
A new era of cyber risk is taking shape across Asia Pacific as threat actors add generative AI tools to their arsenal.
The region experienced 34 per cent of global cyber incidents in 2024 – more than any other region in the world – and insurers face new challenges as underwriters grapple with an AI-fuelled surge in cyber risks and evolving regulatory requirements.
While traditional phishing emails have become easier to spot, thanks to telltale grammatical errors and a boost in cyber risk awareness, GenAI tools like WormGPT (the hacking community’s answer to ChatGPT) allow low-skill actors to launch highly convincing, grammatically correct phishing and business email compromise attacks at scale.
Synthetic media like deepfake technologies now enable impersonation of executives through video and audio manipulation, fueling misinformation and fraud.
Fertile hunting ground
Asia Pacific has become a fertile hunting ground for cyber criminals, thanks to drivers such as rapid digitisation, decentralised technology adoption and gaps in cybersecurity maturity – particularly among SMEs and supply chain vendors.
Data from the IBM X-Force 2025 Threat Intelligence Index shows key impacts of cyber attacks in Asia Pacific last year included data theft (12 per cent), credential harvesting (10 per cent) and extortion (10 per cent).
Adam Peckman, Head of Risk Consulting & Cyber Solutions – Asia Pacific, and Global Head of Cyber Risk Consulting – Cyber Solutions at Aon in Singapore, says the emergence of GenAI tools is dramatically reshaping the cyber threat landscape in Asia-Pacific.
“These technologies are enabling threat actors to launch more sophisticated, scalable and targeted attacks at a fraction of the cost and effort previously required,” he says.
“Tools like WormGPT and synthetic media are removing traditional barriers to entry, allowing even low-skilled actors to execute highly tailored campaigns.”
The GenAI cyber toolkit
In 2024, Aon observed a 53 per cent increase in deepfake-driven social engineering incidents across Asia Pacific, contributing to a 233 per cent rise in related insurance claims.
“These attacks are not only more convincing but also more difficult to detect, especially when used to impersonate executives or manipulate digital identities,” says Peckman.
“As a result, organisations are facing a new era of cyber risk – one where the speed, scale and precision of attacks are outpacing traditional defences.”
Nicholas Blackmore, a Partner at law firm Kennedys who specialises in cyber incident response, says GenAI tools are expanding the risks associated with social engineering.
“We've seen a couple of incidents recently where threat actors have exfiltrated data, but instead of then installing ransomware on the system, they'll contact the victim pretending to be a security researcher and asking for a ‘fee’ for identifying their security issue,” he says.
“Previously, most threat actors couldn't really do that, because they weren't able to write something that sounded convincingly like a professional English-speaking security researcher – but with generative AI, they're now much closer to the mark.”
Munich Re has seen strong momentum in cyber insurance uptake across Asia Pacific, including Australia. It estimates that the global cyber insurance market totalled US$15.3 billion in 2024.
Emma Cronin, Senior Cyber Underwriter, Munich Re Australasia, says Munich Re expects the current global premium volume to more than double by 2030, growing at an average annual growth rate of more than 10 per cent.
“Despite the overall positive market development, a significant cyber protection gap remains,” says Cronin. “Our global survey found that 87 per cent of C-level executives still consider their organisation’s cyber protection inadequate.”
Evolving regulations
Regulatory frameworks are also evolving in response to sophisticated cyber threats. For example, the Monetary Authority of Singapore’s Notice on Technology Risk and Notice on Cyber Hygiene came into effect in May last year and apply to all financial institutions operating in the city state.
This means insurers face obligations such as implementing a framework and process to identify critical systems, and establishing a recovery time objective of no more than four hours for each critical system.
The maximum penalty for data breaches under these laws is S$1 million, and more if a data breach reveals multiple compliance infractions.
In March this year, the Hong Kong Legislative Council passed the Protection of Critical Infrastructure (Computer System) Ordinance, which is set to come into effect in early 2026.
It focuses on protecting critical infrastructure and will bring Hong Kong in line with the global trend of increasing requirements for cybersecurity and operational resilience.
