How Technology Advances Are Increasing Overall Cyber Risk (and How Insurance Is Responding)

It's a brave new world out there. Why? Rapid technological advances like generative artificial intelligence (AI) and cloud technology, for starters. Here's a deeper look at how these advances increase cyber risk.

Generative AI

Generative AI can create realistic text, images and even code. But this innovation brings several challenges:

• Enhanced phishing attacks. Generative AI can produce highly convincing phishing emails and messages, making it harder for individuals to distinguish between legitimate and malicious communications. These sophisticated attacks can deceive users into divulging sensitive information or clicking harmful links.
• Automated exploitation. AI can automate and scale the discovery of vulnerabilities in systems. Attackers can use AI to write malicious code or scripts that exploit these vulnerabilities more efficiently and on a larger scale.
• Deepfakes. Generative AI can create convincing deepfakes, which are manipulated videos or audio recordings that can be used for fraud, blackmail or misinformation campaigns. Deepfakes can erode trust and lead to security breaches.
• Advanced threat modelling. While AI can enhance threat detection and response, it can also be used by attackers to model potential security weaknesses in sophisticated ways that are difficult for traditional methods to counter.

Cloud Technology

Cloud technology has transformed how organizations store and manage data, but it also introduces new risks:

• Increased attack surface. Cloud environments often involve numerous interconnected services and applications, expanding the attack surface. Each connection or service can be a potential entry point for cybercriminals.
• Data sovereignty and compliance. Storing data across various cloud providers and regions can create compliance and regulatory challenges. Ensuring that data is handled according to legal requirements adds complexity to managing cyber risk.
• Shared responsibility model. In cloud environments, security responsibilities are divided between the cloud provider and the customer. Misunderstandings or gaps in this model can lead to vulnerabilities. For instance, while the provider secures the infrastructure, the customer must secure their data and applications.
• Misconfiguration. Cloud resources are often subject to configuration errors or mismanagement. For example, publicly accessible cloud storage buckets due to misconfigurations can lead to data breaches.

General Technological Trends

In addition to generative AI and cloud technology, some general tech trends are upping cyber risk as well:

• Increased connectivity. The proliferation of Internet of Things (IoT) devices and other connected technologies expands the potential vectors for cyberattacks. Each connected device represents a potential entry point for attackers.
• Complexity and interdependence. As systems become more complex and interconnected, vulnerabilities in one system can have cascading effects across multiple platforms. This complexity can make it challenging to implement comprehensive security measures and respond to incidents effectively.
• Rapid technological change. The pace at which technology evolves means that security measures often lag behind new innovations. Organizations might struggle to keep up with securing new technologies and addressing emerging threats.

How These Risks Affect Cyber Insurance

Rapid advancements in technology have had a significant impact on the Cyber insurance industry. Here's how these developments have influenced the market.

Increased Demand for Coverage

As organizations become more aware of the increased risks associated with new technologies, demand is growing for Cyber insurance to protect against potential breaches and losses. The complexity advanced technologies introduce often leads organizations to seek comprehensive coverage that can address a wide range of emerging threats.

Higher Premiums and Costs

The introduction of generative AI and widespread cloud adoption has continued to expand the attack surface, leading to higher potential losses from cyber incidents. While robust carrier capacity has delayed rate increases, the trend of higher frequency and severity for cyber incidents related to new technologies has many watching rates expectantly as we enter 2025.

Evolving Coverage Requirements

Insurers are now offering more tailored policies to address specific risks associated with new technologies, including coverage for AI-related incidents, cloud security breaches and data loss due to misconfigurations. Additionally, the need for detailed risk assessments has grown. Insurers are increasingly focusing on understanding an organization's use of generative AI, cloud services and other advanced technologies to better evaluate risk and set appropriate premiums.

Underwriting Challenges

The rapid pace of technological change makes it challenging for insurers to accurately assess and price cyber risk. Limited historical data on incidents involving new technologies adds to the uncertainty. As threats evolve quickly, insurers must continuously update their risk models and underwriting practices. This dynamic nature can lead to volatility in pricing and coverage terms.

Increased Emphasis on Cyber Hygiene

Insurers are placing greater emphasis on organizations' cybersecurity practices and controls. Companies that demonstrate robust security measures and proactive risk management may benefit from lower premiums and better coverage terms. Some insurers require thorough cybersecurity assessments and regular updates to qualify for coverage. Cyber hygiene helps mitigate risks and ensure that policies are aligned with the latest threats and technology.

Market Adjustments and Innovations

The Cyber insurance market is evolving to include products specifically designed for new technology risks, such as AI-driven threat scenarios and cloud service outages. In tandem, insurers are collaborating with cybersecurity firms to provide integrated risk management solutions and enhance their understanding of emerging threats. This collaboration helps in creating more effective and relevant insurance products.

Regulatory and Compliance Pressures

Insurers must navigate a complex landscape of evolving regulations related to data protection and cybersecurity. Compliance with these regulations influences policy terms and coverage. There's a push towards standardizing Cyber insurance practices and coverage terms to address the diverse risks associated with new technologies and ensure clearer expectations for policyholders.

Business Interruption Coverage Considerations

In the past five years, we've seen cyber criminals shift from targeting companies with large amounts of sensitive data to companies of all sizes, with the aim of gaining access to their network infrastructure and disrupting overall operations. This strategy has led to huge payoffs in the form of extortion payments, with average payments rising. Beyond the initial extortion phase of the claim, many companies experience a secondary claim cost related to business interruption and extra expenses, which typically comes into play after a waiting period of eight to 12 hours.

Depending on the extent of the attack, it's common for companies to experience disruptions and delays lasting days or weeks before they're finally back to pre-claim operating levels. With the increase in outsourced service providers, more companies are relying on third-party networks for their mission-critical operations. This reliance has increased the need for Cyber policies to address not only direct business interruption events stemming from a cyber attack, but also contingent/dependent business interruption events from system failure when a third party that provides services or products to the insured goes down.

As we saw in a major incident this past summer, a single automated software update glitch brought much of the global economy to a sudden halt. This event underscores the need for brokers and insureds to thoroughly review business interruption language and, where necessary, negotiate for broader language to ensure their Cyber policy provides the necessary triggers and critical coverage grants to avoid out-of-pocket expenses for insureds after an uncovered or underinsured claim.

While generative AI, cloud technology and other advances offer significant benefits and efficiencies, they've also introduced new and evolving cyber risks and driven significant changes in the Cyber insurance landscape. The rapid advancement of these technologies necessitates continuous adaptation in cybersecurity practices and strategies to mitigate risks effectively; at the same time, insurers are adjusting their offerings, pricing models and risk assessment practices to keep pace with the evolving threat environment and meet the growing demand for comprehensive Cyber coverage.