Insuring against the threats of artificial intelligence

"If it can happen to them, it can happen to anybody"


As artificial intelligence technologies evolve, businesses of all shapes and sizes face increasingly sophisticated cyber threats “at scale”. Insurance experts warn it’s “a numbers game” and that cyber insurance, alone, is unlikely to be enough.

A recent report by S&P Global Ratings cautioned that AI is intensifying the sophistication and scale of cyber threats. Researchers warn that the widespread use of AI technologies by businesses will fuel the frequency and severity of cyberattacks, with AI accelerating the automation of hacking and Ransomware-as-a-Service (RaaS). S&P also examined the implications of the 2024 CrowdStrike outage, which exposed the vulnerabilities in software chains and affected millions of systems globally.

Cyber insurance experts are calling for proactive responses to the rising risks, encouraging business owners to take a deep dive into the nuances of cyber security strategies and coverage. 

Caroline de Vries, senior risk consultant at CMB Insurance Brokers, Tiago Henriques (pictured), head of research at Coalition, and Danish Yusuf, founder and CEO of Zensurance, shared some tips with Insurance Business Canada on how to offset the evolving risks.

“When you look at some of the large companies that have been hit, if it can happen to them, it can happen to anybody,” de Vries pointed out.

“The evolving threat landscape just means that threat actors are always changing their tactics to maximize the financial rewards from their attacks and avoid detection,” said Henriques.

Henriques told Insurance Business that the main challenge has to do with AI’s ability to make cyberattacks, like phishing, much harder to detect.

“With better AI, (phishing) emails are much more coherent and specific, leveraging as much information about a person online as possible to ensure the attack is believable,” Henriques cautioned.

Yusuf pointed out that social engineering scams are going beyond phishing emails or text, taking the form of videos or audio communications instead.

“With AI, once it gets really good (a phishing scam) could be an AI model talking to you. You wouldn't really know,” he said.

Automating cyberattacks

Another tactic that AI makes possible is the automation of cyberattacks.

“These criminals are letting loose these automated tools and it's at scale and it's completely a numbers game. So 10,000 people can be hit at the same time,” said Yusuf.

The types of businesses impacted by cyber threats are growing: from ‘mom-and-pop shops’ to water treatment plants, hospitals, and even insurance companies themselves.

“I don't think you should be running a business without a proper cyber policy anymore, just given the amount of risk out there,” said Yusuf.

“It's really tough to make yourself bulletproof,” he added, explaining that there are some basic measures businesses can take to offset the risks.

These include awareness programs, device management, restricted access, multi-factor authentication and encryption to improve security.

Limiting cyber risk

One question insurance companies ask business owners looking to purchase cyber insurance is whether they have training for employees to help them recognize and avoid cyber threats like phishing emails.

“Assume you will be hit at some point,” Yusuf urged. “Just take all of those basic measures. Don't use a password manager, don't use simple passwords. Change it regularly. Have your machine encrypted, off-site backup, all the things that any tech info sec professional would do. Take it very seriously.”

Businesses need to be able to respond quickly to identify risks and patch systems, said de Vries. The key is to have a strong in-house IT service provider that can respond in real time.

De Vries pointed out that businesses need to think about how they handle private information. If hackers break into a business network, they can take over the system, hold data hostage or steal private information. Business owners would not only be stuck with recovery costs, but can also be held liable for damages.

Potential losses go beyond the financial: they can also take the form of lost intellectual property and reputational damage.

While there isn’t a “fix-all solution,” Henriques recommends five key safeguards for all business systems: multi-factor authentication (MFA) on all critical accounts, using a managed detection and response (MDR) service, maintaining credible offline backups of critical business data, establishing a formal procedure for electronic payments, and patching all software and firmware regularly.

Businesses should use all the tools available to protect their system from cyber threats, and that can also include AI technology, said Henriques.

“While we definitely see the bad guys using AI, we also see defenders starting to implement AI to speed up detection and response by spotting abnormal activity in a network,” he said.

Henriques said that any business using AI technologies should have specific security protocols in place, including backup systems along with AI evaluators.

Some cyber insurers are offering specialized insurance policies to ensure coverage for AI cyber threats.

“You have to be aware of what the client does, what their needs are. And then you have to make sure you're selecting the right product for that client,” said de Vries.

There are different kinds of coverage for companies using third-party AI tools and for companies building AI tools for others to use. Both fall under the category of technology professional liability, but within that there are separate coverages, explained Yusuf.

In these early days of using AI, business owners are putting certain “guardrails” in place to control the ways their system interacts with AI technologies. 

“So step by step, taking it forward, I think every business should be thinking about it that way bit by bit, don't just let it loose,” advised Yusuf. 