Sectors including financial services are covered by the Ordinance, which means insurers will be required to strengthen computer systems and report cybersecurity incidents or risk penalties of up to HK$5 million.
Blackmore adds that most countries now have some form of notification requirement following severe cyber incidents.
“Australia has had mandatory notification for serious data breaches and cyber incidents affecting critical infrastructure since 2018,” he says.
“If an organisation experiences a cyber incident, they now often have to notify multiple authorities under multiple laws, and there may be additional authorities that they choose to notify voluntarily.
“Much of our work involves helping insureds comply with these notification requirements after a cyber incident has occurred, because under cyber insurance policies, the insurers don't just foot the bill for the costs of the incident – they actively help their insureds with their investigations and regulatory compliance.”
Response from insurers
Michael So, Managing Director of Henderson Insurance Consultants Limited and Founding President of AiX Society in Hong Kong, says that as cyber threats escalate across the Asia Pacific region, insurers must move beyond static, uniform policy models and embrace dynamic, data-informed strategies that reflect the real-time cyber posture of each insured organisation.
“First, it's essential to shift away from ‘one-size-fits-all’ cyber policies,” he says. “Insurers should tailor coverage based on a company’s specific risk exposure, industry sector and digital infrastructure.
“Organisations that handle sensitive data, operate complex digital platforms, or face elevated threat levels will naturally require more specialised and granular coverage structures.”
So also considers the application of sublimits for high-severity risks – such as ransomware, system outages, or major data breaches – to be a necessary control.
“This helps insurers manage aggregate risk while encouraging policyholders to enhance prevention and response capabilities.”
So adds that insurers should evaluate the technical posture of an organisation, whether it has invested meaningfully in protection and whether cybersecurity is driven internally by dedicated professionals or reputable security providers.
“Companies that demonstrate a strong commitment to safeguarding their systems and data – through certified partners, modern security architecture, or 24/7 monitoring – should receive recognition in the form of adjusted or preferential premiums,” he says.
“This ties closely to the adoption of AI-powered tools for ongoing risk assessment. Instead of relying solely on annual surveys or point-in-time audits, insurers should enable real-time scanning or quarterly posture reports to accurately reflect how a company’s risk profile evolves over time.
“Furthermore, the role of a professional insurance intermediary with cybersecurity expertise cannot be overstated,” So says.
Organisations like Aon are helping clients navigate the increasingly complex cyber landscape by combining data-driven insights with tailored risk transfer strategies.
Its CyQu platform, for example, benchmarks more than 10,000 organisations globally and provides a clear view of a company’s cyber maturity and insurability.
“This enables clients to prioritise investments, improve underwriting outcomes, and make more informed decisions,” says Peckman. “In 2024, we observed a 16 per cent improvement in critical controls for APAC companies adopting the CyQu.”
Cronin says that while GenAI tools are reshaping the threat landscape, lowering the barriers to entry for cybercriminals and amplifying the scale and impact of attacks, they can also help to bolster cyber defence when properly implemented, “providing the ability to identify and respond to threats in real time and help to identify vulnerabilities before they become problematic”.
Closing the protection gap
Cronin says Munich Re is working with its partners to close the cyber protection gap through providing bespoke co-created risk solutions and sharing its industry knowledge to raise overall risk awareness, while highlighting the importance of cyber insurance as part of a broader resilience strategy.
“As cyber risks evolve, we continue to work with our insurance partners to address underwriting complexity, accumulation risk and breach response, providing cyber capacity and underwriting expertise,” she says.
“We are also leveraging advanced threat intelligence and analytics to stay ahead of increasingly sophisticated attacks, including ransomware, supply chain vulnerabilities, and AI-driven threats. These findings will be used to further refine our accumulation models.”
Aon is also working with companies to build more tailored insurance coverage based on their specific risk capital needs. This involves defining various AI use cases across their companies and deploying analytics to model the potential
Looking ahead, Peckman expects insurers to adopt more dynamic underwriting models that incorporate real-time risk signals and continuous monitoring.
“This will enable more responsive, data-informed coverage that evolves alongside the threat landscape, ultimately supporting a more resilient and insurable digital ecosystem in the region.”