Data security and privacy are the top concerns among technology companies facing a complex risk landscape, with 79% indicating it is a “somewhat or very high concern” and 55% expecting these risks to increase within three to five years, according to the “Technology Industry Risk Report 2025: The Complexity of Risk,” produced by the World Economic Forum with strategic support from Marsh McLennan and other partners. These concerns are followed by regulatory compliance, of which 56% of respondents indicate somewhat or very high concern, and technology errors and omissions (E&O), of which 52% indicate the same.
According to the report, “The complexity of interconnected networks and solutions, together with the increasing prevalence of cyberattacks and sophistication of threat actors, puts cyber-related risks at the top of tech companies’ concerns.” The global average cost of a data breach in 2024, the report notes, was $4.88 million—a 10% increase over 2023—emphasizing the concerns many organizations have about their “ability to protect sensitive data and maintain operational systems.”
As organizations become increasingly interconnected, the potential for a single point of failure to trigger a widespread disruption or systemic failure increases. As a result, comprehensive risk management is essential for large networks. “At the same time, concern regarding black swan events has become more pronounced in the tech industry amid recognition that even companies with robust cybersecurity measures and contingency plans are not immune to their impact, whether directly or indirectly through third parties. These events—unpredictable by nature—can disrupt operations, lead to significant financial losses, and further complicate the risk landscape,” the report explains.
“Broadly speaking, the most complex exposure has [long] been…combined cyber risk and technology, E&O, and exposure,” Tom Quigley, communications, media & technology practice leader, Marsh, tells CLM. “The more technology becomes ubiquitous, the more users are dependent upon it working as expected. So, whether it's a consumer…an institutional user, infrastructure, [or] IoT [(Internet of Things)]…if the technology does not work as expected, it leads to damages.”
The Evolving Risk Landscape
“Escalating geopolitical and geoeconomic tensions could significantly influence organizations’ decision-making and growth strategies,” states the report. “Tech companies are also grappling with interconnected challenges, ranging from natural catastrophes destroying properties and disrupting supply chains, to potential liabilities linked to product failures, to the increasing prevalence of Nuclear jury verdicts.” Furthermore, rapid tech innovation has led to challenges in understanding and managing off-strategy risks. As a result, companies have had to adapt their risk strategies and insurance programs accordingly.
Managing Risk
When it comes to managing risk, according to Quigley, tech companies look at three aspects: “physical world events that have happened previously that could now be triggered because of a technology failure…or cyber event [and] mapping out and understanding what those scenarios are,” he explains, is the first aspect.
“Number two [is] understanding contractual arrangements with either…business partners…providers, or…customers,” Quigley continues. Despite wanting to say a product works perfectly and, if not, that strict limitations liability is provided in their contract, he suggests asking, “What are the service level agreements? The promises? What are the indemnifications? [Asking these questions plays] a big part in terms of identifying exposure.”
Number three, Quigley continues, for companies that are “very complex, or perhaps their technologies are being used in a manner whereby there could be systemic exposures—meaning multiple users impacted if something goes wrong—is getting into modeling what those scenarios look like…and understanding what the products do…looking at the contracts and getting into the quantifications. Those are steps one, two, and three before you even discuss transferring those risks.”
Greg Eskins, global cyber product leader, Marsh, adds, “You manage what you don't measure…It’s not good enough to singularly model a particular peril or… event. It's how those things intersect, and that can be a reasonably complex undertaking….But I think that is at the crux of it…once we have an identification of managing it—whatever it is being the most high-impact strategic issue that a particular organization faces—we've done a lot of work understanding what technical controls one can put in place that have a demonstrable quantitative impact on reducing that risk.”
Innovation Continues Despite Challenges
The challenges posed by the evolving risk landscape, however, have not stopped tech companies from innovating new products. According to the report, 77% of companies surveyed are developing new products and services, while 48% are selling existing products or services to be used in new ways. Further, innovation was found to be a top priority for tech companies, with 41% indicating that “the foundation of our company is continuous innovation” and 37% indicating that they are “investing heavily in new technologies.” A third of companies are expanding into new geographic markets, while another third is “focusing on stability and resilience due to economic or competitive pressures,” which, according to the report, underscores “how economic and competitive pressures could challenge the growth trajectory of the industry.”
AI: Opportunities and Increased Risk
“Artificial intelligence (AI) is revolutionizing the way organizations work,” notes the report. “But many tech companies are not merely users of AI; they are actively developing and customizing AI solutions to enhance their operations, creating a new risk landscape with evolving challenges that are expected to further amplify existing vulnerabilities.”
