Financial Firms Tie CEO Pay to Cyber Performance Amid Budget Hikes, Moody's Finds

Moody's Report: Financial and Insurance Firms Increase Cyber Budgets and Board-Level Governance

Informational
October 9, 2025
3 minute read
Topics: Policy and Compliance; Security Operations


Executive Summary

A new report from Moody's, released on October 8, 2025, reveals that the insurance and asset management sectors are making substantial strides in maturing their approach to cyber risk. The findings show a clear trend of increased cybersecurity budgets, stronger board-level governance, and greater executive accountability. A key highlight is that 40% of surveyed firms now tie CEO compensation to cybersecurity metrics, demonstrating that cyber risk is now viewed as a core business issue. This cultural shift is supported by enhanced operational practices, including more frequent incident response testing and proactive governance over emerging technologies like AI.

Regulatory Details

The Moody's report is a market analysis, not a regulatory document. However, it provides a valuable benchmark for how firms in the heavily regulated financial services industry are responding to pressure from regulators, investors, and the evolving threat landscape. The trends identified in the report—such as linking executive pay to cyber performance and formalizing CISO-board communication—are likely to become de facto standards that regulators will expect to see during examinations.

Affected Organizations

The report focuses specifically on the following sectors:

  • Insurance companies
  • Asset management firms

However, the trends are indicative of a broader movement across the entire financial services industry, including banking and investment services. The findings serve as a benchmark for any organization operating within this ecosystem.

Compliance Requirements

The report details industry best practices rather than compliance mandates. Key trends that are becoming standard practice include:

  • Budget Allocation: Nearly 50% of firms now spend 8% or more of their total IT budget on cybersecurity.
  • Executive Accountability: 40% of companies link CEO compensation to cybersecurity performance goals.
  • Board Governance: Almost 70% of firms have their CISO brief the board of directors at least twice a year.
  • Operational Readiness: 98% of firms test their incident response plans at least annually, and 80% perform daily data backups.
  • AI Governance: 84% of respondents have established formal policies to govern the use of AI tools.

Implementation Timeline

These are observed trends, not deadlines. However, firms lagging behind these benchmarks are likely to face pressure from their boards, investors, and regulators to catch up quickly. The rapid year-over-year increases suggest that these practices will be nearly universal within the next 1-2 years.

Impact Assessment

The increasing focus on cybersecurity has several business and operational impacts:

  • Positive Impact: Firms are becoming more resilient to cyberattacks, reducing the potential for financial and reputational damage.
  • Financial Impact: Increased budgets for cybersecurity mean resources are being diverted from other IT or business initiatives. However, this is increasingly seen as a necessary cost of doing business.
  • Organizational Impact: The CISO role is gaining prominence and direct access to the board, elevating cybersecurity from a back-office IT function to a strategic business enabler.
  • Competitive Impact: Firms with mature cybersecurity programs may have a competitive advantage, as they are viewed as more stable and trustworthy by customers and partners.

Enforcement & Penalties

There are no direct penalties associated with this report. However, regulators like the SEC in the US have implemented rules requiring disclosure of cyber risk governance. Firms that cannot demonstrate practices in line with the industry standards highlighted by Moody's may be seen as having deficient governance, potentially leading to regulatory findings or shareholder lawsuits in the event of a breach.

Compliance Guidance

  1. Benchmark Your Program: Use the statistics from the Moody's report to benchmark your organization's cybersecurity program against its peers. Identify areas where your firm is lagging, such as budget allocation, board reporting frequency, or executive accountability.
  2. Propose a 'Cyber-KPI' for Executives: CISOs can use this report to build a case for linking a portion of executive bonuses to specific, measurable cybersecurity outcomes (e.g., reduction in critical vulnerabilities, improved incident response times).
  3. Formalize Board Reporting: If not already in place, establish a formal charter for a board-level risk committee that includes cybersecurity. Schedule semi-annual CISO briefings as a minimum standard.
  4. Review and Test IR Plans: While 98% of firms test annually, leading firms test more frequently (e.g., quarterly tabletop exercises). Review your testing cadence to ensure it is adequate for the current threat level.

Timeline of Events

  1. October 8, 2025: Moody's releases its report on cyber risk in the insurance and asset management sectors.
  2. October 9, 2025: This article was published.

Sources & References

  • "Cyber risk a growing priority among insurance and asset management firms", Cybersecurity Dive (cybersecuritydive.com), October 9, 2025

Article Author

Jason Gomes, Cybersecurity Practitioner

Cybersecurity professional with over 10 years of specialized experience in security operations, threat intelligence, incident response, and security automation. Expertise spans SOAR/XSOAR orchestration, threat intelligence platforms, SIEM/UEBA analytics, and building cyber fusion centers. Background includes technical enablement, solution architecture for enterprise and government clients, and implementing security automation workflows across IR, TIP, and SOC use cases.

Areas of expertise: Threat Intelligence & Analysis; Security Orchestration (SOAR/XSOAR); Incident Response & Digital Forensics; Security Operations Center (SOC); SIEM & Security Analytics; Cyber Fusion & Threat Sharing; Security Automation & Integration; Managed Detection & Response (MDR)

Tags

Cybersecurity Budget; Governance; Board of Directors; Financial Services; Insurance; Moody's
