- CROs cite cybersecurity threats and digital hostilities as the most significant geopolitical impact on their organizations (79%).
- Operational resilience continues to be a board-level priority, with cyber resilience (66%), critical business services (60%) and third-party risk management (56%) among top focus areas.
- Risk technology (58%) and operating model changes (42%) are driving a more integrated, enterprise-wide approach to risk governance.
As insurers accelerate the adoption of enterprise-wide technologies across business functions and decision-making, cybersecurity remains the dominant risk for global insurance chief risk officers (CROs), ranking as the No. 1 threat again this year and across all three survey cycles.
This is according to the third annual EY–Institute of International Finance (IIF) Global Insurance Risk Management Survey. Based on insights from over 100 organizations across EMEIA, the Americas and Asia-Pacific, the findings highlight how CRO priorities are sharpening amid geopolitical volatility, accelerating AI adoption and shifting regulatory expectations.
While last year’s survey pointed to cyber and geopolitical risks rising in parallel, the latest findings show cyber has pulled ahead — redefining the near-term CRO agenda and outpacing all other threats in prevalence, regulatory focus and operational impact.
Eighty percent of insurance CROs surveyed rank cyber among their top five enterprise risks, with 30% of respondents identifying it as their top threat. At the same time, the risk landscape is becoming more complex, with cyber exposures increasingly linked to third-party dependencies, expanding data privacy requirements and more sophisticated attack vectors.
Geopolitical tensions are compounding these pressures, with 79% of CROs surveyed citing cybersecurity threats and digital hostilities as the most significant geopolitical impact on their organizations. As a result, cyber risk has moved beyond IT to become a core enterprise issue shaping resilience, regulatory scrutiny and board-level oversight.
Jonathan Zhao, EY Global Insurance Leader, says:
“Together, these trends signal a fundamental transformation in how risk functions operate, expanding both the CRO’s toolkit and their responsibility to enable safe, value-driven innovation. The most effective CROs will be those who can strike the right balance: embedding robust governance while harnessing AI to deliver sharper insights, faster decisions and greater resilience across the business.”
Philippe Brahin, IIF Director, Insurance and NBFI Regulation and Policy, says:
“This year’s survey underscores that insurers are operating in a risk environment that is not only moving faster but becoming more interconnected. Cyber risk has risen to the top of the CRO agenda not simply because of its volatility, but because it cuts across operations, third parties, customers and financial resilience all at once. In that context, the role of the CRO is evolving beyond oversight alone, toward shaping enterprise-wide governance that strengthens resilience, informs decision-making and helps firms innovate with greater confidence.”
AI adoption accelerates as insurers scale deployment and strengthen risk oversight
Artificial intelligence is no longer confined to isolated pilots within risk functions, with a clear shift toward enterprise-level deployment. In 2025, most insurers were still in the early stages of adoption — only 23% of organizations reported having implemented one or more automation or advanced analytics use cases to enable risk management activities, while 44% indicated that use cases had been identified and were actively being explored, rather than deployed.
The latest findings show that adoption has since accelerated, with more than half of organizations now deploying AI tools for risk management across areas such as general use of chatbots (57%), legal and document analysis (42%) and cyber analytics (38%).
As adoption accelerates, governance is evolving in parallel — 62% of firms have implemented enterprise AI governance structures and 55% have introduced formal AI policies, reflecting growing awareness of model risk, data quality and accountability. At the same time, skills gaps, data limitations and budget constraints remain meaningful barriers to the full realization of AI’s potential.
Operational resilience continues to be a board-level priority
In 2025, CROs emphasized strengthening resilience through governance, oversight and cyber readiness, with boards driving enhancements across critical areas such as disaster recovery, business continuity and third-party dependencies.
This focus has intensified and become more structured, with resilience evolving from a compliance exercise into a demonstrable, enterprise-wide capability. Cyber resilience (66%), critical business services (60%) and third-party risk management (56%) now rank among the top priorities, alongside increased investment in testing, vulnerability management and end-to-end recovery planning.
Risk governance and operating models evolve
Risk governance and operating models are undergoing a significant evolution as insurers respond to rising regulatory fragmentation and an expanding range of nonfinancial risks. In 2025, CROs focused on strengthening core foundations — enhancing frameworks, controls and coordination across the three lines of defense — while increasing alignment with the business and internal audit to improve consistency and oversight.
By 2026, this effort has become more integrated and enterprise-wide, with organizations prioritizing a broad set of nonfinancial risk enhancements. Risk technology emerges as the leading focus (58%), followed by controls and control frameworks (53%), while governance, frameworks and policies, and talent development (each 47%) also rank among the top priorities. Operating model changes (42%) and improvements in risk identification and assessment (39%) are also widespread.
Regulatory fragmentation and increasing board engagement are driving a more integrated, enterprise-wide approach to governance — one that requires streamlined data, consistent definitions and end-to-end visibility, while emphasizing greater clarity, accountability and defensibility.
Jonathan Zhao adds:
“Operational resilience is no longer viewed as a compliance requirement — it has become a core enterprise capability and a priority for boards. As expectations increase, CROs are being asked to demonstrate not just preparedness, but the ability to respond and recover in a structured, repeatable way. At the same time, this is accelerating a broader shift in risk governance, with more integrated, enterprise-wide models that bring together data, controls and oversight.”
A turning point for risk leadership
The role of the CRO is reaching an inflection point, as risk leadership shifts from oversight to strategic enablement. In 2025, CROs were already expanding their influence, with 75% reporting increased involvement in major enterprise-wide change initiatives and growing engagement in business strategy, transformation and innovation.
In 2026, risk functions continue to play a central role in decision-making, with 76% of CROs reporting increased involvement in enterprise-wide change initiatives. As cyber threats intensify, AI adoption scales and regulatory expectations shift, the focus is no longer solely on control and compliance, but also on enabling resilience, supporting growth and transformation and guiding the organization through uncertainty.
-ENDS-
Notes to editors
About EY
EY is building a better working world by creating new value for clients, people, society and the planet while building trust in capital markets.
Enabled by data, AI and advanced technology, EY teams help clients shape the future with confidence and develop answers for the most pressing issues of today and tomorrow.
EY teams work across a full spectrum of services in assurance, consulting, tax, strategy and transactions. Fueled by sector insights, a globally connected, multi-disciplinary network and diverse ecosystem partners, EY teams can provide services in more than 150 countries and territories.
All in to shape the future with confidence.
EY refers to the global organization, and may refer to one or more, of the member firms of Ernst & Young Global Limited, each of which is a separate legal entity. Ernst & Young Global Limited, a UK company limited by guarantee, does not provide services to clients. Information about how EY collects and uses personal data and a description of the rights individuals have under data protection legislation are available via ey.com/privacy. EY member firms do not practice law where prohibited by local laws. For more information about our organization, please visit ey.com.
This news release has been issued by EYGM Limited, a member of the global EY organization that also does not provide any services to clients.
Methodology
The global EY organization, in conjunction with the IIF, surveyed IIF member firms and other insurers in each region globally from November 2025 through January 2026.
Participating insurers’ CROs or other senior risk executives were interviewed, completed a survey, or both. In total, 106 organizations across EMEIA, the Americas, and Asia-Pacific participated.
Participating insurers were fairly diverse in terms of asset size, geographic reach, and line of business. Regionally, those firms were headquartered in Asia-Pacific (9%), EMEIA (42%), and the Americas (49%).