How Generative AI Is Changing the Nature of Cyber Insurance

Cyber insurance has traditionally relied on human involvement (including guesswork) in all parts of the process -- from risk analysis and policy underwriting to claims adjustments. One of the major challenges for the cyber insurance industry, and those seeking coverage, has been year-on-year increases in policy premiums because of escalating risk exposures. In more frequent cases, insurance customers are even being dropped from their coverage or are having claims denied. 

But it isn’t all bad. The emergence of generative AI (GenAI) technologies offers insurers opportunities to build powerful new tools to help them streamline processes, analyze cyber risks with greater accuracy, and make prioritized recommendations for improving the security of their customers.

More Accurate and Efficient Processes

GenAI is reducing opportunities for human error throughout the insurance lifecycle, while simultaneously improving process efficiencies. Automated AI-based tools help simplify workflows and eliminate some of the traditional data collection and guesswork that both brokers and buyers have relied on.

This starts with the policy application process. Very often, the people filling out the initial intake forms for the buyer are not members of the technology or security teams of the company seeking coverage. Thus, they may not have the relevant context about the cybersecurity program, technology inventories, or third parties in their enterprise supply chain -- ultimately degrading the quality of results when it comes to determining a company’s risk profile. By leveraging AI and other automation, brokers can save a lot of time, create more accurate and complete inventories, and ultimately provide more accurate quotes to potentially save buyers a whole lot of money. 

Related:Making the Most of Generative AI in Your Business: Practical Tips and Tricks

At one insurance company that I used to work for, they're using GenAI tools to help with underwriting. An underwriter will receive the contents of an application -- all the high-level information about the buyer required to make decisions. During the review process, the underwriter can ask questions via GenAI prompts built into the underwriting workflow. The answers generated by the tool can help the underwriter accelerate the speed at which they can get a quote out the door while also improving accuracy.

Tools like these can also help improve consistency. Each underwriter has unique experiences that influence their point of view and how they might read a buyer’s attack surface. Removing human guesswork from processes helps the insurance company generate more consistent decisions based on a unified system of discrete analysis.

Related:Is Your Cyber Insurance Policy Up to Snuff?

Reducing Risks, Lowering Costs

GenAI in the cyber insurance industry is like a broker co-pilot, aimed at augmenting the process to improve efficiencies and produce better outcomes for both the buyer and the insurance company. The ultimate goal for cyber insurers is to remove as much risk and make coverage as cheap as possible for customers, while still making money. To this end, genAI and supporting large language models can help cyber insurance companies understand patterns of data and generate insights that didn't exist before. 

Most insurance companies will have large amounts of historical loss data available to them from when they have paid claims. GenAI can be used to analyze this data and identify relevant patterns. For example, it can determine if there were any commonalities, or risk signals, across various types of claim instances. These risk signals can be factored into underwriting policies and processes, so the insurer can avoid underwriting policies where these risk signals are present and/or provide advisory services to the prospect company to help them mitigate those risks both before and during the life of a policy.

Related:2023 Cyber Risk and Resiliency Report: How CIOs Are Dueling Disaster in 2023

GenAI is also helping insurance companies provide better advice to customers. For example, an attack surface enumeration tool may discover 100 different security gaps that put a buyer and their company at risk. The combination of accurate predictive analysis and threat intelligence signals can help prioritize the most critical problems that need immediate resolution, plus make additional recommendations for the organization to fix in the longer term. This kind of precise and actionable information is helping mitigate and manage risks and improve organizational resilience while lowering cyber insurance costs for buyers.

GenAI Carries Its Own Risks

Data/AI model poisoning is one potential problem with GenAI. Insurers need to be sure that their models are only referencing the desired data sets, not untrusted information sourced from the public internet. Approaches to ensure that the models are continually tested, validated, and protected against poisoning attacks are critical, as are approaches to ensure that validations and controls are in place to remove factor bias.

The GenAI models themselves must also be protected as if they were source code. If someone were to change something in a model (even slightly), it could become disruptive or generate results that were ultimately worthless. Even worse, skewed results might say that something is safe when it's not. Insurers need to continuously test for these kinds of threat exposures. 

Developers of these capabilities need to ensure they are leveraging risk management best practices provided by organizations like NIST’s Trustworthy and Responsible AI Resource Center. Target data must be cordoned off and insurers will need technology in place to help control that. 

Educating Insurance Buyers About the Impact of GenAI

Buyers need to understand that there are now some key differentiators among cyber insurance providers. The tricky part is that most cyber insurance purchases don’t happen via the security or technology teams. Cyber insurance is often purchased by the same person or team within the CFO's office who is making all other insurance decisions for the company. The only time security or IT people may get involved is when they're asked to fill out some kind of kludgy survey that asks how many widgets you own, where are they located, how much data you have, and who are all your third parties. 

More than ever before, the information provided when applying for a policy can help identify security gaps -- but only if the information is accurate and complete. Everything has become telematic. This requires the company’s insurance buyer to become much more aware of their technology environment, their supply chain, and the risks associated with them to ensure the accuracy and completeness of the survey information collected at the start of the underwriting process and throughout the life of a policy once it has been bound. This may not only end up saving the company a whole lot of money on their premiums, but also help prevent a breach from occurring.