Focused Insights: At The Crossroads: The Intersection of Cyber Insurance, Cyber Security, Cybercrime and AI Vol II, Issue 8
The Rapid Rise in Demand for Cyber Insurance
Cyber threats are the top business risk globally for 2024, even ahead of economic slowdowns and supply chain issues.2 As businesses become increasingly dependent on technology, including remote work environments and use of cloud-based services, there’s no question that cyberattacks on global businesses and organizations will continue to increase. In addition, these attacks are becoming more sophisticated – and expensive. The average ransom demand by cyber criminals in the first half of 2023 was $1.62 million. This is a 47% increase over the previous six months and a 74% increase over the past year.3
All of this has led to a rising demand for cyber insurance – despite the rising costs for policies, more stringent terms by insurers, and more scrutiny from underwriters. Companies of all sizes, across all industries, are looking for coverage to help pay for financial and physical damages caused by cyber criminals, as well as ransom demands.
Direct premiums written (DPW) in the cyber insurance market have tripled over the past three years with analysts projecting global cyber premiums to reach $23 billion by 2025.4
Cyber Premiums Start to Moderate in Q2 2023
Cyber insurance has seen dramatic rate increases over the past few years. Premium rate increases for U.S. cyber policies peaked in Q4 2021 with a 130% year-over-year (YoY) increase. Rates since then have continued to rise, but at a slower pace, with a quarterly YoY rate increase of 11% in Q1 2023. However, in Q2 2023 rates dropped by 4% – the lowest YoY premium change since Q2 2017.5
Rising premiums through 2021 and 2022 are attributed to the rise in demand for policies along with an increase in risk and loss ratios, forcing underwriters to increase policy prices and requirements. Shortages in supply for coverage also contribute to rising costs.
However, as insurers have demanded that clients do more to protect themselves against attacks (i.e., better cybersecurity partners, better employee education), and with more brokers entering the space – increasing coverage options and adding to the competition – rates are starting to moderate.
Cybercrime on the Rise
Cyberattacks over the past few years have dominated headlines, with no sign of slowing down. Recent attacks include high-profile data breaches on such companies like T-Mobile and AT&T where customer data was compromised and presumably sold on the dark web.6 Ransomware attacks in 2023 are on track to be the most on record with organizations such as the UK’s postal service (Royal Mail), the U.S. Marshals Service, and the City of Dallas – all being forced to either pay ransoms, pay for services to help mitigate damages, or risk data leaks and further financial damage.7
However, measuring the economic impact of cybercrime is a complex and often disputed topic.
Many organizations do not want to voluntarily reveal data or security breaches to their clients or investors. (However, new SEC cybersecurity rules are making it more difficult to withhold this information.8) Other times, the economic cost of a cyberattack is subjective or unknown for years and may not have an immediate financial impact or may only have a reputational or personal impact.
Even so, global cybercrime costs are estimated to top $8 trillion in 2023 and predicted to increase by $1 trillion or more each year.9 Those costs include the financial impact of damaged or destroyed data and/or intellectual property, theft of actual money, data recovery ransom costs, and human resource costs to investigate, restore or rebuild lost assets or reputational damage.
The Benefits That AI Offers the Cyber Insurance Industry
The combination of rising cybercrime and the rising costs due to cybercrime is driving up demand for cyber insurance. So – where does the cyber insurance industry turn to stay ahead of the curve?
AI in insurance is not new and is being used across most insurance categories in customer service (including AI chatbots), claims processing, risk assessment and underwriting. But as AI technologies continue to advance, they have significantly transformed how cyber insurance works. Here are just a few of the benefits of AI in the cyber insurance industry:
- Risk assessment and underwriting: Machine learning models can analyze large amounts of data to identify potential vulnerabilities in an organization’s IT infrastructure, including recognition of things like weak passwords or high-risk practices. Insurers can use these models to determine the probability and impact of a cyberattack. Underwriters spend 40% of their time on unessential tasks, meaning AI may offer an efficiency gain of $85-$160 billion over the next five years.10
- Pricing and premium determination: AI-driven predictive analytics can examine the size and type of business, current cyber security practices, past incidents, and more. By factoring in an organization’s risk profile, AI helps insurers price policies.
- Fraud detection: AI-based fraud detection systems and algorithms drive better identification of fraudulent claims by detecting anomalies in data and unusual or inconsistent claims patterns.
- Claims processing: Automating the claims processing workflow helps policyholders in reporting cyber insurance claims more efficiently. Machine learning models assess the validity and extent of a cyber incident, making the claims process more objective and faster.
- Loss prevention and mitigation: AI-powered cybersecurity tools can help insured parties proactively mitigate potential losses. These tools reduce the likelihood of a cyber incident and offer corrective actions, thus enhancing overall cybersecurity strategies.
- Product development: Insurers can analyze customer data to find trends and patterns in customer cyber needs and inform them of new products and services that are a better fit.
The Challenges That AI Poses to the Cyber Insurance Industry
While AI offers advanced tactics in defending and insuring against cyber threats, there are also some concerns about its use by providers, and its existence in general. Here are some of the current concerns around AI in the cyber insurance industry:
Data bias: AI-generated output is only as good as the data it has access to. If historical data contains underwriting decisions or pricing practices based on human bias, AI can deliver inaccurate risk assessments, inaccurate (or unfair) policy pricing, and unfair claims processing.
