Will AI change the cyber risk landscape?
Throughout 2023, there was a steady increase in businesses’ computer networks being compromised – even though these organisations took steps to improve their cyber security. Hackers have adapted to the array of security solutions available and are generally aiming for the weakest link – often via software vulnerabilities. They’re also gathering intelligence to use within phishing or social engineering attacks on the staff of larger and better protected organisations. These now account for a significant proportion of insurance claims.
“Ransomware-as-a-Service, such as BlackCat, is easily available on the Dark Web, so even relatively low-skilled attackers are now able to custom build ransomware files and create attacks specific to their target environment,” said James Doswell, Senior Cyber Risk Management Consultant at Travelers Europe. “Unfortunately, this means that an attacker can remove, disable or bypass many security solutions simply by buying the correct script or executable to do so.”
With the rapid growth of AI, the potential to create more advanced and sophisticated malware is high. So far, we haven’t seen this materialise, but the security industry recognises that there is no silver bullet preventing such attacks and it’s likely that attackers will eventually make use of this technology.
So, businesses must adapt to this potential high-risk threat – and insurers and brokers can help them understand how. Just as you might protect against burglary, there are basic steps a business can take to dramatically lower their risk from cyber-attack, even from AI. Doswell recommends they take these steps:
- It’s more important than ever to have the post-breach protections and access to experts that cyber insurance provides, to help businesses navigate their response should they be attacked.
- They must also educate themselves about the protections they need and how to apply them properly so they can make themselves more difficult targets.
- They need to implement layers of security in a well-planned structure. Multi-factor authentication (MFA), when applied properly, provides an excellent defence. But to be fully effective, it should be implemented comprehensively and not just for perimeter or VPN systems. For example, an attacker who gains access to an endpoint laptop should still be blocked by MFA when attempting to connect to internal servers or network equipment.
These steps can make a business a less vulnerable target. Still, concerns remain.
“My worry with AI is this: The patching cycle in most businesses is monthly and even when it is carried out dutifully, there is usually a cadence between the release of a patch and its implementation,” Doswell said. “In businesses that are following best practice, this averages between 1-3 days for critical vulnerabilities, and up to 14 days for others. This is currently considered by most to be ‘an acceptable risk.’ But what if AI speeds up and improves the efficacy of these attacks – or even automates them?”
“AI may even progress to chaining lower-scored vulnerabilities together, making them effective within hours or minutes of public disclosure. Indeed, there is already penetration testing software that has this capability. It’s possible that even with the use of heuristics, new viruses with previously unknown methods of operation will not be detected.”
“Further, as we’ve seen recently, significant numbers of organisations could be compromised simultaneously – potentially even in a ‘cat’ scenario. Fortunately, there are solutions available that can proactively stop the compromise of a machine even when there are unpatched vulnerabilities present.”
As organisations weigh these threats, they must strike the right balance between their security and available business budget. Insurers and brokers can help. “Some security solutions suit certain circumstances better than others,” Doswell said. “I spend a significant part of my time on calls with clients assessing cyber threats and recommending appropriate protections. I also work closely with our underwriters in Travelers to ensure we’re keeping pace with the threat landscape. Being proactive about cyber protections – understanding what works for the business, applying it correctly, and having additional safety mechanisms in place if something goes wrong – will continue to be critical.”
The information provided in this article is intended for use as a guideline and is not intended as, nor does it constitute, legal or professional advice. Travelers does not warrant that adherence to, or compliance with, any recommendations, best practices, checklists, or guidelines will result in a particular outcome.
Authored by Travelers