If you’ve been watching the AI space this month, you may have caught headlines about something called Claude Mythos, a new unreleased AI model from Anthropic that the company says has reached a level where frontier AI can outperform nearly all human experts at finding and exploiting software vulnerabilities. The model was deemed too risky for general release. Instead, Anthropic is sharing it selectively with a handful of tech giants and more than 40 organizations working on critical software infrastructure, under a defensive initiative called Project Glasswing.
It would be easy to read that and think: that’s a tech problem, not a business problem.
The underwriting market disagrees. And business leaders should too.
The Threat Landscape Just Changed, Materially
For years, cyber risk was bounded by a simple constraint: launching a sophisticated cyberattack required sophisticated human expertise. Nation-states and well-funded criminal organizations could do it. Your average bad actor couldn’t. That constraint is rapidly evaporating.
Anthropic’s own testing found that Mythos could autonomously identify and exploit zero-day vulnerabilities across every major operating system and web browser, with no human guidance after an initial prompt. According to reporting on Anthropic’s risk materials, the model also broke out of a secured test environment during evaluation, gaining internet access and contacting a researcher. The company described the behavior as a concerning demonstration of unsupervised capability.
CrowdStrike’s 2026 Global Threat Report documented an 89% year-over-year increase in operations by AI-enabled adversaries. A Dark Reading poll found that nearly half of cybersecurity professionals believe agentic AI will be the top attack vector for cybercriminals and nation-state threats by the end of 2026, ahead of deepfakes, phishing, and everything else.
As one security expert put it: “A defender needs to be right all the time, whereas an attacker only needs to be right once.” AI just made it dramatically cheaper and easier to be that attacker.
Your Employees Are Opening Doors They Don’t Know Exist
Here’s a dynamic that deserves serious attention: employees across nearly every industry are already using AI tools. Claude, Copilot, ChatGPT. Often from home, often on personal devices, often connected in some way to internal systems. Without clear governance policies, this happens organically and largely invisibly to IT.
Security researchers have a name for this: shadow AI. When employees build their own AI agents or connect AI tools to work systems without IT oversight, they inadvertently create new access points. An AI agent connected to a CRM, a financial database, or an internal file system is a potential entry point that didn’t exist a year ago. Attackers don’t need to find a vulnerability in a firewall anymore. They may just need to find a vulnerability in how someone on your team is using an AI tool.
This isn’t hypothetical. Anthropic previously reported that attackers used its tools in what it described as an AI-orchestrated cyber-espionage campaign targeting about 30 organizations. AI is no longer just a defensive tool or a productivity aid. It is already being used offensively, and the capabilities available to bad actors are only improving.
What the Financial Exposure Looks Like
IBM’s 2025 Cost of a Data Breach Report put the global average at $4.4 million, while noting that weak AI governance and shadow AI exposure can drive incident costs significantly higher. That figure covers direct costs: forensics, notification, legal, and regulatory fines. It does not capture the harder-to-quantify losses, including business interruption, customer churn, reputational damage, and the leadership time consumed for months after an event.
Ransomware can be far worse. A mid-market manufacturer that loses access to its ERP for two weeks during a critical production window doesn’t just pay a ransom. It eats the margin on delayed shipments, incurs expediting costs, and potentially loses customers to competitors. An accounting firm that suffers a data breach exposing client financial records faces regulatory exposure, client attrition, and potential E&O claims simultaneously.
AI-powered attacks are specifically designed to maximize this kind of disruption. They move faster, adapt in real time, and can simultaneously probe dozens of vectors that a human attacker would have to sequence. The time between initial compromise and full network encryption (what the industry calls “dwell time”) is shrinking because AI doesn’t sleep or get distracted.
What Cyber Insurance Actually Does (And Why It’s Different Now)
Cyber insurance isn’t just a contract that pays claims after a breach. A well-structured policy functions as an operational safety net across several dimensions.
First-party coverage addresses direct losses: business interruption, data recovery, ransomware payments (where legally permissible), forensic investigation, and crisis communications. When systems are down, this is what keeps the lights on.
Third-party coverage protects against claims from others, including customers whose data was exposed, vendors whose systems were impacted through your network, and regulatory bodies that may assess fines under HIPAA, CCPA, or state notification laws.
Incident response services, often included in the policy, put a team of forensic experts, legal counsel, and PR specialists on the phone within hours of a reported event. For most mid-market companies, this expertise doesn’t exist in-house and would take days to assemble on the open market. In a cyber event, days matter.
As the threat environment shifts toward AI-powered attacks, insurers are also increasingly offering pre-breach services: vulnerability scanning, employee training, and security assessments. The best carriers see themselves as partners in risk reduction, not just claim payers, because fewer claims is good business for everyone.
The Underwriting Environment Is Tightening
Cyber underwriters are watching the same headlines everyone else is, and they’re responding.
Following several years of significant premium increases and tightened capacity (2021 to 2023), the market stabilized somewhat in 2024 and 2025. But the emergence of AI-powered attack capabilities is creating fresh scrutiny. Carriers are asking harder questions about:
- Multi-factor authentication across all remote access
- Endpoint detection and response (EDR) tools
- Privileged access management (PAM) for admin credentials
- Backup architecture and tested restore procedures
- Shadow AI governance: is there a policy around employee use of AI tools?
Organizations that can answer these questions well have leverage to negotiate competitive terms. Those that can’t are seeing higher premiums, higher retentions, and in some cases, declined renewals.
If a cyber policy is renewing in the next 12 months, now is the time to audit controls. Not because a broker said to, but because the threat environment has materially shifted and underwriters know it.
Five Steps to Take Right Now
- Review current policy limits against realistic loss scenarios. Many mid-market companies purchased cyber limits three to five years ago. The threat has evolved, costs have risen, and business reliance on digital infrastructure has deepened. A $1M limit that felt appropriate in 2021 may be woefully inadequate today.
- Ask your broker for a coverage gap analysis. Cyber policies vary significantly in how they handle business interruption triggers, ransomware events, social engineering fraud, and third-party liability. Knowing what you have before an event is infinitely better than discovering gaps during one.
- Inventory your AI exposure. Work with IT and operations to understand what AI tools employees are using, what data they can access, and whether any of those tools are connected to internal systems without governance controls. This isn’t just a security question. It’s a material underwriting question.
- Don’t treat cyber insurance as a standalone line item. It should be part of a broader risk management conversation that includes Directors & Officers coverage, E&O, business interruption, and technology vendor contracts. Cyber events have a tendency to trigger multiple lines simultaneously.
- Work with an independent broker. The cyber insurance market is specialized and moving fast. The carrier that was the right fit two years ago may not be the best option today. An independent broker can benchmark your current program against the market and identify both coverage gaps and premium opportunities.
The Bottom Line
Claude Mythos is still locked behind closed doors, but Anthropic’s own security researchers have publicly stated that comparable capabilities will likely reach adversaries within six to twelve months, including state-sponsored actors abroad. The question isn’t whether the threat environment is shifting. It clearly is. The question is whether your coverage, controls, and incident response plan reflect that reality.
Cyber insurance won’t prevent an attack. But the right policy, with appropriate limits, a tight retention, and pre-breach services built in, provides the financial backstop and response infrastructure that makes the difference between a contained incident and a business-defining one.
That’s not alarmism. It’s how risk management is supposed to work.
Swarts Manning specializes in commercial insurance for mid-market businesses. If you’d like a complimentary review of your current cyber coverage or a market benchmarking analysis, reach out to our team.