​

​

Reading time: 5 minutes

Your Friday Five

Every Friday we distill 200+ insurance, legal, and market-risk articles into three signals your board may need for its Monday briefing.

Three developments caught our attention this week:

• AXIS surveyed 500 CEOs and CISOs on AI risk. The findings reveal a 10-point gap between executive optimism and security realism, and 75% plan to cut cyber headcount while threats multiply.
• A federal court just split the difference between crime bonds and cyber policies for social engineering losses. The ruling exposes a coverage gap most financial institutions don’t know they have.
• New York legislators are holding hearings about a homeowners insurance “crisis.” The data tells a different story and the real cost drivers remain untouched.

Three events you need to take five and scan...

The AI Governance Gap Your Board Needs to Close

Summary

AXIS surveyed 500 CEOs and CISOs across the U.S. and U.K. The findings expose a fault line running through executive suites.

CEOs are 10 points more optimistic than CISOs that AI will strengthen cyber defenses. The generational gap runs even deeper: only 23% of executives over 55 believe AI improves security, compared to 77% of those aged 35-44. U.S. leaders feel prepared for AI threats at nearly twice the rate of their U.K. counterparts (85% vs. 44%).

The contradiction that should concern boards: 82% plan to increase cybersecurity budgets over the next 12 months — while 75% plan to reduce cybersecurity headcount because AI tools will make remaining staff more productive.

As AXIS’s Lori Bailey put it: “While it is now commonplace for CEOs to champion AI as a catalyst for innovation and efficiency, CISOs tend to see it as a new frontier of exposure and control.”

source: AXIS Specialty US Services Inc. ​

​
​So what?

Your board probably has this same disconnect.

CEOs see AI as a productivity multiplier. CISOs see Shadow AI as unauthorized tools employees deploy without IT oversight — as their top risk (27% ranked it first). These aren’t incompatible views, but they require reconciliation at the governance level.

The “increase budget, cut headcount” paradox deserves scrutiny. AI-driven attacks are viewed as the greatest emerging cyber threat (29.6% in the U.S.). Reducing the humans who respond to those attacks while the attack surface expands is a bet on tools that haven’t been tested under fire.

Monday morning: Ask whether your board has heard from both perspectives. If your last cyber briefing came only from the CEO, you may be missing half the picture.

Crime Bonds Won’t Save You From Email Fraud

Summary

In March 2025, an Illinois federal court produced a split ruling that exposes a coverage gap most financial institutions don’t know they have.

The Office of the Special Deputy Receiver, a non-profit administering insolvent insurance company estates, lost approximately $7 million when hackers compromised its CFO’s Outlook email account, manipulated email rules to hide their activity, then impersonated the CFO to instruct employees to wire funds to fraudulent accounts. Eight transfers. Three weeks. Employees followed what appeared to be legitimate internal instruction and protocol.

OSD carried both a Hartford Financial Institution Bond and an HSB Specialty Cyber Policy. Hartford denied coverage entirely. HSB paid $250,000 under a Social Engineering sublimit but denied Computer Fraud coverage. OSD sued both.
​
Judge Andrea R. Wood granted Hartford’s motion to dismiss and denied HSB’s.

(source: Office of the Special Deputy Receiver v. Hartford Fire Insurance Co., N.D. Ill., March 31, 2025)

The LION Lens

What happened - Hartford’s email fraud exclusion barred coverage for losses “resulting directly or indirectly from the Insured having, in good faith, transferred or delivered Funds in reliance upon a fraudulent instruction sent through electronic mail.” The court found this language unambiguous. OSD’s employees transferred funds in good faith based on fraudulent emails. Exclusion applies. Case dismissed.

Why it matters - The exclusion didn’t care that the fraudulent emails resulted from a sophisticated account compromise. It only cared that employees relied on emails to execute transfers. The human element — employees making decisions based on what they read — triggered the exclusion.

Practical implications - Financial institution bonds are designed to protect against internal dishonesty or direct computer manipulation, not against losses resulting from employees’ good-faith reliance on fraudulent communications. When the attack vector is email, the bond steps aside.

So what?

HSB’s cyber policy told a different story.

The court rejected HSB’s argument that “intervening human decision-making” broke the causal chain between the computer crime and the loss. Cyber policies apply a more permissive “direct result” standard. The transfers were “a direct response” to fraudulent emails issued from the compromised CFO account. That’s enough.

This distinction matters: crime bonds require strict “direct cause” analysis where human acts may break the chain. Cyber policies apply a “direct result” standard where they don’t.

Your financial institution bond almost certainly contains similar email fraud exclusion language. Your cyber policy may or may not contain adequate Computer Fraud coverage — many institutions rely on Social Engineering sublimits ($250,000 in this case) that won’t cover a seven-figure loss.

