AI Missteps and Vendor Gaps Fuel Cyber Risks Across Sectors, Moody’s Finds

Moody’s 2025 Cyber Survey reveals alarming cybersecurity shortfalls across nearly 2,000 organizations globally, with direct implications for risk management and insurance claims handling. Notably, 22% of surveyed organizations lack any governance policies for artificial intelligence tools, despite widespread use of public AI platforms like ChatGPT and Gemini. This leaves companies vulnerable to data breaches, regulatory violations, and reputational damage—events that inevitably generate claims.

From a claims perspective, the survey’s findings highlight critical areas of exposure: third-party software and open-source code remain weak points, with many organizations unaware of where such software is embedded in their systems. Only 41% maintain programs to track open-source usage, despite its near-universal presence in corporate IT environments. These vulnerabilities increase the likelihood of supply chain attacks, a growing concern for insurers and adjusters dealing with cyber liability and business interruption claims.

Local governments and healthcare-related sectors stand out as particularly underprepared, with less than half implementing basic cyber hygiene practices. Moreover, a concerning 22% of respondents don’t scan their backup data for malware, reducing recovery effectiveness after ransomware events—a key detail when adjusting claims related to data loss and operational downtime.

While fears of AI replacing cybersecurity jobs persist, Moody’s data suggests otherwise: 40% of organizations plan to grow their cyber teams. However, the shift in cyber leadership reporting—more CISOs now report to CEOs and CFOs—could influence how cyber risks are documented, valued, and responded to during claims investigations.

For claims professionals, these trends mean increased scrutiny of organizational risk practices, particularly during post-breach evaluations. Understanding which industries lag in cyber governance can help adjusters anticipate coverage disputes, assess negligence, and contextualize losses within broader systemic gaps.