Podcast 23 mins
Intro:
Hello and welcome to another episode of On Aon. This week we look at a topic that's been voted the top risk in Aon's Global Risk Management Survey for the last six years — Cyber. As AI gives ransomware attackers an edge and regulation and fines get tougher, there's never been a better time to discuss the issues facing businesses and what they can do. Here are Aon's Pablo Constenla and A&O Shearman's Charlie Weston-Simons to pick up the topic.
Pablo Constenla:
My name is Pablo Constenla, Head of Cyber and Financial Lines Coverage and Claims, EMEA. Today, we are discussing a topic that's rapidly evolving as the cyber risk landscape shifts in real time and regulatory scrutiny increases.
First, we see AI reshaping cyber risk with automated attacks and tools like Claude Mythos accelerating both threat and response.
At the same time, regulation is moving just as fast with NIS2, DORA, the Collective Actions Directive, and increased enforcement across Europe.
So what does this mean for organizations and crucially for insurability of cyber risk, including fines?
Around this topic, Aon partnered with A&O Shearman, one of the leading global law firms, on the publication of the Cyber Fines Report. And today I have the pleasure of being joined by Charlie Weston-Simons, partner at A&O Shearman, to unpack this. Charlie, great to have you with us today.
Charlie Weston-Simons:
Thanks for having me, Pablo. It's great to be here.
Pablo Constenla:
Charlie, AI is dominating conversations right now. How is it actually changing the cyber risk and insurance landscape?
Charlie Weston-Simons:
Let's take cyber risk first. And I think if you wind the clock back 12 to 24 months, the general commentary on the impact of AI would have been that it's prompting more sophisticated social engineering, high-quality deep fakes and, overall, it was slowly improving the capabilities of less skilled adversaries, but it wasn't making the most sophisticated adversaries materially better.
And at that time, the message to defenders was that they needed to incorporate AI-enabled tools to keep pace with attackers. But we weren't seeing game-changing things like effective malicious code being written using LLMs or automated attack paths.
Now scroll forward to April this year and Anthropic shocked the world when it announced the capabilities of its Mythos model.
And those capabilities included the ability to identify undiscovered critical vulnerabilities at a pace and scale that no one had ever seen before and the ability to carry out very complex exploits in an automated way.
So now, as a result, frontier AI is central to pretty much every conversation that we're having about cyber risk. And I'm sure most of your conversations too, Pablo. But I think it's worth stressing that at least I feel that we're still at a watershed moment where frontier AI capabilities are not yet available to adversaries. And governments, regulators, the private sector are all working on how we are going to defend against these new and incredibly sophisticated risks. So with all of that in mind, I think from a legal and insurance perspective, the key issue becomes how do you manage a risk that is evolving faster than regulation and controls can adapt. And at this point, I'm going to pass the question back to you, Pablo, because you're infinitely more qualified than me to cover the challenges of insuring cyber risk in a climate of transformational change.
Pablo Constenla:
Great, thanks Charlie. We also highlight this in the report: there is increasing uncertainty in how risk is quantified, which ultimately fits into insurance coverage decisions.
In order to assist clients globally, Aon, as other companies, has a proven data-driven analytical framework to quantify both first- and third-party cyber scenarios. These tools have been employed by global companies to stress test existing insurance and captive strategies, and implement a more integrated approach to cyber risk financing and transfer.
This approach involves three main activities: scenario analysis, financial modeling, and stress testing. Just by way of example, Aon's Cyber Risk Analyzer is a powerful broker-led tool for quantifying cyber risk and optimizing cyber insurance programs for our clients and prospects. It integrates Aon's customized proprietary simulation modeling and cyber quotation analytics to deliver the insights needed for data-driven decisions and resilient cyber risk management.
And actually, one thing that stood out after we released the report on insurability was the level of follow-up questions on NIS2 implementation — particularly how it differs across jurisdictions.
From your ongoing experience, Charlie, with clients, where is this becoming most challenging?
Charlie Weston-Simons:
In the last 12 months, we have been advising a lot of clients on their NIS2 implementation strategy. And I think it's worth pausing before we get into the question to think about what some of the thinking is behind NIS2. And a key aspect of that was that we had an original NIS directive, but it was felt that it had been implemented across Europe in quite a patchy, inconsistent way.
NIS2 was an updating of that original NIS directive. It was an updating and an expansion to enhance European resilience, but it still has to be transposed at national level.
It doesn't apply in the same way as the GDPR, for example, which just applies across Europe without the need for national implementation. And the transposition process has happened at different speeds with some countries transposing quickly, others leaving it late, and in different ways. And as a result, despite the best intentions of NIS2, you've ended up with inconsistencies across Europe.