According to DataRobot, an AI platform provider, 36% of organizations surveyed said they suffered from biased data in one or several of their algorithms. Respondents indicated that the business impact of biased data included lost revenue, lost customers, lost employees, incurred legal fees due to lawsuits and lost customer trust.
Lack of historical data: Compared to traditional insurance lines, the cyber insurance industry is still in its infancy, with limited historical data for AI models to learn from. This can affect the accuracy of risk assessment and underwriting, potentially leading to mispriced policies.
Data privacy, security and compliance: Critics of insurance-used AI systems (especially as it relates to the use of AI systems developed by third parties to access large amounts of sensitive customer data) have raised concerns about privacy, security and regulatory compliance.
At the National Association of Insurance Commissioners (NAIC) meeting, held in August 2023, the benefits of AI integration, and regulatory oversight, were major topics for the organization’s Innovation Cybersecurity and Technology Committee. The committee revealed an interpretive bulletin entitled “Use of Algorithms, Predictive Models, and Artificial Intelligence Systems by Insurers” by which the committee expressed its view that the adoption of AI technology adheres to regulatory standards for underwriting, rating and unfair trade practices, among other practices.11
Ambiguity and transparency: The complexity of AI algorithms and their outputs can make them difficult to understand and interpret. This lack of transparency raises difficult questions regarding how policies are priced, why claims are denied, or what’s excluded vs. what’s covered.
Cybercrime risks to insurers and policyholders: By adding AI to the cyber insurance process for assessing risks and pricing policies, insurers add another vulnerability to their own cybersecurity systems. Cybercriminals can target AI systems to manipulate underwriting processes or gain access to sensitive data, putting insurers and policyholders at risk.
AI’s Contribution to Cybercrime
AI has given cyber criminals the ability to automate various criminal activities. AI tools such as ChatGPT can help generate highly convincing phishing emails or automated social media content to distribute fake news and disinformation. AI-generated deepfake audio and video is being used in socially engineered attacks, making it appear as if a trusted individual is requesting sensitive information or access. AI is also used to generate polymorphic malware that continually changes its code and characteristics, making it harder to detect by traditional antivirus and intrusion detection systems.
This rise in AI-enhanced cybercrime underscores the need for robust cybersecurity measures, continuous monitoring, user education, and ethical use.
Opportunities For Brokers in the Cyber Insurance Industry
As cybercrime and the associated financial and reputational risks rise, so will the demand for cyber insurance. And despite the recent slowdown of rising premiums – insurers, brokers and policyholders can expect future fluctuations in rates as new cyberthreats enter the market.
For independent brokers, other challenges are coming in the form of embedded insurance products from non-traditional insurance competitors. Just like car manufacturers offering auto policies (i.e., Tesla Insurance), or mortgage lenders offering homeowner’s policies – cybersecurity firms are now embedding insurance products into their platforms or partnering with insurers to create an integrated experience.
However, there are still plenty of opportunities for brokers to take advantage of this high-growth specialty segment and prove their value to clients. This may include:
- Building knowledge of cyber risks and what’s insurable vs. what’s excluded.
- Adding cyber risk modeling and data-based insights to help clients understand risks and coverage options.
- Investing in AI and other machine-based learning to further drive efficiencies and accuracy.
- Identifying possible clients who lack the necessary coverage to protect their business from cyberattacks. Some industries are slower in adopting cyber insurance and are more exposed to potential damage from a cyberattack.
- Specializing in industries with specific cybersecurity regulations (like healthcare or finance) and offering specialized expertise or products that align with regulatory mandates.
- Improving consultant skills, providing insights into the latest cyber risks and trends to help clients make informed decisions about their coverage.
This is a pivotal moment in the world of cyber (cybercrime, cybersecurity, and cyber insurance). While cyber insurance can be costly and complex, organizations cannot simply ignore the risks and must be vigilant. It’s imperative that insurers and insureds show a united front by blending robust insurance practices with employee education and upgraded cyber security resources. Business’s vulnerabilities may be greater than ever, and the costs could be higher than ever.
As the cyber industry grows and the risks become more complex, those insurance brokers with the most knowledge and experience will play a vital role in connecting businesses with solutions.
Sources:
2 https://grms.aon.com/2021-global-risk-management-survey/top-10-risks
3 https://finance.yahoo.com/news/cyber-insurance-claims-frequency-severity-170000207.html
5 https://www.wsj.com/articles/quarterly-cyber-insurance-update-august-2023-25bdb48d
6 https://insights.integrity360.com/the-biggest-cyber-attacks-of-2023-so-far-part-1
7 https://www.blackfog.com/most-impactful-ransomware-attacks-of-2023/
8 https://www.thomsonreuters.com/en-us/posts/government/sec-cybersecurity-rules/
9 https://cybersecurityventures.com/cybercrime-to-cost-the-world-8-trillion-annually-in-2023/
10 https://www.accenture.com/us-en/insightsnew/insurance/ai-transforming-claims-underwriting