The LION POV

Here's how we're advising clients:

• Pull both policies now. Request your financial institution bond and cyber policy. Read the email fraud exclusion in the bond. It’s probably there, and it’s probably broad.
• Verify Computer Fraud Coverage. Not just Social Engineering. Social Engineering sub-limits are typically capped at $250,000, unless you specifically push for higher coverage. Computer Fraud coverage may provide access to the full policy limit. The HSB case survived because OSD alleged Computer Fraud, not just Social Engineering.
• Map your wire transfer procedures to your coverage. If employees can execute large transfers based on email instructions alone, your coverage architecture needs to account for that exposure. The controls OSD had in place weren’t followed because of the manipulation. The coverage they thought they had didn’t respond.

The Hartford ruling won’t be the last word on these issues. But it clarifies the split: crime bonds step aside when employees rely on emails. Cyber policies may still respond if the Computer Fraud coverage is there.
​
Sources:
​Wiley's 7 Predictions for Cyber Risk in 2026​
LION Deep Research

Want to review how your crime and cyber coverage interact? Contact LION Specialty for a confidential gap analysis

The New York “Crisis” that isn’t

Summary

New York lawmakers launched a formal investigation into homeowners insurance affordability in August 2025. Three Senate committees. Document requests to carriers. A public hearing in November. The premise: premiums are soaring, insurers are gouging, and regulators must intervene.

The data tells a different story.

New York ranks 29th in homeowners insurance affordability, with premiums representing 2.11% of median household income — a lower percentage than a decade ago. Insurance costs equal 0.39% of median home value. Louisiana’s ratio is 1.18%. Mississippi’s is 1.04%. Florida’s is 0.4%.

New York insurers spent 74 cents of every premium dollar on claims and expenses in 2024. The national average was 91 cents. That’s not a market in crisis. That’s a market functioning efficiently.

(sources: BIG I, Insurance Research Council, Various Industry)

So what?

The real cost drivers aren’t on the legislative agenda.
​
New York’s Scaffold Law, enacted in 1885, imposes absolute liability on property owners and contractors for gravity-related construction injuries, regardless of worker negligence. New York is the only state that maintains this standard. Liability insurance premiums for contractors run approximately 30% higher than in comparative negligence states. Bodily injury claims exceeding $250,000 occur in New York more than 30 times as frequently as in other states.

The Consumer Litigation Funding Act, signed in December 2025, caps consumer litigation funding recovery at 25% of gross settlements. But it explicitly excludes commercial litigation funding — the institutional money from hedge funds and private equity that critics say fuels nuclear verdicts and drives up liability costs.

New York recorded 38,270 suspected motor vehicle insurance fraud incidents in 2023 — a record. The state ranked second nationally for staged crashes.

Triple-I’s Patrick Schmid warned lawmakers directly: “Targeting insurance premiums would address a symptom rather than the cause, potentially destabilizing a well-functioning, competitive market.”

When your board asks what’s happening in New York, the answer is political theater. Rate caps, profitability reviews, and fossil fuel divestment mandates make headlines. Scaffold Law reform, commercial litigation funding restrictions, and fraud prosecution do not.

The 29th ranking and the 74-cent combined ratio are your talking points. The market isn’t broken. The incentives are!

The Bottom Line

Three disconnects surfaced this week. CEOs and CISOs see AI through different lenses and boards need both views. Crime bonds and cyber policies diverge on social engineering losses. And most institutions haven’t mapped the gap. New York legislators target insurers while the real cost drivers remain untouched — and the data doesn’t support the “crisis” premise.

The common thread: governance requires seeing the full picture, not just the comfortable half.

In Case You Missed It!

Every other Wednesday, we go deeper.

While Friday is for news, Wednesday is for Conversational Intelligence. Insider to insider.

We break down complex industry events like Nuclear Verdicts, Cyber Hurricanes, and D&O Structure, along with lessons learned from working with hundreds of financial institutions over 20+ years.

Actionable blueprints from 20+ years serving financial institutions and $250 million in claims recoveries.

Last week: The insurance industry wears exhaustion like a badge of honor, but we realized that burned-out brokers make dangerous mistakes. We rebuilt our firm using the longevity secrets of the world's "Blue Zones," prioritizing recovery systems to ensure elite performance. This is the blueprint for the "Corporate Blue Zone." The safest place for your risk program to live!

>>> Read: Why Your Broker's Burnout Is Your Exposure​

Your broker's wellbeing is the foundation of your coverage quality.

Thank you for reading today's edition!

Want to share this edition via text, email or social media? Simply copy-and-paste the link below:

​http://lionspecialty.ck.page/posts/the-sauce-in-this-update-might-save-the-industry​

And if this briefing was forwarded to you, subscribe directly here.

Stay Covered,

Natasha & Mark

Co-Founders and Managing Partners

LION Specialty