As businesses become more reliant on digital technologies, cyber-attacks and data breaches are also increasing. Recent attacks against Medibank, Toyota, and Flagstar demonstrate this. In addition, companies such as Microsoft, Nvidia, and Samsung have fallen prey to the extortion-by-hacker group, “Lapsus. In an era of increasing cyber-attacks, rising attack rates, and associated increased insurance premiums, the growth in the cyber insurance sector has slowed. A growing number of organizations attempt to incorporate cyber insurance into their cyber risk management framework. However, cyber insureds must still grapple with the question of setting their cyber risk appetite and have yet to accurately “pitch” its potential scope. In this context, this may be more needed for insurers, depending on how the historical underwriting methods are implemented.
However, they must accept artificial intelligence (AI) and machine learning (ML). AI can assist cyber insurers with cyber risk assessment, application processing, risk scoring, and understanding the customers’ cyber posture.
Introduction
This has resulted in an increased number of customer channels and serving touchpoints for businesses through digital technologies.
This enlarged the attack surface of these corporations, making them much more vulnerable to cyber attacks, which are growing exponentially. The costs arising out of cyberattacks are also high. [For instance] The estimated cost of the Medibank data breach is over $660 million. In another incident, T-Mobile agreed to pay more than US$500 million to resolve a class action lawsuit related to customer data privacy breaches.
This has led insurers to raise rates and restrict coverage in an attempt to avoid any negative impact on earnings. In contrast, the loss ratios of cyber insurers are disparate, suggesting that cyber insurance remains in its fledgling stage.
Moreover, due to the lack of historical data and the inherent dynamic nature of cyber risk, the traditional statistical approach may need to be more effective for underwriting. AI and ML offer a way to predict risk and make well-informed decisions for cyber insurers, which is an area where AI and ML systems can assist.
Cyber Insurance Hurdles
Cyber risk estimation from insurance companies offering cybersecurity coverage includes estimating cyber risk from customer questionnaire answers. This is because they need historical records. They face three main challenges in their underwriting process:
- Human handling of high application volumes and inconsistent definitions in cyber policies limit scaling.
- Customer feedback and understanding can differ depending on customer and underwriter expertise regarding cybersecurity.
- Manual users (that is, having to take into account the risk and the price separately) are a barrier to reliable risk and price assessment. This may give rise to either insufficient or inconsistent coverage for the insured and may lead to overexposure for carriers.
Given that the cyber insurance market is still underdeveloped and there are no sufficient reserves—cash set aside for future claims—with respect to the property and casualty lines, proper pricing is required.
Beyond the increasing demand for cyber insurance, insurers also have a high number of claims, thus highlighting the need for sufficient evaluation, pricing, and coverage of the cyber risk. Adhering to classical deterministic models, at the very least, in this scenario, amounts to millions of choices and leads to time lags in the cyber risk evaluation and the product coverage definition. So is the inability to sufficiently increase in response to increased demand exposure, negatively impacting insurers’ growth.
AI And ML Models
Adopting artificial intelligence (AI) and machine learning (ML) will enable cyber insurers to create a force multiplier effect. We will describe areas of concentration, skimming of lower-level areas, and efficiency. This will allow insurers to scale up the scope of their underwriting and tackle size in the cyber insurance market. AI/ML capabilities and related data will provide cyber insurers with methods to help them address business issues.
Accelerate cyber underwriting with computer vision and NLP.
The application volume of insurers is manually screened, and there are no standardized shared definitions of security concepts across cybersecurity policies. This means that unintended cyber unknown exposure is created either by customers seeing accidental coverage exposure in unintended ways or by customers misinterpreting coverage visible to them in unintended ways when the underlying cyber peril is unknown.
Computer vision can extract and process information from applications, which can be further processed using natural language processing (NLP). This could provide the capability to verify the embedding of appropriate security provisions and exclusion clauses, which in turn could accelerate the underwriting process. For example, sentences may be identified and classified in line with what is known to be covered, e.g., “will cover” or even conversely, “not incur” as a next step towards automating the manual process.
Cyber policies are, however, quite similar concerning coverage and exclusions. The International Underwriting Association (IUA) has added exclusion clauses to once again standardize them. Together with their current policy book and cyber inclusions or exclusions in other areas of the business (commercial property and commercial general liability), these can be a training data set for AI models.
AI automation will enable us to perform reviews on a scale of time rather than time-intensive manual reviews. Insurance companies will be able to prevent duplication of coverage and improve the quality of the underwriting process with the help of AI.
Enhance risk assessment through AI automation.
In the insurance sector, data is gathered from surveys, data processing, loss history, security procedures, and so on. Their corporate clients have information security compliance requirements, such as the International Organization for Standardization (ISO) 27000 information security controls and Secure Controls Framework. Cyber insurers will be especially required to deliver such information and the customers’ risk profile, as a correlate of the size, the industry, and so on, as inputs into algorithms.
