AI cyber threat surge leaves most firms underprepared, BCG survey warns

A new Boston Consulting Group report shows a growing gap between artificial intelligence-powered attacks and how companies defend against them. The report points to rising losses, more executive worry, and slow investment, even as threats increase. BCG surveyed 500 senior leaders worldwide across different industries and regions to highlight the seriousness of the problem.

What The Report Measured

BCG surveyed 500 senior leaders, including CEOs, CISOs, and other executives, from companies, suppliers, regulators, and academia. The companies ranged from less than $100 million to over $1 billion in revenue. The survey included sectors like banking, government, technology, health care, and energy.

Three Pressures Hit Security Teams At Once

BCG says organizations face three main challenges at the same time. They need to stop AI-powered attacks, use AI to improve their defenses, and protect the AI systems they create or use. BCG describes this as a sudden increase in complexity.

Executives Rank AI Cyber Threat As A Top Business Risk

Awareness of these cyber threats is now common in boardrooms. The report says 53% of leaders list AI-enabled cyber threats among their top three risks. Tech leaders are most concerned at 65%, followed by banking at 58% and health care at 55%.

This concern matches new incident trends. Sixty percent of organizations say a recent cyberattack was probably driven by AI. Fourteen percent say attacks were definitely AI-enabled, and 46% suspect AI was involved.

Attackers Scale Faster Than Defenders

BCG’s main finding is striking for security buyers. Sixty percent of organizations likely faced an AI-powered cyberattack in the past year. Only 7% have installed AI-driven defense tools, while 88% say they plan to use them.

Shoaib Yousuf, a BCG managing director and coauthor of the report, framed the imbalance in plain terms. “AI is enabling a new era of cyber threats that are faster, more deceptive, and more scalable,” he said. “But most companies are still stuck with outdated tools and underfunded strategies, leaving them highly exposed.”

Deepfakes, Ransomware, And Robocalls Show The New Playbook

The report shares three case studies showing real operational and financial harm. In one, a health care provider was hit by an AI-encrypted ransomware attack. The attack shut down records, billing, and surgery scheduling systems. Hospitals had to delay surgeries and redirect admissions while recovering.

In another case, deepfake technology was used for financial fraud. An employee joined a fake video call that impersonated senior executives. The scam led to 15 transactions across five banks, costing about $25 million.

A third case involved AI voice cloning in an election-themed robocall campaign. Attackers faked voter communications on a large scale. Regulators fined a telecom provider $1 million after the campaign, and the provider had to improve compliance and monitoring.

Budget And Talent Bottlenecks Stall AI Defense

BCG points to five barriers that slow down AI defense programs. Leaders most often mention budget limits at 56%, followed by talent shortages at 54%. Other barriers include leadership gaps, vendor options, and being locked into certain vendors.

Budgets remain tight. Only 5% of respondents say their cybersecurity budget increased significantly because of these attacks. Most firms have made only small increases over the past two years.

Hiring is even more difficult. Sixty-nine percent report trouble finding AI cybersecurity talent. The banking sector feels this most, with 83% saying hiring is a challenge.

AI Defense Tools Lag Maturity

Even companies that have AI tools often see themselves as early in their development. Only 25% say their AI cyber defense tools are advanced, while the rest say their tools are new and untested. BCG warns that as agentic AI develops, this gap will widen.

Leaders expect even greater threats in the next two years. They rank AI-enabled financial fraud as the top risk at 43%, followed by AI-powered social engineering at 39%. They also highlight AI-driven vulnerability discovery and adaptive malware.

BCG also points out that policies are unclear. While 72% of regulators have issued or drafted AI-cyber rules, 70% of respondents do not know about them or are unsure. This uncertainty makes planning and procurement slower.

What CEOs, CISOs, And Insurers Should Watch Next

BCG urges CEOs and CISOs to work closely together. The report recommends making AI security a board-level priority with clear results. It also suggests using multiple vendors and building AI systems with security in mind from the start.

Vanessa Lyon, global director at BCG’s Center for Leadership in Cyber Strategy, used blunt language. “The era of passive cyber defense is over,” she said. “Attackers are moving at machine speed.”

For cyber insurers, BCG recommends preparing for more deepfake payment fraud and business interruptions from ransomware. Insurers should ask about voice verification, payment controls, and AI governance. Claims teams should also get ready for more cases involving social engineering endorsements.
