Navigating the complexities of the cyber insurance market requires walking the tightrope of balancing historical risk data with projections about how the sector with evolve. The proliferation of new technologies – particularly genAI – has further destabilized this balancing act, as discussed by a panel of cyber specialists in a recent Insurtech Insights webinar.
Sharing some of the dangers he’s seeing when it comes to deep-fake technology and AI-generated social engineering attacks, Connor Brennan, VP at Arch, noted that traditionally these attacks were largely targeted at the “low-hanging fruit” of social engineering. However, this has evolved into more sophisticated phishing schemes where admin credentials are being obtained and ransomware deployed to exfiltrate data.
“AI is evolving very rapidly and it has gotten extremely hard to tell what’s real and not real,” he said. In that context, it’s critical for firms to have the right checks and balances in place, so they can actively verify who is making contact. However, that is becoming increasingly difficult in today’s operating environment given the advancements of technology.
Reflecting on whether the advancement of AI means that there should be standalone AI coverages, Jeff Kulikowski, EVP of cyber & professional liability at Westfield Specialty, highlighted that if it’s part of a company’s service model, it should be covered. “There are two aspects to a lot of these policies, because a lot of the forms are blended with an E&O component. Across most forms and most carriers, there is that embedded coverage, if it's part of a service model, and very few carriers are excluding AI.”
As to whether AI needs to be a standalone product, he said it’s not yet clear whether that’s required, given that it’s hard to see how it could be excluded if it’s embedded in your service model and technology infrastructure. The market is always on the lookout for new products, but there is a question mark over whether this is needed right now. “But that also depends on a lot of the pending regulation that's out there right now.”
In the context of this evolving discussion, there’s a question mark over which industry sectors are likely to be most at risk from the technological advancements of threat actors. In discussions about cyber risk, finance and healthcare tend to stand out as two sectors particularly vulnerable but Brennan added that professional services firms are also a key consideration.
“I think, historically, that’s been one where we didn’t think there was as much exposure,” he said. “[But], they’re handling lots of data, which is always going be an exposure. And we’ve definitely seen an uptick in ransomware claims in the professional services space, and I would throw in manufacturing and distribution networks as well.”
It’s not a new area of concern, Kulikowski said, but the public entities space continues to be in a very difficult spot. That’s because it's difficult to insure, in that the dynamics of a public entity are always evolving - there's constantly shifting management or elected officials coming in, so it's hard to have a consistent philosophy in terms of how they control their risk, and how they manage their security platforms and their balance sheets.
“Then the coverage is much more expensive for them because of that control atmosphere,” he said. “So it’s not a new risk frontier but I feel like it’s a problem that the industry, and frankly both brokers and carriers, have still not really addressed. But it's probably the sector most in need of a consistent offering there because there are so many different issues that prevent us from doing so.”
Steven Schwartz, chief insurance officer at SAFE, underscored the challenges facing the manufacturing industry, and companies with industrial operational technology. He believes that there’s a lot of opportunity for the insurance industry to provide some more meaningful cover, and to start capturing the data required to fully understand these risks.
“When I think of just a unique opportunity… when you think of these large wrap-up CSIP, OSIP contractor programs for large construction projects, and you've got 10/15,000 subcontractors that are working with said contractors on various projects throughout the year, none of them have cyber insurance today,” he said. “[So, finding] the right sort of program opportunities with the right partners in those pockets is a great opportunity for the market.”
