The Growing AI Cyber Security Threat: Time for Business Leaders to Act

May 29, 2026

In April 2026, the UK government issued an open letter to businesses warning that AI can find, exploit and scale vulnerabilities at unprecedented speed. This client alert explains what it means for leaders and outlines five practical actions to strengthen cyber resilience and response.

With “AI cyber capabilities…accelerating even faster than had been previously envisaged”, the government emphasised that AI is now capable of “finding weaknesses in software, writing the code to exploit them and doing so at a speed and scale that would have been impossible even a year ago.”¹

What steps should your business take to mitigate the AI cyber security threat? This Aon Client Alert summarises what the government’s open letter means for businesses and sets out five practical actions leaders can take to protect their organisations. 

Every Business is a Potential AI Attack Target

Aon’s Global Risk Management Survey found that cyber attacks and data breaches remain the top enterprise risk through 2026, with this trend expected to continue well into 2028.² For every UK business, the threat from malicious use of AI laid out by the government is clear: Cyber criminals will use AI to “target ordinary companies, of every size, in every sector. Attackers go where defences are weakest.” And the criminals are being richly rewarded. According to recent analysis from CrowdStrike, AI-crafted phishing emails – the method of choice for many ransomware attacks – have shown click-through rates of around 54%, compared with approximately 12% for traditional attacks.³

AI is Multiplying Known Cyber Risks

AI is multiplying known cyber risks by automating reconnaissance, generating highly tailored phishing and social engineering campaigns, and attacking systems at scale. Capabilities that were once limited to a smaller number of well-resourced threat actors are becoming more accessible, enabling less sophisticated attackers to launch complex campaigns.

Is Your Business Prepared? 

Are businesses ready to counter the increasing cyber security threat posed by AI? According to Aon research, only a minority of organisations feel confident that their cyber strategy, controls and insurance are keeping pace with AI-enabled threats.⁴

Many businesses describe themselves as “somewhat prepared” at best, with fragmented governance and limited testing of AI-driven incident scenarios, while some organisations still see AI as a future issue, delaying the implementation of critical cyber risk management strategies. Only a relatively small proportion of UK businesses currently hold baseline cyber security certifications such as the UK’s Cyber Essentials, indicating that many have not yet embedded foundational controls, even as attackers gain AI-driven advantages.⁵

The recommended approach is to follow an “assume breach” methodology: organisations should assume initial access is inevitable (whether through social engineering or vulnerability exploitation) and build defences to limit the blast radius of a single compromised system. This remains one of the most important defensive measures in this “new era,” alongside expeditious patch management procedures.

Why the Government’s Open Letter Matters for Business Leaders

The government’s open letter urges businesses to double down on their cyber security approach, recognising that board-level cyber risk management has become essential as rapid advances in AI have accelerated cyber risk’s evolution into a strategic business challenge.⁶ Aon’s research underscores this urgency: While AI adoption is rising quickly, board-level oversight, enterprise-wide AI inventories and AI-specific testing of incident response remain underdeveloped.

Build Resilience With an AI/Cyber Security Action Plan

AI has not rewritten the fundamentals of cyber risk management but instead has rapidly increased the scale and likelihood of potential attacks, requiring business leaders to focus on core controls and actively stress-test them against AI-enabled scenarios. To build resilience and help prevent a damaging cyber attack, leaders need an action plan that will stress-test cyber defences against attacks and close significant governance, control and insurance gaps.

