On Aon

Navigating Cyber Risk, Regulation and the Reality of Fines

Episode Notes

On Aon — Episode 116

Title: Navigating Cyber Risk, Regulation and the Reality of Fines

In this Risk Capital Insight episode of the On Aon podcast, Pablo Constenla, head of coverage and claims for cyber and financial lines in EMEA for Aon, is joined by Charlie Weston-Simons, partner at A&O Shearman, to examine how leaders can stay ahead as cyber risk, regulation and financial exposure converge.

As artificial intelligence accelerates the scale and sophistication of attacks and regulators expand enforcement, the discussion focuses on what it takes to translate uncertainty into action — from quantifying cyber-related fines to understanding where insurance comes into play. Drawing on Aon’s Cyber Fines Report and frontline experience across incidents and investigations, the episode highlights how organizations can align legal, risk and insurance strategies to make more confident decisions and strengthen resilience at pace.

Key Takeaways:

  1. AI is reshaping threat dynamics, requiring leaders to move beyond awareness and invest in quantification, scenario planning and faster response to stay ahead of evolving risks.
  2. Anticipate regulatory impact and act before enforcement does. Globally regulators are increasing scrutiny and doubling down on fines and potential leadership accountability, elevating the need for cross-border risk strategies.
  3. Cyber insurance plays an important role but is only one part of a broader resilience strategy, as organizations must prioritize preparation, response and a strong cyber risk culture to navigate increasingly complex exposures.

Experts in this episode:

Pablo Constenla, head of coverage and claims for cyber and financial lines in EMEA, Aon

Charlie Weston-Simons, partner, A&O Shearman

Key Resources:

The Insurability of Cyber Fines

Key Moments:

(01:40) How AI is reshaping cyber risk, from enhanced social engineering to the emergence of automated attacks and new vulnerabilities

(05:30) The growing complexity of regulation, including NIS2 implementation challenges and inconsistencies across jurisdictions

(12:10) Why cyber incidents are now viewed as existential crises and how organizations should rethink incident response and resilience

Soundbites:

Pablo Constenla:

“And the real challenge isn't just managing cyber risk, it's connecting the dots across legal, risk and insurance when a collective action is faced.”

Charlie Weston-Simons:

“I think from a legal and insurance perspective, the key issue becomes how do you manage a risk that is evolving faster than regulation and controls can adapt.”

Episode Transcription

Intro

Hello and welcome to another episode of On Aon. This week we look at a topic that's been voted the top risk in Aon's Global Risk Management Survey for the last six years — Cyber. As AI gives ransomware attackers an edge and regulation and fines get tougher, there's never been a better time to discuss the issues facing businesses and what they can do. Here are Aon's Pablo Constenla and A&O Shearman's Charlie Weston-Simons to pick up the topic.

Pablo Constenla

My name is Pablo Constenla, Head of Cyber and Financial Lines Coverage and Claims, EMEA. Today, we are discussing a topic that's rapidly evolving as the cyber risk landscape shifts in real time and regulatory scrutiny increases.

First, we see AI reshaping cyber risk with automated attacks and tools like Claude Mythos accelerating both threat and response.

At the same time, regulation is moving just as fast with NIS2, DORA, the Collective Actions Directive, and increased enforcement across Europe.

So what does this mean for organizations and crucially for insurability of cyber risk, including fines?

Around this topic, Aon partnered with A&O Shearman, one of the global leading law firms on the publication of the Cyber Fines Report. And today I have the pleasure of being joined by Charlie Weston-Simons, partner at A&O Shearman to unpack this. Charlie, great to have you with us today.

Charlie Weston-Simons

Thanks for having me, Pablo. It's great to be here.

Pablo Constenla

Charlie, AI is dominating conversations right now. How is it actually changing the cyber risk and insurance landscape?

Charlie Weston-Simons

Let's take cyber risk first. And I think if you wind the clock back 12 to 24 months, the general commentary on the impact of AI would have been that it's prompting more sophisticated social engineering, high-quality deep fakes and, overall, it was slowly improving the capabilities of less skilled adversaries, but it wasn't making the most sophisticated adversaries materially better.

