234 CEO exits. $3 billion in wire fraud. Most backup systems have never been tested.


LION Specialty

Reading time: 5 minutes
šŸŽ§ Listening time: 6 minutes — prefer to listen? Flip reads this week's Brief here.


Boards got impatient with their CEOs. Attackers are more organized than they've ever been. And FI regulators are moving faster than I've seen in 20 years. Your underwriters are stressing about all three.

Lately I've felt like the cranky old insurance version of the get off my lawn guy.

Saying to anyone that will listen: "Insurance programs simply weren't built for this era."

This week we're breaking down the market's impact from 234 CEO departures, ransomware crews running literal customer service desks, and sublimits that were written when phishing was still a grammar problem. Twenty years of watching this market and the same gap keeps showing up at claim time: what the policy says and what the plan assumed are two different things.

Here's what made the cut this week:

  • Departures within 30 months of hire jumped 79% last year. That number lives on your D&O application, not just your board agenda.
  • Ransomware crews now offer customer discounts. Most firms have never confirmed their backups actually restore. One side of that fight has been practicing.
  • The FBI logged $3 billion in business email compromise losses last year. The social engineering sublimit on most programs hasn't moved since phishing was a different problem.

CEO exits hit a second straight record. Boards changed tempo.

Summary

Russell Reynolds Associates counted 234 chief executive departures across 13 major stock indices in 2025.

That is 16% above 2024 and 21% above the eight-year average. Second consecutive record. Average outgoing tenure dropped to 7.1 years from 7.4, against 8.3 in 2021.

Those are large public company figures.

Here is the number that travels: departures within 30 to 36 months of taking the job jumped 79% year over year. Eleven appointments did not last twelve months. A chief executive who leaves inside three years is not a tenure statistic.

It is a failed hire.

The process that selected them failed, and the board owns that process. Former Cargill CEO Dave MacLennan, now a director on several boards, told Deloitte that succession is an evergreen topic, that the dialogue can change from meeting to meeting. For D&O underwriters, that cadence matters: a board actively managing succession reads differently than one reviewing it annually.

(sources: Russell Reynolds Associates, Global CEO Turnover Index 2025; Deloitte, "CEO Succession and Human Capital Risk: What Boards Expect")

So what?

A board with less patience for slow results also has less patience for a thin succession file.

The index tracks the world's largest public companies, but the oversight expectation carries. Mutual boards and their examiners ask the same question. Deloitte Private surveyed 300 executives at family businesses with $100 million to $1 billion in revenue, organizations with closely held structures, thin benches, and boards where everyone knows the candidates by name. Eighty-five percent call succession planning critical. Fifty-seven percent have a plan. Twenty-three percent are working on one.

The same file works at renewal. D&O and key-person underwriters are asking who steps in if the top seat opens. A written emergency-interim plan reads as governance strength, not just good housekeeping.


Day one of a breach is day one of your cyber claim.

Summary

Finance chiefs in Tampa last month spent a session living through a made-up ransomware attack.

Walter Crawford of cybersecurity firm OakTruss Group led the exercise. The scenario locked employees out of core systems and froze invoicing. Customer records sat possibly exposed.

Crawford told the room to expect decisions built on gaps in information.

He named outside legal counsel as the first call. He warned that most companies have never tested whether their backups actually restore, and that full recovery can take weeks or months. He said ransomware crews run help desks and offer discounts.

In the published recap, insurance came up once.

Crawford called it a preparation item: understand your coverage before something happens. Getting legal in early is right. It is also the moment a CFO can spend money the policy will not return.

(source: CFO.com, "What CFOs should do in the first 24 hours of a cyberattack," June 25, 2026)

The LION Lens

What happened — OakTruss Group's Walter Crawford ran finance executives through day one of a ransomware event. The drill covered severity calls on partial facts, the first call to counsel, payroll continuity, and untested backups.

Why it matters — Each day-one choice is also a coverage choice. Cyber policies set notice deadlines and route defense work to approved panel counsel. They require carrier consent before a ransom payment. Business interruption pays only after a waiting period, and stops at the restoration cap.