And I think in particular, and this is something which a lot of our clients have been struggling with, there have been inconsistent interpretations on scope.
So if you are a large organization with operations across Europe and, because of the sectors that you operate in, you can't take advantage of the one-stop shop, you need to look at your position in every EU country where you operate and understand if you need to register and also the specific requirements of that jurisdiction. So it has given rise, I think, in our experience, to quite a significant compliance burden in order to ensure that your organization has done everything it needs to in each jurisdiction by the required deadline.
What we haven't got to yet, but I'm sure we will at some stage, is enforcement. And look, I think NIS2 is still really new. We haven't yet seen any enforcement, or at least none that I'm aware of. But look, I think it's inevitable that at some point we will have a major European cyber incident, an organization will be impacted in various jurisdictions, and we will start seeing some enforcement activity. But at the moment, I think it's too early to tell.
Pablo Constenla:
Sure, definitely we agree. And another area we highlight in the report, and one that is gaining real momentum, is collective actions, class actions around Europe. We are already seeing very large-scale proceedings being commenced in Europe. How significant is this trend, Charlie?
Charlie Weston-Simons:
It's very significant and it's something that a lot of clients that we work with are concerned about. So I did this previously when we were discussing the impact of Frontier AI, but I think it is helpful to cast your mind back to where we were a few years ago when actually in terms of the European position, I think the UK was the problem child because it was felt that representative actions might be possible in England and Wales and we had a lot of claims materializing after mass data breaches. We then had a very important Supreme Court decision in 2021, which calmed everything down because it made clear that for mass data breach claims, the only option was to have an opt-in procedure.
And that more or less brought us into line with Europe. And certainly as far as the UK is concerned, that's where we remain. Now the new collective actions regime in Europe is still in its early stages, but the possibility that consumer bodies can be authorized to bring these representative proceedings in European countries is a really important new development. And part of the reason why it's so significant is that under GDPR, data subjects have the right to bring a claim for non-material damage.
But the amount of those claims is pretty low. And by low, we're talking in the hundreds of euros, that sort of thing. It's not really economic to bring these claims through the courts. And this new directive that has now been implemented gives that opportunity to bring a claim on behalf of an affected class. And as we know, Pablo, where you have a major cyber incident, where you have a lot of personal data impacted, you can be talking about thousands, millions of individuals.
And although these individual claims may not be worth very much, once you're talking about those sorts of numbers, then they are very significant claims indeed. At the time of recording this podcast, I don't think we have any examples of those claims being brought through, concluded, so we don't yet have any precedents for these new representative claims being brought in the EU.
But as with anything in this space, we've just got to see where it goes because so much is changing at the moment.
Pablo Constenla:
Definitely, and this is where insurance expectations do not always match the full extent of risk — particularly when multiple exposures arise from the same incident. And the real challenge isn't just managing cyber risk, it's connecting the dots across legal, risk and insurance when a collective action is faced. We believe that actually more awareness, expertise, and collaboration around class actions is crucial for successful settlements. U.S. class actions against European companies have increased in the last five years. We've gained that experience and we definitely need to keep bringing that knowledge to Europe and that enhanced collaboration across the different experts. Going to another topic, when incidents do happen, response becomes critical.
Charlie, A&O Shearman has been increasingly active in cyber incident response. What do you think are the key challenges for business leaders right now?
Charlie Weston-Simons:
I think we have in the last 12 months in particular, but going way back, seen examples of major cyber incidents with very significant financial consequences. And I think now there is a real appreciation that these incidents can be existential crises for our biggest companies.
If you find yourself in that sort of incident response context where, let's say for example, it's a ransomware incident and a large part of your IT environment is locked up, it is a very pure crisis management scenario where you are dealing with incomplete information and you are having to take a lot of decisions very quickly. It touches everything. You need to focus on your recovery. You need to focus on your legal obligations. You need to think about your communications. And, of course, you have to make sure that your insurance responds. You need to cover all of these different work streams. And for business leaders, it has to be a priority to ensure that everybody understands what the company's strategies are going to be in that situation, that incidents have been practiced for, and that everyone understands what their role will be. And we see a real difference between those organizations that have prepared for these true crisis scenarios and those which haven't.
Look, I think until relatively recently, preparing for cyber incidents at a decision-making level was seen as being perhaps enough to do an annual exercise which everyone could take part in. It would all go very well and then you'd come back again in a year's time to refresh and dust it off. But to be truly resilient, and I think that has got to be the focus now, organizations really need to promote the management of cyber risk, and in particular incident response.
