated model. That means shifting from periodic assessments to continuous monitoring, and from fragmented ownership to enterprise‑level governance.

“The growing complexity of IT security and third-party risk is demanding more of our attention and resources than ever before,” one survey respondent said.

Practical steps include:

  • Maintaining a tiered inventory of third‑ and fourth‑party providers mapped to critical business services
  • Expanding continuous monitoring for exposures and concentration risk
  • Increasing scenario testing and resilience reporting to boards
  • Embedding resilience expectations into contracts, including recovery time and recovery point objectives, and evidence of data restoration

CROs are also strengthening frontline defenses by hardening identity and privileged-access management (PAM) and deploying stronger data-loss controls across cloud and third-party environments. They are also reinforcing protections against phishing and business email compromise, while running regular tabletop exercises to improve user resilience. Increasingly, AI is being used to support threat detection, triage and automated control assurance.

The goal is preparedness: the ability to absorb shocks, recover quickly and demonstrate resilience with confidence.

Cyber risk remains a top priority for CROs

  • 80% of CRO respondents say that cybersecurity risk will require the most attention over the next 12 months.
  • 77% ranked third-party and vendor cyber risk management among the top five most critical aspects of cyber risk.

2. Modernize governance, data and controls

While cyber dominates the near‑term agenda, the survey makes one point unmistakably clear: governance and controls remain a top priority for insurers. This trend is reinforced by the need for continued maturation of AI governance mechanisms. As regulatory scrutiny shifts and requirements diverge across regions, CROs are under pressure to prove that risk frameworks, controls and accountability structures can keep pace with the myriad of emerging risks introduced by AI.
 

Modernizing the foundation starts with governance. As the adoption of advanced technologies accelerates, CROs are updating their governance and risk frameworks by refreshing control taxonomies and standards, clarifying ownership, automating controls and investing in AI-enabled testing, monitoring and exception detection — including new approaches to managing third-party risk in a rapidly changing risk landscape. Quantitative control key performance indicators (KPIs) and key risk indicators (KRIs) are becoming standard, enabling boards and executives to access real-time, self-service risk insights and drive performance-based oversight.
 

Data is a critical piece. Fragmented legacy environments and inconsistent data quality remain the biggest barriers to AI adoption and more real-time risk insights. In response, leading organizations are building risk data hubs with clear lineage, metadata and a single source of truth for critical risk and regulatory data. Automating aggregation and rationalizing legacy feeds further reduces friction and improves responsiveness.
 

A less mature but increasingly important area is digital assets. Many insurers have yet to define a clear risk position on crypto, tokenized assets or stablecoin exposure. This creates an opportunity for CROs to lead early: setting exposure limits, updating policies and embedding controls and third‑party diligence before these activities scale.
 

Ultimately, CROs who strengthen governance, modernize data foundations and proactively tackle emerging risk areas will be best positioned to provide scalable controls, instill regulatory confidence and deliver real‑time risk insights as complexity accelerates.

Using technology to manage risk

  • 60% of CROs are prioritizing GenAI-enabled risk management solutions to enhance their risk technology capabilities.
  • 57% of organizations identify chatbot use, e.g., LLM integration, as their primary AI application in risk management.
  • 33% of CROs say that improving access to and use of data to deliver better and more frequent insights is a top priority.

3. Transform the risk workforce and operating model for a digital future

Technology is not only changing the nature of risks but also transforming how risk work is performed. AI is rapidly expanding across underwriting, claims, fraud, controls, cyber and customer operations, making dynamic governance structures and flexible risk management approaches increasingly essential. For risk functions, this shift is less about headcount and more about enhancing capabilities.

The survey results show CROs are redesigning operating models to deliver higher productivity with stable or modestly growing teams. Automation is absorbing routine tasks. AI is accelerating analysis and testing. What remains — and grows in importance — is judgment, interpretation and engagement with the business.

As one CRO noted, “When technology is no longer a barrier, qualities like curiosity and creativity become even more essential for our teams.”

To support this shift, CROs should:

  • Invest in targeted upskilling programs that build AI literacy, data fluency, automation skills and agile ways of working, complemented by selective specialist hiring in areas like cyber
  • Redesign risk organizations to align around products and platforms, supported by global capability centers and AI‑powered workflows
  • Create hybrid AI risk specialist roles – professionals who blend domain experience with AI and data skills, capable of translating technical insights into business decisions
  • Develop career paths that move beyond rigid ladders to flexible lattices, rewarding adaptability, curiosity and cross‑functional experience

The future risk function will be leaner, more digitally fluent and deeply embedded into business operations and innovation. The CRO’s challenge is to ensure this transformation strengthens, rather than weakens, risk independence and insight.

Top skill sets to better manage risk in the next three years:

  1. Ability to adapt to a changing risk environment (66%)
  2. Digital acumen, e.g., technology, data, AI, programming (55%)
  3. Soft skills, e.g., leadership, relationship building, communication, negotiation, active teaming (49%)
  4. Understanding of the business and products (45%)
  5. Deeper specialization in at least one domain, e.g., credit, cyber (24%)

Transforming the risk workforce

  • 78% expect to reduce traditionally manual roles, e.g., testing, data analysis, reporting.
  • 63% expect to increasingly emphasize upskilling in data analytics, model interpretation and AI tools.
  • 50% expect hybrid AI-risk specialists to emerge, combining domain knowledge with AI skills.

The future of insurance risk leadership

In today’s environment, resilience is no longer just about withstanding shocks; it is about readiness for what comes next. Emerging technologies, evolving market structures and persistent geopolitical uncertainty will continue to reshape the risk agenda — often faster than organizations expect, and in ways that defy linear planning.

For CROs, the implication is clear. The role is to help the organization anticipate disruption, respond decisively and maintain confidence amid uncertainty. That requires collaboration with business and technology teams; tighter integration across cyber, third‑party risk and operational resilience; stronger governance, data and controls to support digital transformation; and a risk workforce equipped with the digital fluency and judgment to operate at speed.

CROs who act on these priorities will do more than mitigate risks. By leaning into forward‑looking analytics, enterprise leadership and digitally enabled operating models, they will help shape how their organizations grow — making risk management a source of strategic advantage rather than a constraint.

Summary

Findings from the third annual EY/IIF Global Insurance Risk Management Survey show risk leaders shifting from oversight and compliance to strategic risk leadership. Today’s CROs operate in a landscape where risks emerge faster and cascade across enterprises in ways traditional models struggle to predict. Three actions can help CROs respond: strengthen cyber defenses; modernize governance, data and controls to enable digital transformation; and reshape the risk workforce and operating model for a more digital, execution‑focused future.