Practical implications — A response plan written without the policy open can turn a covered event into a disputed one. Put the carrier on the hour-one call list. Match the vendor roster to the panel. Test your restoration speed against the policy's clock.

So what?

Sophos surveyed 3,400 IT and cybersecurity leaders in 2025, mostly at mid-market firms. The median ransom payment fell 50%, to $1 million. Recovery costs dropped 44%, to an average of $1.53 million. And 53% of victims fully recovered within a week, up from 35% the year before. Sophos credits reliable backups and faster containment. IBM puts the average financial services breach at $5.56 million worldwide, second only to healthcare.

Falling severity plus ample carrier capacity points toward a softer cyber market for buyers who can document tested controls. Accounts bringing a timed restoration test and a tabletop log to renewal are negotiating retentions and sublimits from a stronger seat.

(sources: Sophos, State of Ransomware 2025; IBM, Cost of a Data Breach Report 2025)

The LION POV

Here's how we're advising clients:

  • Match your response roster to your carrier's panel now. Breach counsel, forensics, negotiator. If a vendor you trust is not panel-approved, get them endorsed onto the policy before the incident, not during one. Larger programs can negotiate their own counsel and forensics onto the form at placement.
  • Run a timed, full restoration test this quarter. Restore from an immutable or offline copy. A backup the attacker could reach proves nothing. The hours inside the waiting period are self-funded, and most firms have no idea how many those are until they're in one.
  • Write the carrier into hour one. Notice, consent before any ransom payment, sanctions screening. Treat suspicion as the trigger. The policy says possible, not confirmed. Consent skipped on day one is the most common trigger we see for disputed extortion claims.
  • Pull your dependent business interruption sublimit. If a critical vendor goes down and their restoration time exceeds your coverage window, that gap is worth knowing before renewal, not after.

Want a second set of eyes on how your response plan lines up with your cyber form? Contact LION Specialty for a confidential review.


The scam got automated. The sublimit didn't move.

Summary

Phishing volume rose 17.1% in six months, per a KnowBe4 report from April 2026.

Skadden's July 13 advisory maps where that volume goes next. Deepfaked executive voices request urgent wires. Fake IT-desk calls talk employees out of their login codes.

Phony deals arrive with nondisclosure agreements designed to keep the target from checking with colleagues.

The FBI counted over $20 billion in reported cybercrime losses for 2025. More than $3 billion came from business email compromise alone. The average U.S. data breach, all industries, hit a record $10.22 million. The SEC expects disclosure within four business days, and Europe's DORA gives financial firms as little as four hours.

The sublimits were set before the attack learned to talk.

(sources: Skadden, Arps, Slate, Meagher & Flom LLP, "The Rising Tide of AI-Enabled Social Engineering Scams," July 13, 2026; FBI IC3 2025 Annual Report; KnowBe4, April 2026; Office of the Special Deputy Receiver v. Hartford Fire Ins. Co., No. 25-2309, 7th Cir., June 18, 2026)

So what?

In the programs we review, social engineering sublimits commonly run $100,000 to $250,000 against seven-figure towers.

Most were set when phishing meant a badly spelled email. For an institution that wires more in a morning than the sublimit covers, the math deserves a fresh look. Check where the coverage sits.

Social engineering often lives on the crime form, not the cyber form, and the two can argue over the same loss. We have seen that play out.

In our April edition we covered a ruling from an Illinois federal court involving the Office of the Special Deputy Receiver, the entity that winds down insolvent insurance companies for the state. A spear-phishing attack took nearly $4 million out of two insurance estates. The OSD sued both its carriers: Hartford Fire on the fidelity side and HSB Specialty on the cyber side. HSB's motion to dismiss failed and HSB later settled. Hartford's exclusion held at the district court, and the Seventh Circuit affirmed on June 18.

One attack, two forms, opposite outcomes. Wire controls now pull double duty.

Multiperson approval and call-back verification stop the fraud, and they read as credit at underwriting. Before renewal, pull the crime and cyber forms, find the social engineering sublimit, and ask whether a deepfaked executive voice would survive your current call-back rule.