And at that time, the message to defenders was that they needed to incorporate AI-enabled tools to keep pace with attackers. But we weren't seeing game-changing things like effective malicious code being written using LLMs or automated attack paths.

Now scroll forward to April this year and Anthropic shocked the world when it announced the capabilities of its Mythos model.

And those capabilities included to identify undiscovered critical vulnerabilities at a pace and scale that no one had ever seen before and the ability to carry out very complex exploits in an automated way.

So now, as a result, frontier AI is central to pretty much every conversation that we're having about cyber risk. And I'm sure most of your conversations too, Pablo. But I think it's worth stressing that at least I feel that we're still at a watershed moment where frontier AI capabilities are not yet available to adversaries. And governments, regulators, the private sector are all working on how we are going to defend against these new and incredibly sophisticated risks. So with all of that in mind, I think from a legal and insurance perspective, the key issue becomes how do you manage a risk that is evolving faster than regulation and controls can adapt. And at this point, I'm going to pass the question back to you, Pablo, because you're infinitely more qualified than me to cover the challenges of insuring cyber risk in a climate of transformational change.

Pablo Constenla

Great, thanks Charlie. We also highlight this in the report and it's that there is increasing uncertainty in how risk is quantified, which ultimately fits into insurance coverage decisions.

In order to assist clients globally, Aon, as other companies, has a proven data-driven analytical framework to quantify both first- and third-party cyber scenarios. These tools have been employed by global companies to stress test existing insurance and captive strategies, and implement a more integrated approach to cyber risk financing and transfer.

This approach involves three main activities: scenario analysis, financial modeling, and stress testing. Just by way of example, Aon’s Cyber Risk Analyzer is a powerful broker-led tool for quantifying cyber risk and optimizing cyber insurance programs for our clients and prospects. It integrates Aon's customized proprietary simulation modeling and cyber quotation analytics to deliver the insights needed for data-driven decisions and resilient cyber risk management.

And actually, one thing that stood out after we released the report on insurability was the level of follow-up questions on implementation needs — particularly how it differs across jurisdictions.

From your ongoing experience, Charlie, with clients, where is this becoming most challenging?

Charlie Weston-Simons

In the last 12 months, we have been advising a lot of clients on their NIS2 implementation strategy. And I think it's worth pausing before we get into the question to think about what some of the thinking is behind NIS2. And a key aspect of that was that we had an original NIS directive, but it was felt that it had been implemented across Europe in quite a patchy, inconsistent way.

NIS2 was an updating of that original NIS directive. It was an updating and an expansion to enhance European resilience, but it still has to be transposed at national level.

It doesn't apply in the same way as the GDPR, for example, which just applies across Europe without the need for national implementation. And the transposition process has happened at different speeds with some countries transposing quickly, others leaving it late, and in different ways. And as a result, despite the best intentions of NIS2, you've ended up with inconsistencies across Europe.

And I think in particular, and this is something which a lot of our clients have been struggling with, there have been inconsistent interpretations on scope.

So if you are a large organization with operations across Europe and, because of the sectors that you operate in, you can't take advantage of the one-stop shop. You need to look at your position in every EU country where you operate and understand if you need to register and also the specific requirements of that jurisdiction. So, it has given rise, I think, in our experience to quite a significant compliance burden in order to ensure that your organization has done everything it needs to in each jurisdiction by the required deadline.

What we haven't got to yet, but I'm sure we will at some stage, is enforcement. And look, I think NIS2 is still really new. We haven't yet seen any enforcement, or at least none that I'm aware of. But look, I think it's inevitable that at some point, we will have a major European cyber incident and an organisation will be impacted in various jurisdictions and we will start seeing some enforcement activity. But at the moment, I think it's too early to tell.

Pablo Constenla

Sure, definitely we agree. And another area we highlight in the report, and one that is gaining real momentum, is collective actions, class actions around Europe. We are already seeing very large-scale proceedings being started, commenced in Europe. How significant is this trend, Charlie?