1. Get the Basics Right
  • Maintain robust hygiene across core IT assets, including timely patching and vulnerability remediation, and the decommissioning of end-of-life systems.
  • Provide regular, role-appropriate cyber awareness training for employees at all levels, focused on, but not limited to, phishing, social engineering and handling of sensitive data.
2. Re-Assess Cyber Resilience and Insurance 
  • Update cyber loss scenarios and stress tests to factor in the increased likelihood of, and potential severity from, attacks, including the impact on operations, reputation and regulatory exposure.
  • Assess whether existing cyber and related insurance policies (e.g. crime, D&O and technology E&O) appropriately respond to AI-related incidents, and identify where enhancements or additional limits may be needed.
  • Use sector comparators and survey data to understand how the organisation’s preparedness for AI-driven cyber threats compares with regional and industry peers.
3. Update Cyber Threat Modelling for AI
  • Ask security and risk teams to define realistic and relevant AI-enabled attack scenarios.
  • Link scenarios to specific controls and confirm which detection, prevention and response controls are in place, and where there are gaps. Prioritise quick wins such as the use of multi-factor authentication, privileged access controls and enhanced email/domain protection.
4. Strengthen Governance and Board Reporting
  • Confirm and document who is the accountable executive for cyber risk.
  • Define a simple AI risk dashboard covering all AI applications used; top AI-enabled threats; current controls; and key remediation actions with owners and timelines.
5. Test Incident and Crisis Response Plans 
  • Conduct tabletop exercises to validate cyber business continuity and incident response plans under AI-enabled attack scenarios, including rapid reporting, clear escalation paths and effective coordination with incident response, legal and insurance partners.
  • Use an AI-enabled phishing or deepfake scenario to test decision making, escalation paths and external communications (including with regulators, customers and the media).
  • Ensure incident response and crisis playbooks include guidance on validating identities and instructions when AI-generated content may be involved, and that legal and communications teams are aligned.

How Aon Can Help

Aon works with organisations across the UK to build AI-ready cyber resilience, helping clients to understand exposures, strengthen defences and make better, risk-informed decisions. 

  • Cyber business continuity: We help organisations identify critical functions, govern continuity strategies and plan for resilience against cyber threats. Through structured assessments, policy development, and scenario-based planning, we help clients set priorities and establish frameworks that maintain essential operations during disruption.
  • Cyber claims management: We help companies proactively prepare for, manage, and expedite cyber insurance claims in the immediate aftermath of an incident. Our approach accelerates claims resolution and supports financial recovery from cyber claims, minimising business interruption while strengthening insurer communication.
  • Cyber impact analysis: We deliver rigorous, data-driven assessments of key cyber risks by quantifying the potential financial impact of severe yet plausible scenarios. Using scenario modelling, financial analysis, and insurability reviews, we help organisations understand the materiality of their exposures and align coverage with actual risk.
  • Control assessment: We provide a comprehensive evaluation of an organisation’s cyber security posture, leveraging tools such as CyQu, NIS2 and Cyber Response Readiness alongside recognised frameworks. By benchmarking control maturity against regulatory standards and industry peers, we deliver actionable insights that highlight strengths, expose gaps, and prioritise improvements.
  • Incident response management: We equip senior leaders with the tools they need to respond to cyber incidents. By establishing governance structures, integrating response and communication plans, and conducting realistic tabletop exercises, executives can coordinate effectively across the business and reduce the uncertainty that follows a cyber attack.

Your Aon contact can provide additional details on any of the steps outlined above and help you tailor this approach to your organisation. Speak to an Aon broker to understand your policy wording around AI and cyber.

1 AI cyber threats: open letter to business leaders
2 Global Risk Management Survey, Aon
3 CrowdStrike 2025 Threat Hunting Report: AI Becomes a Weapon and a Target, CrowdStrike
4 2026 Risk Outlook: Insights from Aon’s Airmic Live Webinar
5 2026 Risk Outlook: Insights from Aon’s Airmic Live Webinar
6 Cyber 2026: Evolving Threats Demand Strategic Leadership, Aon

 

About Aon

Aon plc (NYSE: AON) exists to shape decisions for the better — to protect and enrich the lives of people around the world. Through actionable analytic insight, globally integrated Risk Capital and Human Capital expertise, and locally relevant solutions, our colleagues in over 120 countries provide clients with the clarity and confidence to make better risk and people decisions that help protect and grow their businesses.

Aon UK Limited is authorised and regulated by the Financial Conduct Authority. Aon UK Limited is registered in England and Wales. Registered number: 00210725. Registered Office: The Aon Centre, The Leadenhall Building, 122 Leadenhall Street, London EC3V 4AN. Tel: 020 7623 5500

The information contained herein and the statements expressed are of a general nature and are not intended to address the circumstances of any particular individual or entity. Although we endeavour to provide accurate and timely information and use sources that we consider to be reliable, there can be no guarantee that such information is accurate as of the date it is received or that it will continue to be accurate in the future. No one should act on such information without appropriate professional advice after a thorough examination of the particular situation.