A majority of insurance chief risk officers (CROs) expect cybersecurity to require the most attention over the next 12 months, while a significant proportion also place third-party and vendor cyber risk among their top five concerns, according to findings from EY, a professional services firm.
The firm reports that many CROs are prioritising generative AI-enabled risk management capabilities, with chatbot and large language model integration emerging as the most common application.
At the same time, most organisations anticipate reducing manual roles within risk functions and increasing investment in data, analytics and AI skills.
The findings are drawn from EY’s third annual Global Insurance Risk Management Survey, conducted in collaboration with the Institute of International Finance (IIF).
The report is authored by Stu Doyle, EY Americas Insurance Nonfinancial Risk Leader, and Jonathan Zhao, EY Global Insurance Leader and EY Hong Kong Financial Services Managing Partner, and reflects responses from CROs across regions, business lines and organisational sizes.
According to EY, the results point to a risk environment defined by increasing speed, complexity and interconnection. Geopolitical developments, technological change, climate pressures and evolving regulation are combining to create risks that emerge more abruptly and spread more widely across organisations.
EY reports that cyber risk, operational resilience, artificial intelligence and third-party dependencies have become central enterprise concerns. The survey indicates, according to EY, that insurers are shifting their focus from managing traditional risks towards anticipating how disruption and innovation could reshape their business models and operations.
In response to escalating cyber threats, EY finds that insurers are bringing together cyber risk, third-party risk and operational resilience into more integrated frameworks. This includes expanding continuous monitoring, strengthening governance and increasing scenario testing, alongside closer oversight of third- and fourth-party relationships.
EY also highlights that governance and controls remain a core priority, particularly as AI adoption accelerates and regulatory expectations continue to diverge across jurisdictions. Insurers are updating control frameworks, clarifying accountability and introducing more automated monitoring and testing capabilities, according to EY.
Data remains a critical area of focus. EY reports that many CROs are prioritising improved access to high-quality, consistent data to enable more timely and actionable risk insights. Investment in centralised data platforms is helping organisations address fragmentation and support more effective use of advanced technologies.
The survey further shows, according to EY, that the risk workforce is undergoing structural change. CROs expect automation to reduce routine tasks, while demand grows for skills such as data literacy, digital expertise and business understanding. EY notes that hybrid roles combining risk, data and AI capabilities are expected to become more prominent.
EY concludes that the role of the CRO is continuing to evolve into a more strategic position, with greater involvement in business decision-making and organisational transformation.
Firms that strengthen governance, enhance data capabilities and build digitally skilled teams will be better placed to manage increasing complexity and maintain resilience in a rapidly changing risk environment, according to EY.
