The Biggest Threat: Concentrated Vendor Risk
Peter Foster does not hesitate. “The third-party risk is the systemic risk that most underwriters worry about,” he says. “If you compromise 100 to 1,000 companies at a single point of failure, that’s the future risk that’s also here and now.”
Foster, Chairman of Willis’ Global FINEX Cyber Solutions, warns that today’s soft pricing can snap back fast. “One systemic event could take pricing off again,” he says. “We still see short-term business interruption losses and long-tail privacy losses hitting even as premiums are going down.” That mismatch keeps him uneasy.
Boards’ Confidence vs. Claims Reality
Willis’ new Cyber in Focus 2025 report backs him up. It finds boards often feel “ready,” but claims tell another story: losses run longer, broader, and costlier than leaders expect. The study draws on 4,650 claims and board-level data to make the point bluntly.
Foster’s framing fits that thesis. He sees “big privacy losses” returning to the foreground—particularly from pixel/analytics tracking practices—alongside persistent ransomware. “Data collection risk is a key risk the market is looking at more closely, in order to keep that data collection risk covered,” he says.
Ransomware Economics: Fewer Payers, Bigger Asks
What about payment spikes? “Because fewer companies are paying ransoms, attackers are asking for more,” Foster says. He has watched multi-million-dollar demands re-emerge. The incident count remains high, he notes, but better handling keeps many cases out of the headlines. Insurers triage with specialist firms; insureds lean on playbooks. “We’re better at managing it now,” he says, but it’s still a drain.
Small Business Reality Check
Foster rejects the myth that SMBs are too small to target. It’s happening to “mom-and-pop businesses,” he says. Some can’t afford outside help and “just take the loss and start systems over.” He argues insurance can narrow that gap by bundling risk-management services. “Underwriters bring tools from third parties to reduce risk because they want to help you get there and give you better coverage and pricing,” he says.
That point echoes Cyber in Focus 2025: preparedness is uneven; impacts are underestimated; vendor and privacy exposures are rising while many firms still treat them as secondary.
Governance Shift: The CISO Moves Up
Foster has also watched the org chart change. “For years, the CISO reported to the CIO,” he says. “Now I see the CISO reporting to the CFO or CEO because this risk is core to the enterprise.”
He links that to reputation, finance, and strategy: “If your network fails, your business fails.”
The stress is showing. “CISO burnout is real.”
Willis’ board-facing work mirrors that shift. The firm advises directors to assess resilience through drills, staffing, tabletop exercises, and the ability to fund and demonstrate controls, because if the board cannot demonstrate them, the claims file will.
Drills, Not Luck
Underwriters start renewals with one question, Foster says: What changed in your security organization since last year? “Staffing, investments, tabletop exercises, technology—if the security organization isn’t evolving, that’s a red flag,” he says. Cyber drills are the new fire drills. The companies that practice recover faster and bargain better.
Pixels, Privacy, and The Long Tail
Foster keeps returning to privacy. Pixel-driven data leakage, class actions, and regulatory heat have revived long-duration liability. This aligns with Willis’ prior client alerts regarding Meta Pixel exposures and recent European scrutiny of tracking technology. The bottom line: marketing code can become a cyber insurance claim.
The AI Risk: Coverage Breadth vs. New Gaps
AI widens the blast radius. “AI is already infiltrating business,” Foster says. He worries about privacy, security, tech E&O, IP, and discrimination claims, often arising outside traditional tech sectors.
His “what keeps me up at night” scenario: a manufacturer gets sued for professional liability because its use of AI software harms a partner. “They never bought a professional liability policy,” he says. Underwriters are hesitant to extend E&O to such buyers. Expect new debates and gray-zone disputes over wording as AI-driven harm spreads.
To Pay Or Not To Pay Ransomware
Should ransomware payments be banned? Foster agrees that no one wants to fund bad actors or terrorists, but he thinks a hard ban would crush small firms and could disrupt the delivery of healthcare services. “If the only way to get back online is to pay $30,000, that’s a difficult choice for someone’s life’s work or if a healthcare provider needs the network to provide care,” he says. He notes many financial institutions have adopted internal no-pay positions, but a universal prohibition would “really hurt small business and jeopardize quality of healthcare.”
Law enforcement will always advise against paying, because a payment funds criminal conduct and because attackers share victim information on the dark web. Still, Foster argues policy must at times reflect operational reality.
Market Now, Market Next
Today’s cyber market looks competitive, even soft, he says. Willis’ earlier 2025 outlook projected stable rates and ample capacity, at least in the near term. However, Foster’s caution stands: one systemic vendor failure could quickly shift sentiment.
Meanwhile, he sees “more efficient platform play” making procurement easier and broadening regional uptake. That could bring more buyers into the pool if claims stay contained.
Takeaway For Boards
Foster’s message to directors is stark. Don’t confuse confidence with readiness. Treat third-party dependencies and data collection as core balance-sheet risks. Fund the basics. Prove them in drills. Demand that security, legal, and marketing speak the same language about pixels, consent, and logs. And assume AI will test the edges of your policies.
The Willis data agrees: boards say they’re ready, but claims say otherwise. The gap is costly, both in terms of reputation and finances. Close it before a shared vendor becomes your single point of failure.