This article is by Visesh Gosrani, Director, CAT modelling, Cowbell, and it looks at the cyber risk landscape in general, the value of data analytics, security, automated systems and more.
Cybersecurity is a hot topic right now.
From remote working and the increase in cloud services to the Internet of Things and data privacy demands, organisations are spinning many different cybersecurity plates – yet they are finding it increasingly difficult to secure the services of qualified professionals to do so. Skills shortages in cybersecurity are a pressing issue. According to the (ISC)2 Cybersecurity Workforce Study, there was a security workforce gap of 3.4 million globally at the end of 2022, while the UK reported an estimated shortfall of 11,200 people to meet the demand of the cyber workforce this year.
With such a stark shortage of professionals, organisations are seeking innovative, alternative means of protecting their assets and managing their risks, with cyber insurance often landing near the top of the priority list when seeking external support. The demand for cyber insurance is undoubtedly there. The global cyber insurance market tripled in volume in the last five years, expanding to gross direct premiums of around $13 billion in 2022, according to the Swiss Re Institute.
However, putting together comprehensive policies hasn’t been without its challenges.
Quantifying cyber risk is notoriously difficult. When pricing risks such as burglary, the entry points to a building are easily identifiable, allowing for ease of evaluation of defensive measures. In the case of cybersecurity, it’s not so easy; it’s a landscape where threats, risks and potential entry points are evolving and changing all the time.
The significance of AI in a dynamic cyber risk environment
Fortunately, market unpredictability is being confronted head-on by increasingly effective cyber insurance mechanisms.
The landscape of risk assessment and pricing in the insurance industry has been undergoing a transformative shift, in large part thanks to advancements in artificial intelligence (AI) and automation. Today, AI-powered tools can be used to layer multiple data streams to pinpoint risk factors effectively, providing a more comprehensive understanding of potential threats.
In a cybersecurity context, this is significant. The power of AI lies in its ability to source and analyse a much greater volume of data than could be done previously to further improve the understanding of the likelihood of a risk and the potential severity. Machine learning techniques enable the analysis of many sources of data to understand what is important and the signal it provides about the risk. And analyses can be rerun frequently in case changes in the risk environment alter the significance of a particular data source.
This matters more for cyber insurance due to the dynamic nature of the risk environment and our evolving understanding of cyber risk. Spotting changes in trends before others do so enables the movement of risks to be identified – be it for worse or better – which can then inform more accurate pricing.
Intelligently connecting and analysing policyholder exposure data
Owing to its ability to layer multiple data streams, AI has become key in connecting and analysing key facets of policyholder exposure data to paint a more comprehensive risk picture.
Cyber insurance costs are determined from a business’ likelihood of suffering a cyber incident, with insurance underwriters relying on data analysis and risk assessment models leveraging a combination of qualitative and quantitative risk factors to calculate the likelihood and costs of claims, and thus, cyber insurance premiums. Here, there are several key metrics to consider, from a company’s size, industry and revenue to the particular security measures and data management practices that a business uses.
In conducting this analysis, insurers can enhance their understanding of a policyholder’s risk profile by incorporating legacy data whenever feasible. In this context, the utilisation of AI plays a pivotal role, contributing to the development of a more comprehensive picture of trends.
In a cybersecurity context, this is significant. The power of AI lies in its ability to source and analyse a much greater volume of data than could be done previously to further improve the understanding of the likelihood of a risk and the potential severity.
It can also be used to assess the IT estate of an insured and the risk posture of the estate on a continuous basis where a short-term change in risk could be impactful. One example of this is the practice of opening RDP ports and then forgetting to close them, which can leave an organisation vulnerable to many different types of attacks.
It’s also important for insurers to be able to connect key data points such as past claims, policyholders, addresses, and IP addresses. Consider third-party liability, for example. Some historic claims have affected large numbers of companies that may only have been collateral damage. This may result in 3rd party liability claims for data breach and business interruption amongst others. These claims will vary significantly for factors such as the type of business, the jurisdiction and the awareness of what can be claimed.
With supply chain attacks such as these becoming increasingly prevalent, companies that have a large supply chain network often find that their exposure to cyber risks extends far beyond their own infrastructure.
It is therefore critical that organisations can evaluate the risks associated with vendors and software – something that AI is facilitating.
Vendors of software and third-party services can change significantly depending on geographical location. Therefore, by tracking geo-location data, which acts as a proxy for the software and third-party dependencies, insurers can evaluate which third-party providers are associated with more attacks and adjust premiums accordingly.
Outlining the challenges of implementation
Of course, these examples merely scratch the surface of the potential of AI in cyber insurance. However, despite the benefits, businesses will still need to overcome several challenges to implement AI and automation for risk assessment.
Not only is the talent to develop AI applications limited, but end users also vary in their ability to understand the limitations of AI and, therefore, how to use the outputs effectively at present.
Despite significant recent progress, AI techniques remain in their relative infancy and thus need care. AI models can make errors due to misinterpretation, partially due to a lack of “common sense”. Therefore, any real-time changes need to work within limited parameters, and guardrails should be put in place to ensure that any significant changes at a point in time or, cumulative changes over a longer period, are flagged for human review.
Training is essential to ensure that AI is used appropriately in the organisation, with limits being placed on hand-offs to humans for more complex interactions. Executives will also need to be upskilled to ensure that data privacy safeguards are not being breached.
This brings us to the ethical risks.
While the additional data that can be used in assessing risk will decrease premiums for some, it will make others uninsurable. However, it should be noted that AI techniques can be used to assist persons and organisations in improving their risk with tailored guidance. This happens today for large risks with specialist risk engineering teams, and AI techniques could provide that same specialist input and support en masse.
In this sense, should sufficient “uninsurables” engage with AI tools to make themselves insurable, this could create greater insurance engagement, reduce premium levels and increase insurance penetration. With these various considerations in mind, some companies will be naturally less inclined to take risks with new technologies, while others may wish to be at the forefront, realising competitive advantages as early adopters.
Companies therefore need to consider their appetite for the risk posed by changing their processes. However, those that embrace AI in the right manner will undoubtedly see benefits, layering multiple data streams effectively to pinpoint cyber risk factors. The key at present is to use mechanisms that sit between the AI techniques and the actual pricing and underwriting of polices. These will act in a supportive manner for underwriters, highlighting important insights and trends that can, in turn, be used to accurately price risks.
Solutions such as these are arguably the future of cyber insurance. Moving forward, the benefits of AI and automation in risk assessment and pricing will only continue to become clearer.
Be the first to comment