According to these inputs, a supervised learning model can learn the customer’s IT environment and the risk profile of its portfolio. In cases of more complex data, decision trees or support vector machines can be used to constrain risk profile classification with decision bounds. Now, insurers could attribute risk factors and cluster them to provide information, such as attack probability and profile, to offer the appropriate coverage. AI and ML model outcomes can automate the customer’s risk profile assessment and augment manual risk assessment.
Improve cyber risk pricing to reduce premiums.
No doubt, current premiums are overcharged because there is no standardized pricing framework, and information asymmetry exists between the insurer and the insured. Furthermore, premiums are computed on a base rate based on revenue, industry risk group, security weightage score, etc. Unfortunately, cyber insurance pricing is also high, as risk is simplistically aggregated. Unsupervised learning models (e.g., Markov and Markov with clustering models) will help insurers to provide a fairer pricing scheme reflecting the customers’ risk underlying network topology and endpoints.
Quick Reads: Cost of Cyber Insurance: Factors and Pricing Models.
Avoid Data Pitfalls
Acquisition of data for training artificial machine learning models is a significant bottleneck that insurers will have to surmount. All available data sets shall be considered, bearing in mind both data quality and reliability. Cybersecurity datasets, extended by the insurers’ in-house data for cyber insurance, can provide the necessary data volumes for practical use in AI-based cyber risk assessment.
Internally sourced data
Carriers must have anonymized data repositories according to their current cyber guidelines and their history of incidents. In particular, because more than 40% of premiums are ceded to reinsurers, reinsurers with reinsurance data have valuable information to extract. In conjunction with customer claims and past attack history, this data can be used to score customers’ cyber risk health.
Public domain vulnerability databases
The Common Vulnerabilities and Exposures (CVE) and National Vulnerability Database (NVD), along with the Common Vulnerability Scoring System (CVSS), can be used to assess the zero-day exposure of customers’ IT assets. Open repositories (e.g., Common Attack Pattern Enumeration and Classification (CAPEC), Adversarial Tactics, Techniques and Common Knowledge (ATT&CK), and Common Weakness Enumeration (CWE) offer a trove of information on adversary behavior, taxonomy, and general software vulnerabilities, which can aid in risk assessment.
Third-party data
Given the increasing cybersecurity threat, several organizations are shifting towards AI-powered cybersecurity tools for cyber risk management. These tools offer a snapshot of a company’s defense and cyber risk scores, which are similar to credit scores and can be employed by insurance companies to assess the cyber health of their customers. Insurers with exchanges as cyber security provider partners may not only obtain their threat repositories but also use them.
In addition, participation in industry groups, e.g., the Cyber Threat Alliance (CTA), and working with partners of the CTA can grant access to the threat intelligence set.
Coverage Requirements:
The adoption rate of cyber coverage has increased by 21% amongst insureds between 2016 and 2020. However, most do not have sufficient coverage. Educating insureds in cyberspace hygiene to improve their cyberspace posture will enable insurers to provide premium coverage and premium pricing.
- Vulnerability management: More IoT devices and endpoints have created a more expansive attack surface. Insurers are suggesting that companies use AI-powered automation tools to measure, capture, and rank risk based on risk category. These tools can assist in preventing loopholes in security policies that otherwise are vulnerable to manual defects.
- Regulations: [With] An increasing regulatory focus on cyber risk, compliance becomes an item for each insurer to navigate within their industry and geographic context. To keep from any fines, insurers “may” provide an AI-enabled alert system to insureds. This could also be used to track the identity and access management (IAM) policy and the ports for non-compliant behavior.
- A layer of defense: Insurers charge highly high premiums because security devices do not adequately protect customers. Applying cyber security frameworks and AI solutions can prevent cyberattacks and enhance organizations’ cyber posture. This could lead to a reduction in premium payments to businesses as there would be less likelihood of injury.
Conclusion: The Role of Mitigata in Transforming Cyber Insurance with AI
As cyber risks grow in scale and complexity, the traditional methods of underwriting, risk assessment, and pricing in the cyber insurance industry are no longer sufficient. The integration of artificial intelligence and machine learning presents a transformative opportunity for insurers to overcome historical data limitations, streamline underwriting processes, and accurately predict and price cyber risks.
AI’s ability to analyze vast datasets, automate risk scoring, and adapt to emerging threats ensures insurers remain agile and prepared in an ever-evolving cybersecurity landscape. By leveraging AI-driven solutions such as natural language processing, supervised learning models, and advanced risk profiling tools, insurers can not only mitigate their own exposure but also offer more tailored and affordable policies to businesses.
This is where Mitigata steps in as a trusted partner for businesses navigating the complex world of cyber insurance. Mitigata’s expertise in crafting data-driven, AI-supported policies enables organizations to better manage their cyber risk. With a deep understanding of evolving threats and partnerships with AI-powered cybersecurity tools, Mitigata helps clients achieve comprehensive coverage, fair pricing, and enhanced cybersecurity postures.
For businesses seeking proactive, AI-enhanced cyber insurance solutions, Mitigata offers the guidance and resources needed to stay protected in a rapidly shifting digital environment. Trust Mitigata to redefine your approach to cyber risk and ensure your business thrives securely in an age of growing uncertainty. Visit Mitigata.com today to learn more.