AI risks, such as human error, system design failure, and more, ranked at the bottom of concerns among survey respondents. Meanwhile, respondents expect AI-related risks to become more of a concern in the next three to five years, suggesting a couple of possibilities: that executives are focused on other issues; the lack of significant AI-related losses to date has created a false sense of security and awareness that new risks will emerge.
“The absence of significant losses to date does not mean companies can afford to temporarily ignore risks, especially considering the field’s fast-paced development,” the report notes. “The shift from traditional tech products to AI-driven solutions introduces unique liability risks. For instance, if a tech system that uses AI fails to perform as expected, the developer may face product liability concerns.”
Quigley notes that although AI needs to be watched, “there is nothing urgent that is changing today that is putting us out of coverage or that is going to put us at high risk.” However, the technology is moving quickly, and the Marsh team expects that “actual uses of AI are going to accelerate. Then, there is concern that it starts to…push boundaries that we're comfortable with. Does it start to push underwriters into zones of discomfort? Does this become the next issue, similar to ‘silent cyber?’” Quigley asks, referencing the ambiguity of coverage for cyber incidents that are not explicitly mentioned in traditional insurance policies. “So, lowering concerns for the [present] but recognizing we do need to keep our eyes on it because this is moving so fast—maybe not today, but in a couple years, it might really start to push the boundaries.”
The Marsh report suggests a three-pronged risk strategy to mitigate AI risk, which includes technical controls, process controls, and people controls. “AI risk management is not a one-time exercise; it requires ongoing evaluation and adaptation to keep pace with continued technological advancements.”
GenAI: An Up-and-Coming Risk
While AI is well-known and poses long-term concerns, generative AI (GenAI) is an amplifier of familiar risks, “as opposed to a whole new net category of risk. So, cyber and AI are not like a fire or an explosion or a flood,” explains Eskins. “They are categories of risk emanating from software and hardware and firmware and other technologies...[T]he difference…is speed and scale. Obviously, you deploy agents, you use these tools en masse…if they're supposed to be available and everyone's using a similar tool without layering all their own security and protocols and processes, then you can possibly have a systemic event.”
Eskins suggests that a good first step toward GenAI utilization would be “to start to understand how businesses are using these tools, how it's changing their business model. Then, we can start to underwrite to those things…Then, you can start to model some of those things and therefore start to price some of that for scale and evolve the existing products to account for any nuance. Because, certainly, there will be nuance that will be required over time.”
Responding to a Rapidly Changing Risk Landscape
Insurers emphasize that these tools also present opportunities to “reduce risk, to reduce fraud, [and] to detect security events and anomalies well in advance,” explains Eskins. “So, I think one of the things we can do to respond to the rapidly changing landscape is not move to any side of the extreme of ‘this is the world's greatest technology’ or ‘this is the technology that's going to destroy the world.’”
Eskins suggests asking questions and being open minded about underwriting; considering how to utilize tools to reduce risk within both insurers’ and insureds’ organizations; not overreacting; gaining a deeper understanding by collecting information and data; and communicating effectively about concerns and how they can be overcome to reduce concerns.
“More and more, we're talking to our clients about not just looking at [a client’s] immediate risk but making sure they're looking at and addressing the risks throughout their ecosystem…which reduces friction in the process and helps us all grow,” explains Quigley.
Then, Quigley explains, if the product goes down through no fault of the tech company, but because of a cloud host or provider, the company can still provide the amplification, indemnification, or assistance to the end user.
Challenges in Casualty Risk
“Tech companies now face a new reality as most insurers—focused on increasing casualty claims costs and lacking a true understanding of tech products’ casualty risk—have significantly lowered available limits, with few willing to go as high as $25 million across the tower,” according to the report.
“A heightened litigation environment, coupled with longer claim cycles and soaring jury verdicts, has created a perfect storm that is reshaping how insurers assess casualty risk overall.” For tech companies in particular, casualty-related issues are more pronounced as their products become more ubiquitous—from smart home devices to wearable technology to medical devices to vehicles and beyond.
As Nuclear Verdicts and social inflation rise, insurers are increasingly cautious of tech products that could cause injuries, catastrophes, or fatalities. “The potential for high-stakes claims has made insurers hesitant to provide traditional limits, as they grapple with the uncertainty surrounding these risks.” As a result, tech companies face challenges securing desired casualty insurance limits. These changes in the casualty insurance market, the report emphasizes, require open communication between tech companies and insurers to enhance the chances of securing sufficient coverage.