AI threats and cyber insurance

The cybersecurity insurance market has evolved from a niche offering in the late 1990s to a multi-billion dollar industry today. This growth mirrors the increasing reliance of businesses on digital systems and the concurrent rise in cyber threats.

Key factors driving the market include the escalating frequency and severity of cyberattacks, growing awareness of cyber risks among businesses, and the financial impact of data breaches and business interruptions. Regulatory requirements and data protection laws have also played a significant role in pushing companies to seek cyber insurance coverage. Separately, cyber attacks now frequently affect small and medium sized businesses; demand for coverage has spread to other segments of the market.

Rising Premiums and Aggregation Risk

The market today faces several challenges. Premiums are rising due to higher claim frequencies and costs. In response, insurers are tightening underwriting standards and demanding better cybersecurity practices from policyholders. Some are even reducing coverage limits or exiting the market due to concerns about aggregation risk. Perhaps the most famous of all insurers – Berkshire Hathaway – is sitting out entirely. Ajit Jain, the firm’s head of insurance operations, said that loss costs have kept the company away from the risk. “The mindset should be you’re not making money.”

As insurers have raised underwriting standards and premiums, businesses have adjusted by adopting a more proactive orientation towards risk. And, apart from these secular changes, emerging AI threats are driving demand for innovation in the category. New technologies like deepfakes and other synthetic media are magnifying the risks associated with traditional security threats like phishing and social engineering.

Insuring AI Risk

Cyber insurers are adapting their approaches to address AI-related risks, recognizing the potential for these technologies to amplify existing threats and create new vulnerabilities. One way they are doing this is by requiring that policyholders have multifactor authentication systems in place. Some  cyber insurance policies now go so far as to cover losses from deepfake-related incidents. Coalition, a leading cyber insurer, added an “affirmative AI” endorsement to its cyber policies. The new endorsement expands the definition of a security failure or data breach to include an AI security event, where artificial intelligence technology caused a failure of computer systems’ security. The new Affirmative AI Endorsement language also expands the trigger for a funds transfer fraud (FTF) event to include fraudulent instruction transmitted through the use of deepfakes or any other artificial intelligence technology.

Security Training and AI Threats

Many insurers are also stepping up their training and security protocol requirements. The relationship between cyber insurance premiums and security training products is becoming increasingly intertwined. Insurers recognize that human error remains a significant factor in many cyber incidents, and well-trained employees can substantially reduce an organization's risk profile.

Many insurers now offer premium discounts for organizations that implement comprehensive security awareness training programs. Some are going a step further by directly providing or partnering with security training platforms as part of their insurance packages. This approach allows insurers to have more control over the quality and consistency of training, potentially reducing their own risk exposure. Data from these training platforms, such as employee completion rates and performance on simulated phishing tests, is increasingly being used in the underwriting process. Organizations that can demonstrate high levels of security awareness among their staff may qualify for lower premiums or higher coverage limits.

As the front line of defense against cyber threats, employees play a crucial role in an organization's security posture. With the rise of sophisticated AI-powered attacks, such as deepfake voice scams and advanced phishing techniques, the human element has become both the greatest vulnerability and the strongest potential safeguard. 

Comprehensive, up-to-date training programs not only equip employees with the skills to recognize and respond to evolving threats but also demonstrate to insurers a commitment to proactive risk management. This can directly impact an organization's insurability and premium rates in the increasingly stringent cybersecurity insurance market. 

Well-trained employees can significantly reduce the likelihood of successful attacks, potentially saving their employers millions in breach-related costs and reputational damage. In essence, investing in employee cybersecurity training is not just a security measure – it's a strategic business decision that can yield substantial returns in both enhanced protection and financial savings.

The integration of security training into cyber insurance offerings reflects a broader shift in the industry towards proactive risk management. Insurers are recognizing that by investing in their clients' security posture through training and other preventative measures, they can reduce the likelihood and impact of cyber incidents, benefiting both the insured organizations and their own bottom lines.

This trend is likely to continue as AI-related risks evolve and the importance of human factors in cybersecurity becomes increasingly apparent. Organizations seeking cyber insurance coverage may find that their commitment to ongoing security training becomes a key factor in their insurability and premium rates.

Adaptive Advantage

In the context of the evolving cybersecurity insurance market, products like Adaptive Security's SAT tool represent a critical link between insurers' risk assessment needs and organizations' security postures. Insurers are increasingly focusing on proactive risk management and data-driven underwriting. Security awareness training tools that offer personalized, up-to-date learning experiences directly address these trends. Such tools can provide insurers with valuable data on employee security awareness levels, completion rates, and performance in simulated threat scenarios. This information can be instrumental in the underwriting process, potentially leading to more accurate risk assessments and tailored insurance premiums.

AI-related risks like deepfakes and advanced social engineering attacks are becoming more prevalent. Training tools that specifically address these emerging threats align with insurers' need to mitigate new and evolving risks. By educating employees on both the risks and productive uses of AI, organizations can demonstrate a forward-thinking approach to cybersecurity, which may be viewed favorably by insurers.

The integration of advanced security awareness training into an organization's overall security strategy could become a key factor in determining insurability and premium rates. As the cybersecurity insurance market continues to adapt to the changing threat landscape, tools like Adaptive that offer comprehensive training may play an increasingly important role in bridging the gap between an organization's security practices and its insurance coverage. Adaptive’s coverage of emerging areas like deepfakes and data secure use of AI tools will help your organization harden its security posture even in the face of uncertain, rapidly developing risks.

The message is clear: in today's high-stakes digital environment, a proactive approach to security awareness is not just a best practice – it's a business imperative with direct financial implications.