Estonia’s Next Cyber Crunch 

Paul Spittau


Paul Johannes Spittau, Head of Group Insurance Mediation at GrECo International, met with Igor Fedotov, CEO of IIZI Estonia, to discuss what will shape risk advisory through 2030. From APIs and AI to tougher resilience regulation, the conversation explores what clients must prove to underwriters to secure capacity, clearer terms, and cleaner wording.

The forces reshaping risk advisory 

Spittau: Which technology trends will matter most to Estonian businesses between 2026 and 2030? 

Fedotov: The most important technologies are not isolated tools, but technologies that change the whole insurance value chain: API-based data exchange across advisers, insurers, and partners; AI and automation in service, document, comparison, and claims support; and cybersecurity and digital operational resilience, as everything depends on secure infrastructure. Embedded insurance will grow within segments such as car sales and leasing, home loans, travel, and SME services, so independent advice and claims support will matter more. The long-term move is from transaction platforms to risk and service platforms. 

Why Estonia moves fast and where it’s exposed 

Spittau: What are the top three Estonia-specific drivers, why are they accelerating, and which industries or systems are most vulnerable? 

Fedotov: Estonia’s digital maturity raises expectations (digital identity, remote service, fast online processes). At the same time, many SMEs depend on outsourced IT and cloud platforms without a mature continuity capability. Add Baltic-region geopolitical pressure plus DORA, NIS2, the AI Act, and data-protection requirements, and the most exposed are digital customer interfaces, payments, logistics, and partner integrations, plus critical infrastructure, financial services, transport, healthcare, energy, and digital service providers.

AI: assistant, not replacement 

Spittau: How should IIZI view AI as a technology force between 2026 and 2030? 

Fedotov: AI will be a horizontal capability across the broker business: think faster client communication, summarising wordings, comparing exclusions, renewal reminders, claims-document classification, and internal search. The best use cases cut manual work and improve advice quality by flagging when offers are not comparable because of exclusions, deductibles, sub-limits, or claim conditions, and by helping teams build stronger risk profiles and cyber submissions. But AI should not replace advice: it still needs context, trade-offs, and claims support. It must run under human oversight with clear data rules, accuracy checks, and accountability.

Loss patterns: business interruption is the headline 

Spittau: How are digital transformation pressures, regulation, and economic realities changing cyber and technology-related loss patterns in Estonia? 

Fedotov: Cyber risk has moved from an IT issue to a business continuity and management issue. Dependence on cloud, outsourced IT, payments, CRM/ERP, connected devices, and partner APIs means an incident can stop sales, logistics, customer service, accounting, or production. Losses now come from attacks and outages such as supplier disruption, human error, misconfiguration, social engineering, ransomware, and data leakage: risks where the biggest impact is often business interruption, reputational damage, and operational chaos. Regulation and economic pressure link outcomes increasingly to governance quality, not only technical maturity.

Spittau: What does that mean for pricing, deductibles, capacity, exclusions and underwriting scrutiny? 

Fedotov: Cyber and technology insurance is more selective. Insurers differentiate by evidence of controls – MFA, tested backups, endpoint protection, privileged access management, segmentation, incident response and supplier-risk governance. Weak information or controls mean tougher scrutiny, higher deductibles, narrower cover, lower limits or exclusions. Preparation before placement or renewal is now a risk adviser’s leverage: translating technical reality into something the market can underwrite, with clearer wording, better terms and fewer surprises at claim time. 


Spittau: How does AI change cyber and technology loss patterns? 

Fedotov: AI improves detection and efficiency, but it also increases the speed and quality of attacks. Phishing, deepfake social engineering, invoice fraud, automated vulnerability discovery and identity manipulation are becoming more convincing and harder to recognise. AI also creates internal risk if confidential data goes into unapproved tools or decisions are automated without control. As a result, exposures will increasingly overlap across cyber, crime, PI/technology E&O and management liability.

Where’s investment going? 

Spittau: Which sectors are investing heavily in AI, automation, cloud modernisation and data platforms, and why does it matter for risk? 

Fedotov: Investment is strongest in financial services, telecoms, energy, transport/logistics, manufacturing, healthcare, retail/e-commerce and tech-enabled professional services because they run on digital journeys and data. In Estonia, the next efficiency wave depends on data quality, API connectivity and automation; for IIZI that links to retail self-service, corporate risk advisory and affinity/partner platforms where insurance is embedded in another journey. 

