London, 29 September 2025
Insurance, financial and technology leaders have warned that businesses must overhaul crisis management strategies to reflect today’s increasingly complex cyber and operational threats.
The call came during a high-level roundtable in London co-hosted by Intersys and Semperis, which brought together 15 senior executives from across sectors including healthcare, energy, insurance, exposure management, and technology.
Attendees analysed recent global incidents and debated lessons learned, such as how organisations can better prepare for crises ranging from cyber attacks and supply chain disruption to physical damage and deepfake-driven fraud.
Speakers highlighted recurring weaknesses across organisations, including:
- Failing to run realistic simulations, instead rehearsing in “ideal states”
- Lack of clarity on roles, responsibilities and decision-making beyond the C‑suite
- Inadequate information sharing on supply chains, with some firms reliant on thousands of third parties
- Over-reliance on informal or “shadow IT” communications such as WhatsApp
- The human factor – from tired crisis teams to “bad leavers” retaining system access
The roundtable — Crisis Management: Adapting to a Changing Threat Landscape — reflected on high profile incidents such as the Iberian energy blackout and ongoing cyber-attacks against major retailers and manufacturers, and their impact on related supply chains.
Attendees included:
- Hannah Brambani, Head of Operational Performance at Pro Global
- Catherine Geyman, Director, Enterprise Risk Management, Intersys
- Simon Hodgkinson, Strategic Advisor to Semperis and ex CISO of BP
- Yunus Jawaheer, Head of Risk and Compliance, Affinia
- Kumu Kumar, Managing Director International, Sigma7 Paragon
- Nhamo Nyakambangwe, Senior Manager, Operational Resilience, Investec
- Guy Williams, Exposure Subject Matter Expert, Ebix Europe
Catherine Geyman, Director, Enterprise Risk Management, Intersys, said: “I’d like to thank all the participants for a very insightful and forward-thinking discussion. The takeaway is clear: resilience isn’t just about technology – it’s about people, processes, and culture. This year the FCA gave organisations, including banks, insurers, and PRA-designated firms, up until 31 March 2025, to implement the new requirements in UK operational resilience. Organisations must move beyond box-ticking, run realistic crisis exercises, and ensure infrastructure and communication systems are given a voice. The next wave of threats – from deepfakes to systemic infrastructure failures – is already here. Preparedness is the only defence.”
Simon Hodgkinson, Strategic Advisor to Semperis and ex CISO of BP, stressed the need to rethink how resilience is framed: “Too often, incident response playbooks don’t account for communication breakdowns, global cultural differences in risk appetite, or the need for clear escalation and authority outside the C‑suite. Businesses need to know not just what to do, but who can do it when the crisis hits.”
Hannah Brambani, Head of Operational Performance at Pro Global, added: “All companies need to take a hard look at their own operational risk. Too often, resilience is treated as a compliance exercise led by group functions, but real preparedness means stress-testing your own systems, people and processes. For re/insurers in particular, proactively identifying weaknesses, from access management to supplier dependencies, is vital.”
Guy Williams, Exposure SME at Ebix Europe, said: “For exposure managers, one of the biggest gaps is lack of visibility. Businesses often can’t provide meaningful supply chain data, yet expect cover. That opacity makes exposure management harder for insurers, and crisis response harder for organisations — increasing the risk for everyone involved.”