Charlie Weston-Simons

It's very significant and it's something that a lot of clients that we work with are concerned about. So I did this previously when we were discussing the impact of Frontier AI, but I think it is helpful to cast your mind back to where we were a few years ago when actually in terms of the European position, I think the UK was the problem child because it was felt that representative actions might be possible in England and Wales and we had a lot of claims materializing after mass data breaches. We then had a very important Supreme Court decision in 2021, which calmed everything down because it made clear that for mass data breach claims, the only option was to have an opt-in procedure.

And that more or less brought us into line with Europe. And certainly as far as the UK is concerned, that's where we remain. Now the new collective actions regime in Europe is still in its early stages, but the possibility that consumer bodies can be authorized to bring these representative proceedings in European countries is a really important new development. And just part of the reason why it's so significant is that under GDPR, data subjects have the right to bring a claim for non-material damage.

But the amount of those claims is pretty low. And by low, we're talking in the hundreds of euros, that sort of thing. It's not really economic to bring these claims through the courts. And this new directive that has now been implemented gives that opportunity to bring a claim on behalf of an affected class. And as we know, Pablo, where you have a major cyber incident, where you have a lot of personal data impacted, you can be talking about thousands, millions of individuals.

And although these individual claims may not be worth very much, once you're talking about those sorts of numbers, then they are very significant claims indeed. At the time of recording this podcast, I don't think we have any examples of those claims being brought through, concluded, so we don't yet have any precedents for these new representative claims being brought in the EU.

But as with anything in this space, we've just got to see where it goes because so much is changing at the moment.

Pablo Constenla

Definitely, and this is where insurance expectations do not always match the full extent of risk — particularly when multiple exposures arise from the same incident. And the real challenge isn't just managing cyber risk, it's connecting the dots across legal, risk and insurance when a collective action is faced. We believe that actually more awareness, expertise, and collaboration around class actions is crucial for successful settlements. U.S. class actions against European companies have increased in the last five years. We've gained that experience and we definitely need to keep bringing that knowledge to Europe and that enhanced collaboration across the different experts. Going to another topic, when incidents do happen, response becomes critical.

Charlie, A&O Shearman has been increasingly active in cyber incident response. What do you think are the key challenges for business leaders right now?

Charlie Weston-Simons

I think we have in the last 12 months in particular, but going way back, seen examples of major cyber incidents with very significant financial consequences. And I think now there is a real appreciation that these incidents can be existential crises for our biggest companies.

If you find yourself in that sort of incident response context where, let's say for example, it's a ransomware incident and a large part of your IT environment is locked up, it is a very pure crisis management scenario where you are dealing with incomplete information and you are having to take a lot of decisions very quickly. It touches everything. You need to focus on your recovery. You need to focus on your legal obligations. You need to think about your communications. And, of course, you have to make sure that your insurance responds. You need to cover all of these different work streams. And for business leaders, it has to be a priority to ensure that everybody understands what the and the company’s strategies are going to be in that situation. That incidents have been practiced for, that everyone understands what their role will be. And we see a real difference between those organizations that have prepared for these true crisis scenarios and those which haven't.

Look, I think until relatively recently, preparing for cyber incidents at a decision-making level was seen as being perhaps enough to do an annual exercise which everyone could take part in. It would all go very well and then you'd come back again in a year’s time to refresh and dust it off. But to be truly resilient, and I think that has got to be the focus now, organizations really need to promote the management of cyber risk, but in particular, incident response.

And that is a big theme of what public bodies are announcing across Europe and in the UK as well. It's got to be such a big focus now.

Pablo Constenla

And actually cyber fines are definitely increasing, they're complex, and they are often only partially insurable. If there is one thing listeners should take away, Charlie, what do you think it would be?

Charlie Weston-Simons

That’s a really good question, Pablo. And the easy answer to that question would be to read our fantastic joint report on the insurability of cyber fines and recognize that it is a very inconsistent position, I think, across the jurisdictions that we covered in the report in terms of whether fines are insurable.

