WHAT IS CYBER INSURANCE?
Cyber insurance, also known as cyber liability insurance or cybersecurity insurance, offers coverage for financial losses incurred by companies due to ransomware attacks, data breaches, and other cyber incidents. Much like how car insurance covers vehicle damage and bodily injuries in accidents, cyber insurance policies provide compensation for compromised computer systems, revenue losses, legal fees, and other expenses stemming from cyberattacks. With security breaches becoming increasingly frequent and expensive, businesses must mitigate their financial risks. IBM’s Cost of a Data Breach Report 2023 indicates that 83% of organisations have experienced multiple data breaches, with the average breach costing USD 4.35 million. Cyber insurance serves as a vital component of modern risk management strategies, helping to alleviate the financial burdens associated with such breaches. Reinsurance expert Torsten Jeworrek says:
“Cyber insurance is fundamental for the successful digitalisation of the economy.”
WHO NEEDS CYBER INSURANCE?
Every company that stores customer information or relies on technology, essentially the majority of businesses, is exposed to cyber risks. While security teams can take measures to mitigate these threats, they cannot entirely prevent them. According to the Travelers Risk Index, 57% of business leaders believe that cyberattacks are unavoidable. Traditional business insurance offerings, such as general liability coverage and errors and omissions policies, typically do not protect against losses resulting from cyber events. This leaves companies susceptible to bearing the full cost of ransomware attacks, business email compromise scams, and other cybercrimes. The financial repercussions of such attacks can be substantial. For instance, the average ransomware attack costs USD 4.54 million, excluding ransom payments. To address this coverage gap, cyber insurance policies have emerged. By covering expenses like ransom payments and malware remediation, these policies enable companies to mitigate their losses, expedite their recovery process, and enhance their overall cyber resilience. In his latest international bestseller, You Don’t Need a £1 Million Cybersecurity Budget, Zhero CEO Izak Oosthuizen asked Roger Oldham, a London insurance guru, why SMEs need cyber insurance:
“I think mostly because of the support system that comes along with cyber insurance, the extent to which will depend on the policy coverage you’ve purchased. When you invest in a cyber insurance policy, you are getting more than just a risk transfer mechanism. It’s more than just ringing up a number and trying to get some kind of compensation or indemnity for the loss that you’ve suffered. When you have a cyber incident, you’ll naturally want assistance as soon as possible.”
THE IMPACT OF AI ON CYBER THREAT
The NCSC Assessment summarises the near-term impact of AI on the cyber threat landscape as follows:
- AI will boost both the volume and impact of cyber attacks in the UK in the next two years.
- The main threat until 2025 will arise from the advancement of existing tactics, techniques, and procedures (TTPs).
- AI adoption spans all types of cyber threat actors, albeit to varying extents.
- AI enhances surveillance and social engineering effectiveness and efficiency.
- More sophisticated AI-driven cyber operations will be limited to actors with access to quality training data, expertise, and resources, likely not before 2025.
- AI will intensify cyber attacks against the UK by facilitating rapid data analysis and AI model refinement.
- AI reduces barriers for novice cybercriminals, hackers-for-hire, and hacktivists, increasing access and effectiveness.
- By 2025 and beyond, the commodification of AI-enabled capabilities will democratise cyber capabilities for both criminal and state actors.
THE IMPACT OF AI ON CYBER INSURANCE
Cyber insurance companies and their policyholders are facing the need to anticipate the transformative impact of AI on cybersecurity and insurance coverage. How will cyber insurance be reshaped by the explosion of AI technology? Artificial intelligence can be a double-edged sword. While it holds promise for reinforcing defence mechanisms, it also poses challenges as threat actors leverage its capabilities for more sophisticated and effective attacks. This dual nature of AI presents a complex scenario, wherein organisations must navigate the potential benefits and risks. With threat actors advancing their AI capabilities, organisations are compelled to enhance their defences accordingly, potentially requiring the adoption of AI-based defensive tools capable of matching the speed of evolving threats. Moreover, the role of AI in threat detection and prevention becomes increasingly critical as cyber risks evolve. Sharmeen Rehman, a cyber insurance evangelist, says:
“To identify possible cyberattacks, AI-based systems may continuously analyze network traffic, user activity, and system logs. These systems can proactively identify and mitigate risks by studying patterns and abnormalities, assisting policyholders in preventing or minimizing cyber disasters.”
AI AND CYBER INSURANCE PREMIUMS
Changes in the risk landscape and underwriting processes raise questions about the future of cyber insurance premiums. The surge in cyber insurance premiums over recent years, as highlighted by a report from insurance broker Howden Broking showing annual rates increasing by over 100% in the first half of last year, has been a notable trend. However, premiums have stabilised or even slightly declined in recent months. Despite this, the persistent growth in cyber risk and demand for coverage remains a significant factor. The integration of AI into underwriting processes holds the potential for more precise risk assessment, which could ultimately lead to reduced costs for policyholders. Yet, achieving lower premiums will require policyholders to demonstrate robust cybersecurity capabilities, likely involving the adoption of AI in their defence strategies. Failure to effectively defend against AI-driven threats may result in higher premiums, highlighting the crucial role of cybersecurity preparedness in shaping the future cost of cyber insurance. Danny Allan, the CTO of Veeam, tells us:
“Insurance companies will use AI to determine the cyber resilience of their customers across different factors including deployed network security, data security capabilities, policy settings and training and education, which can, in turn, be reflected in a quoted premium.”
AI AND CYBER INSURANCE CLAIMS
AI automation has the potential to streamline the claims filing, evaluation, and settlement processes within the insurance industry. Machine learning algorithms can analyse claims data, identify anomalies, and flag potential fraudulent activities, thereby enhancing efficiency, reducing costs, and expediting the fulfilment of policyholders’ needs. AI also enables insurance companies to gain deeper insights into the correlation between risk controls and losses by examining claims data. Theoretically, this could lead to improved claims management and a reduction in the loss ratio, provided that the insights derived from AI analysis can be effectively communicated to clients. Claims linked to the malicious use of AI are also likely to increase, as expressed by cyber risk specialist Paul Bantick:
“We have already begun to see claims notifications as a result of deepfakes used in social engineering attacks where AI has been used to replicate the voices of C-suite members on audio calls and in images and video.”
GET COMPLIANT AND STAY COMPLIANT
This is me, Izak. I have over 25 years of experience in IT support and specialise in cybersecurity and compliance. Being an IT thought leader and a respected London entrepreneur, I understand full well the importance of data protection and privacy for a business to survive. Cyber insurance helps to protect you against some of the shortcomings of AI, but not everything. If you are currently developing or deploying AI or if it is on the cards, please reach out to me. Together we can ensure that you get compliant, stay compliant, and always be on the right side of the EU AI Act and the GDPR. Together we can avoid any risk from the use of AI along with those enormous penalties for non-compliance. I bet your cyber insurance premiums will also be much less.