And that is a big theme of what public bodies are announcing across Europe and in the UK as well. It's got to be such a big focus now.
Pablo Constenla:
And actually cyber fines are definitely increasing, they're complex, and they are often only partially insurable. If there is one thing listeners should take away, Charlie, what do you think it would be?
Charlie Weston-Simons:
That’s a really good question, Pablo. And the easy answer to that question would be to read our fantastic joint report on the insurability of cyber fines and recognize that it is a very inconsistent position, I think, across the jurisdictions that we covered in the report in terms of whether fines are insurable.
And as a result, you can't necessarily rely on your insurance to pick up any fine that you may incur following a cyber incident. I say necessarily because there are a lot of jurisdictions clearly where the position is at least arguable.
That's the easy answer.
But I think the better answer to that is that cyber fines, and whether you can cover them under an insurance policy, are only a very small part of the overall cyber resilience picture. And yes, it is absolutely vitally important that you have a really good cyber insurance policy that covers all of the things that it should do.
And it's there when you need it.
Pablo Constenla:
Definitely.
Charlie Weston-Simons:
But organizations should also focus on, frankly, never having to be in a position where they have to claim under their cyber insurance policy. It is just one part of your risk mitigation strategy, alongside investing in your cyber resilience: not only ensuring that you have the best technical controls that you can get, but also making sure that there is a real cyber risk culture within your organization. That's so important.
And I think it comes through if you look at all these regulations that we now have across Europe, which are coming into force pretty soon, in that, yes, they provide for enforcement, they provide for fines, but actually, within all of these regulations, there are positive obligations that organizations are to comply with. They need to have effective, appropriate technical and organizational measures. If you are a financial services organization, it's likely you'll be regulated by DORA, in which case there is an encyclopedia of controls that you're supposed to have. And this may feel like quite a compliance burden, but actually, it's coming from a good place, which is that we all need to be more resilient. And to bring it back to Frontier AI, we may be standing on the edge of this new age of cyber risk.
And so that need is now even more important than it ever was.
Pablo Constenla:
Definitely. And Charlie, as we think ahead, in your opinion, what do organizations and business leaders expect in the cyber world in the coming months and years?
Charlie Weston-Simons:
I'm going to repeat myself again: cyber risk is at least very high on every organization's risk register now. And Frontier AI is now bringing that really into focus. So I think first of all, organizations and business leaders, to the extent they are not already, really need to understand the risks posed by Frontier AI and get advice on how they can stay resilient with the new risks that are coming our way.
I think on the regulatory side, there are a number of significant regulations which are now enforced. There are more coming.
And certainly in the UK, we are going to have at some point soon the Cybersecurity and Resilience Act, which broadly speaking is our version of NIS2. Again, that is a very significant piece of cyber resilience legislation. But these regulations are new. There may be new regulations and laws being cooked up to deal with new emerging threats, and organizations and business leaders need to keep their eye on the ball there and make sure that their organizations are at least compliant.
And it's a heavy burden, but broadly speaking if organizations are doing all the sort of good stuff that they should be doing to protect themselves then they ought to be compliant.
I think the other thing that I would flag is that, given all of these new regulations, we should expect to see in the next few years greater scrutiny by regulators. And that will be a combination of upfront auditing of compliance with these new regulations. But post-incident, we may also see more enforcement.
And as our report shows, there are new tools that regulators have at their disposal to enforce. It's not just about financial remedies. There are non-financial sanctions that can be brought to bear as well. One of the things that I think has really caught the attention of a lot of our clients is that under NIS2 there is personal management liability for managers of organizations to the extent that they are not compliant with NIS2. That personal liability has, again, made a number of boards, I think, sit up and take note of their obligations.
And look, I think finally, to bring us back to a claims point that we've just discussed, it's possible that we'll be seeing some of the very large consumer claims brought under the new regulation that we've got. So watch this space.
Pablo Constenla:
Okay, definitely I agree, Charlie. Definitely the cyber risk landscape is becoming even more dynamic and interconnected. The insurability of cyber fines remains a very uncertain and jurisdiction-specific issue. It's clear that organizations need to take very practical action to stay ahead of regulatory developments.
And understanding both the legal implications and the insurance constraints is essential.
If you would like to explore these topics further, you can download our joint report on the insurability of cyber fines. Thank you, Charlie, for the great discussion and thank you for listening.
Outro:
Thanks for tuning in to the latest episode of On Aon. If you've enjoyed this episode, don't forget to subscribe wherever you get your podcasts and be sure to visit Aon.com to learn more about Aon.
We'll be back next week with another episode, our Human Capital Insight, when we'll be talking about AI in the workforce.