And as a result, you can't necessarily rely on your insurance to pick up any fine that you may incur following a cyber incident. I say necessarily because there are a lot of jurisdictions clearly where the position is at least arguable.

That's the easy answer.

But I think the better answer to that is that cyber fines and whether you can cover them under insurance policy is only a very small part of the overall cyber resilience picture. And yes, it is absolutely vitally important that you have a really good cyber insurance policy that covers all of the things that it should do.

And it's there when you need it.

Pablo Constenla

Definitely.

Charlie Weston-Simons

But organizations should also focus on frankly, never having to be in a position where they have to claim under their cyber insurance policy. It is just one part of your risk mitigation strategy and investing in your cyber resilience, not only in ensuring that you have the best technical controls that you can get, but also making sure that there is a real cyber risk culture within your organization. That's so important.

And I think it comes through if you look at all these regulations that we now have across Europe, which are coming into force pretty soon in that, yes, they provide for enforcement, they provide for fines but actually, within all of these regulations, there are positive obligations that organizations are to comply with. They need to have effective, appropriate, technical organizational measures. If you are a financial services organization, it's likely you'll be regulated by DORA, in which case there is an encyclopedia of controls that you're supposed to have. And this may feel like quite a compliance burden, but actually, it's coming from a good place, which is that we all need to be more resilient and, to bring it back to Frontier AI, we may be standing on the edge of this new age of cyber risk.

And so that need is now even more important than it ever was.

Pablo Constenla

Definitely. And Charlie, as we think ahead, in your opinion, what do organizations and business leaders expect in the cyber world in the coming months and years?

Charlie Weston-Simons

I'm going to repeat myself again, that cyber risk is at least very high on every organization's risk register now. And Frontier AI is now bringing that really into focus. So I think first of all, organizations and business leaders, to the extent they are not already, really need to understand the risks posed by Frontier AI and get advice on how they can stay resilient with the new risks that are coming our way.

I think on the regulatory side, there are a number of significant regulations which are now enforced. There are more coming.

And certainly in the UK, we are going to have at some point soon the Cybersecurity and Resilience Act, which broadly speaking is our version of NIS2. Again, that is a very significant piece of cyber resilience legislation. But these regulations are new. There may be new regulations, laws being cooked up to deal with new emerging threats, and so organizations or business leaders need to keep their eye on the ball there and make sure that their organizations are at least compliant.

And it's a heavy burden, but broadly speaking if organizations are doing all the sort of good stuff that they should be doing to protect themselves then they ought to be compliant.

I think the other thing that I would flag is that, given all of these new regulations, we should expect to see in the next few years greater scrutiny by regulators. And that will be a combination of upfront auditing of compliance with these new regulations. But post-incident, we may also see more enforcement.

And as our report shows, there are new tools that regulators have at their disposal to enforce. It's not just about financial remedies. There are non-financial sanctions that can be brought to bear as well. One of the things that I think has really caught the attention of a lot of our clients is that under NIS2, there is personal management liability for managers of organizations to the extent that they are not compliant with NIS2. That personal liability has, again, made a number of boards, I think, sit up and take note of their obligations.

And look, I think finally, to bring us back to a claims point that we've just discussed, it's possible that we'll be seeing some of the very large consumer claims brought under the new regulation that we've got. So watch this space.

Pablo Constenla

Okay, definitely I agree, Charlie. Definitely the cyber risk landscape is becoming even more dynamic and interconnected. The insurability of cyber fines remains a very uncertain and jurisdiction-specific issue. It's clear that organizations need to take very practical action to stay ahead of regulatory developments.

And that understanding, both the legal implications and insurance constraints, is essential.

If you would like to explore these topics further, you can download our joint report on the insurability of cyber fines. Thank you, Charlie, for the great discussion and thank you for listening.

Outro

Thanks for tuning in to the latest episode of On Aon. If you've enjoyed this episode, don't forget to subscribe wherever you get your podcasts and be sure to visit Aon.com to learn more about Aon.

We'll be back next week with another episode, our Human Capital Insight, when we'll be talking about AI in the workforce.