Emerging risks | Growth Opportunities | APAC Insurance

Monday, July 13, 2026

Insight by…

Insight by type

Cyber risk and regulatory demands drive resilience focus for Asia Pacific insurers

CROs are prioritising operational resilience as they adapt to shifting threats and new oversight standards, according to a new EY-IIF survey.
Cyber risk and regulatory demands drive resilience focus for asia pacific insurers  rein asia
June 5, 2025

 • 

4 min read
The Inaugural Recognising excellence in Asia's insurance industry Find out more Entries close
28 August

(Re)in Summary

• Cyber risk remains a top concern for 72% of APAC CROs, driven by rising geopolitical tensions.
Operational resilience is now central to risk strategy, with a focus on business continuity, adaptability and shock absorption.
New regulations, including Australia’s CPS 230 and IAIS standards, are redefining resilience standards but could strain third-party partnerships.
CROs are embedding resilience across business units while competing for scarce cyber and tech talent.

A new EY-IIF survey of Chief Risk Officers (CROs) reveals resilience is becoming the strategic cornerstone of risk management for insurers in Asia Pacific, driven by systemic risk concerns, economic volatility and regulatory demands.

“Operational resilience is a focal point because of its close links to cyber, technology, third-party and regulatory risk,” the report, published on May 20, notes. “Indeed, increased operational resilience can be seen as a target outcome — a key goal in setting strategies and tactics to manage many other types of risks.”

Cybersecurity has remained the leading concern for Asia-Pacific insurers since 2020, with 75% of chief risk officers in the latest survey identifying it as their top risk for 2025. Globally, 66% of CROs say it requires the most attention over the next 12 months, up from 53% last year.

The sustained prominence of cyber concerns is being driven by geopolitical tensions, with 62% of Asia-Pacific CROs considering geopolitical risk one of the most pressing threats over the next three years. “Geopolitical worries largely manifest as heightened concerns about even greater cyber threats and a worsening of macroeconomic conditions,” the report warns.

In response, CROs are stepping up cybersecurity (58%), enhancing political risk modelling (44%), and diversifying investments (42%).

Growing attention to their own firms’ cybersecurity mirrors the evolving risks cyber insurers are underwriting across Asia, as insurers respond to rising threats, including an expansion of cyber property damage cover and tightening manufacturing cyber risk assessments. However, while the cyber insurance market continues to grow, increased competition—including from London—saw cyber insurance rates drop 8% during Q1 2025, according to global brokers Marsh.

Boards, regulators fuel resilience push

Boards and regulators are also reinforcing the shift toward resilience. Insurers are now focusing on business continuity, adaptability and shock absorption.

“Given proliferating risks and increasingly volatile conditions, operational resilience has become a critical objective for more CROs in insurance,” the report notes. “In our market engagements and at industry events, we see that the importance of operational resilience is increasingly viewed in terms of maintaining the ability to support customers and minimise the financial impacts of unexpected events.”

46% of Asia-Pacific CROs identified governance and oversight as their top operational resilience enhancement area. Disaster recovery and crisis management, though still important, have been deprioritised as many insurers recently updated these systems.

“But there is opportunity — and indeed a need — for CROs to push their teams to build on these baseline capabilities,” the report notes.

Regulation is playing a pivotal role. For instance, Australia’s Prudential Standard CPS 230, effective from July 2025, and the Operational Resilience Objectives of the International Association of Insurance Supervisors (IAIS) are expected to reshape risk mandates.

However, some CROs flagged concerns that placing liability for third-party failures on insurers could hinder valuable partnerships.

“Some rules that make insurers responsible for third-party vulnerabilities may discourage carriers from seeking external partnerships that would shore up their protections or promote business continuity,” the report notes.

Embedding resilience, building talent

CROs are now incorporating operational resilience into risk appetite frameworks through qualitative measures such as service continuity and incident response times. The survey found that 67% of CROs already include resilience using non-financial metrics; only 5% don’t address it at all.

“We have seen growing interest in principle-based approaches to operational resilience,” the report notes. “Firms are working to develop frameworks, including formal definitions and rankings of critical services based on customer impacts. They are also mapping processes to services and defining specific impact tolerances.”

This approach elevates CROs’ roles, positioning them as strategic partners responsible for embedding resilience across all business units, from IT and compliance to operations and customer-facing teams.

At the same time, the shift demands new talent strategies. CROs say strong cyber capabilities, threat detection, incident response and recovery are foundational to building resilience. However, there’s a growing shortage of skilled professionals.

“There is a lot more focus on people who can use the technology. The combination of human capital and technology is a big driver of the value,” said one of the CROs surveyed.

The Inaugural Recognising excellence in Asia's insurance industry Find out more Entries close
28 August