Rules moving the market: DORA, NIS2 and the AI Act 

Spittau: Which legislative and regulatory developments are most challenging for companies and why? 

Fedotov: The biggest drivers are DORA, NIS2, the AI Act and GDPR. DORA has raised the bar on ICT risk management, incident reporting, resilience testing and third-party oversight in financial services. NIS2 has expanded expectations across critical/important sectors, and the AI Act has forced companies to know where AI is used, what data it touches, how outputs are controlled and where human oversight is required. 

Digitalisation can’t be only faster sales. It has to connect with governance, documentation, incident management, third-party oversight, data protection, continuity and management reporting.

Spittau: What should good AI governance look like for IIZI?

Fedotov: Keep it practical: list your AI use cases, approve tools, set data rules, classify higher risk uses, require human review where it matters, and make vendor due diligence and escalation clear. 

AI should assist, not silently decide, especially in advice, wording interpretation, renewal recommendations and claims advocacy.

What underwriters reward (and punish) 

Spittau: Which data points, certifications and controls are most rewarded by cyber underwriters in Estonia? 

Fedotov: Underwriters reward evidence: what’s critical, where data sits, key cloud/outsourced providers, prior incidents, backup maturity and recovery objectives, plus incident response readiness. On controls, multi-factor authentication (MFA) is close to a minimum; tested backups, patching, endpoint protection, and privileged access management are strong signals. Certifications help only if they reflect real maturity.

Spittau: What should companies prepare before approaching the insurance market? 

Fedotov: Companies should bring a concise cyber-risk profile: critical systems, data locations, essential vendors, key controls, how backups are tested, and what happens on day one of an incident. 

Clear, consistent submissions win. If a client cannot explain dependencies, the insurer assumes uncertainty and terms harden. IIZI’s value is finding gaps early and presenting risk in underwriter language. 

Case Study: a breach close to home 

Spittau: Can you give an Estonian cyber or digital-disruption case that illustrates the main risk lessons for companies? 

Fedotov: For Estonia, three local cases work better than one global example because they show cyber risk as a continuity, trust and insurance issue, not just an IT problem. 

First, the Allium UPI / Apotheka breach showed how exposed customer-data systems can be: criminals accessed large volumes of personal data from the customer-card database. The lesson is that even a loyalty database can trigger major regulatory, reputational and fraud-related fallout. 

Second, the Asper Biogene case showed how much more severe an incident becomes when highly sensitive data is involved: around 100,000 files containing personal, genetic and health data were reportedly accessed. That sharply increases legal, regulatory and reputational exposure. 

Third, recent ransomware cases highlighted business interruption: Järvamaa Vocational Education Centre lost server data after encryption with no backups, while a South Estonian retailer had server data encrypted, backups deleted and operations halted. The lesson is that downtime and failed recovery can be the biggest loss. 

Spittau: What were the business impacts? What worked and what failed? 

Fedotov: The main impacts were business disruption, recovery costs, regulatory fallout and loss of trust; in ransomware cases, operations can stop immediately, sales can freeze and customer service may be paralysed. What worked was that these incidents became public lessons, forcing companies and advisers to take resilience more seriously and making the consequences easier to explain to boards. What failed was the resilience chain: access control, monitoring, patching, supplier oversight and recoverable backups were often too weak or not tested in practice. For insurers, the key lesson is to clarify cover before a crisis, especially around business interruption, incident response, data restoration and where exclusions or conditions may limit recovery. 

Spittau: Which three actions should companies take now? 

Fedotov: First, map critical systems, data and dependencies: what’s held, where, who can access it, which vendors matter, and how long you can operate without key systems. 

Second, test the basics: MFA, least privilege, monitoring, patching, endpoint protection, and offline/immutable backups with proven restore, plus a clear incident-response plan. 

Third, treat renewal as a resilience review. Explain controls, dependencies, backup maturity, supplier exposure and a realistic BI scenario so coverage and appetite become concrete. 

Spittau: How does the AI perspective change the lesson from these incidents? 

Fedotov: AI helps detection but makes attacks more convincing and scalable (personalised phishing, deepfake fraud). Internally, it adds risk through unapproved tools and wrong outputs. So, AI governance (approved tools, data classification, human review and training) now sits inside cyber resilience. 

Paul Johannes Spittau

Head of Group Carrier Relations & Insurance Mediation

T +43 664 537 17 42

Igor Fedotov

CEO
IIZI Estonia