The Bottom Line

Boards sped up, regulators shortened their clocks, and attackers automated. All three now test the same thing: whether the plan existed before the event. The institutions that can produce a successor file, a timed restoration test, and a call-back rule are getting better terms. And calmer Mondays.

Looking ahead. Falling ransomware severity and ample carrier capacity point toward a friendlier cyber market into 2027 for buyers who can document controls. Watch for carriers to start drafting AI-fraud language the way they once handled silent cyber, patching exclusions after the exposure was already priced in. Expect succession questions to show up on D&O applications, not just in board packs.

Three questions for your next risk committee:

  • Could we name our emergency interim CEO today, in writing, and has an underwriter seen it?
  • What is our measured, full restoration time from an immutable copy, and how much of it falls inside our waiting period?
  • What is our social engineering sublimit, and would our call-back rule survive an AI-cloned executive voice?

In case you missed it: Earlier this year we audited six coverage lines for silent AI gaps and found every definition assumed a human was making the decision. Some carriers have already filed absolute AI exclusions for its D&O, E&O, and fiduciary forms, reaching AI-generated content, failure to detect third-party AI content, and insufficient AI governance. Broadly worded exclusions don't end the coverage argument, but the silence is ending. Worth reading before your next renewal. Read the audit here.

From the Wednesday Intelligence archive: Our deep-dive on how late notice and unapproved vendors trigger disputed cyber claims connects to the day-one decisions above. Read it here.


Thank you for reading today's edition!

Want to share this edition via text, email or social media? Simply copy-and-paste the link below:

https://lionspecialty.ck.page/posts/234-ceo-exits-3-billion-in-wire-fraud-most-backup-systems-have-never-been-tested

And if this briefing was forwarded to you, subscribe directly here.

Stay Covered Everybody,

-FLIP

P.S. Comment BLUEPRINT and we'll send you our D&O Contract Vigilance Blueprint, a 5-day email course on the policy gaps that only show up after a claim is filed.

P.P.S. Nothing in this briefing constitutes legal advice. This is market intelligence designed to help you ask sharper questions of your advisors and make better decisions at renewal.


You're receiving this because you subscribed to the LION Specialty Boardroom Brief.
Unsubscribe  Ā·  Update your preferences

LION Specialty

Everything you need to know to navigate the financial institution insurance market in ā‰ˆ 5 minutes per week. Delivered on Fridays.

Read more from LION Specialty
A record $110,000 sanction. A federal AI-evidence rule sent back for a rewrite. And a defense play that works whether or not the rule ever arrives. Five minutes, boardroom-ready.

Reading time: 5 minutesListen time: 11 minutes Good morning. Two forces are reshaping litigation at once. Claims are getting more polished and more plentiful. The proof behind them is not keeping up. Generative AI can draft a flawless-looking brief in minutes. It cannot manufacture the evidence that brief needs. That gap is where this week's intelligence lives. Here's what's in front of you: Courts have now caught AI-invented citations in more than 1,700 filings (as of July 2026), and one...

1,822 lawsuits, a $91M judgment, and 8 more you couldn't stop clicking

Reading time: 5 minutesListening time: 6 minutes The Boardroom Brief — Quarter in Review America turns 250 this weekend. Nobody will mention insurance at the barbecue. But the industry you run is older than the country it's celebrating. Marine underwriters financed the Revolution when the colonies had no navy and no central bank. The receipts are real. So instead of a new Brief this week: ten editions from the past quarter that you told us mattered, measured in the ones you opened and the...

The single most important thing your D&O underwriter grades has nothing to do with your technology.

Negotiating D&O at Every Stage of the Build My first insurtech client was convinced he was going to be the Steve Jobs of insurance. Ten years ago he had everything investors wanted. A growth curve doubling every quarter. A proprietary pricing algorithm. And a claims and reserving operation so unglamorous it never made the deck. Guess which one kept him solvent. The growth curve drove the keynote. His algorithm set the valuation. The reserve discipline no one put in the deck is the only reason...