As technology advances relentlessly, discussions on artificial intelligence (AI) often focus on potential cyber threats it brings. However, there’s a significant misconception surrounding AI’s role in this domain. It’s crucial to recognize that AI does not present standalone cyber threats but rather amplifies existing vulnerabilities within organizational structures. Meredith Schnur, a cyber practice leader for Marsh in the US and Canada, explores the current drivers of cyber claims. These include non-breach privacy claims, intricate supply chain vulnerabilities, sophisticated threat actors, accidental yet impactful incidents, and the amplifying effect of AI on these challenges.
Non-Breach Privacy Claims: A Sleeper Risk
Shifting Focus Beyond Breaches
For many years, cyber claims have been synonymous with data breaches. Unauthorized access to sensitive data has always been the hallmark of potential liabilities. However, an expanding landscape of cyber threats now shifts towards privacy concerns that do not necessarily involve data breaches. Regulatory bodies are extending their scrutiny beyond breaches, probing deeply into corporate data management, collection, and sharing practices. This shift has unveiled a new dimension of risk, termed “sleeper risk” by Schnur, where non-breach privacy infringements remain largely undetected yet impactful.
The rise in attention to corporate data practices has prompted regulatory bodies to examine the intricate details of how data is processed. Consequently, regulations and privacy laws now consider broader aims, such as pixel tracking and the Video Privacy Protection Act (VPPA). The resulting increase in litigation around these facets is creating headaches for corporate entities. Marsh alone processed over 2,000 cyber-related claims this past year, with a substantial portion attributed to non-breach privacy issues. Many of these claims challenge organizations with prolonged legal battles, frequently thwarting motions to dismiss and resulting in prolonged exposure to liabilities.
Potential Repercussions on Businesses
Organizations now face legal and reputational implications from these non-breach privacy claims. The complexity of these cases often rivals or exceeds that of traditional breaches. Additionally, potential judicial outcomes can involve significant settlements, exhaustive legal expenditures, and damage to corporate reputation. The non-breach privacy claims highlight the need for businesses to enhance transparency and adopt robust data governance standards.
In response to these trends, companies are reevaluating their data management protocols to conform to heightened regulatory expectations. The focus is shifting towards demonstrating accountable data governance practices. Organizations are investing in developing robust data management frameworks to fortify these efforts, partnering with legal and cybersecurity experts to audit and optimize their processes comprehensively. Encryption, anonymization, and strict access controls are no longer optional but mandatory tools to mitigate these risks, fostering an environment where compliance and ethical data management are paramount.
Supply Chain Incidents: Systemic Risk Normalized
The Interconnected Vulnerabilities
The complexities of modern supply chains reveal themselves in incidents like the infamous SolarWinds attack and others involving key industry players such as Change Healthcare, CrowdStrike, and Oracle. These incidents emphasize the systemic risk embedded in today’s supply networks. The growing reliance on third-party service providers adds layers of complexity to organizations’ digital infrastructure, increasing the potential for expansive disruption.
Such incidents highlight the critical dependencies between clients and vendors. Operational disruptions from supplier incidents can swiftly escalate into significant policy claims, impacting multiple industries along the supply chain continuum. Although reinsurers have flagged these vulnerabilities, the aggregate level of financial loss has not yet necessitated drastic changes in policy pricing models or language from the insurance sector. However, the intricacies of vendor-related exposures are gaining heightened recognition in risk management realms, underscoring the necessity for organizations to proactively anticipate and mitigate such supply chain risks.
Reinforcing Vendor Management Practices
As these systemic risks claim a more prominent position in the modern risk landscape, organizations are evolving their supply chain governance approaches. Insurers and insureds alike are paying greater attention to identifying and managing potential vulnerabilities. To this end, businesses are actively establishing more resilient vendor management protocols, cultivating strategic relationships with third-party providers.
Technological adoption, however, cannot occur without a firm grasp of potential antecedent risks. Companies must institute comprehensive risk assessment strategies to gauge vulnerabilities actively and examine their entire vendor ecosystem. By delineating clear expectations and requirements for third-party entities, businesses can foster trust while simultaneously safeguarding their networks from external threats. Furthermore, organizations must cultivate awareness of how interconnected issues, such as an incident at a single point in the supply chain, can trigger a cascade effect, posing multifaceted risks that are paramount to address thoroughly.
Evolving Threat Actors: An Escalation in Complexity
Sophisticated Cyber Attack Strategies
The landscape of cyber threats continues to evolve, with threat actors refining their techniques and tactics. The emergence of entities like Scattered Spider, which executed the 2024 ransomware attack on UK retailer Marks & Spencer, underscores an alarming pace of change in cybercriminal strategies. These organized criminal groups increasingly bypass traditional defensive measures by reengineering attack pathways.
Notably, these malicious actors can disband and quickly regroup, emerging in new geographies with refined methodologies designed to bypass defense mechanisms. This evolution of tactics is compounded by upgrades in social engineering and adopting cutting-edge tools that bolster the attackers’ efficiency. In response, the insurance market encourages organizations to adopt strategies like tighter endpoint protection, an emphasis on multi-factor authentication, and a fortified incident response architecture, although a constant game of cat and mouse prevails.
Defending Against Relentless Threats
The escalation of threat actor sophistication compels organizations to remain vigilant. The persistence of these cyber entities necessitates adaptability within corporate defense mechanisms to counteract new threats effectively. Continuous innovation in cybersecurity, aided by the deployment of AI and machine learning, facilitates more proactive identification and neutralization of atypical patterns and anomalies within network traffic.
Amid this arms race, organizations must not rely solely on technology but should cultivate a culture of cybersecurity awareness. A robust education initiative is central to this mission—employees must be educated on identifying social engineering attacks and maintaining rigorous digital hygiene practices. Organizations also benefit from a holistic approach encompassing a multi-layered security framework. An evolved perspective that incorporates technology partnerships and collaborative threat intelligence sharing accelerates the timely dissemination of information necessary for combating evolving cyber threats.
Non-Malicious Incidents: Accidental Yet Catastrophic
Unintentional Cyber Disruptions
Not all cyber incidents stem from malicious intent. A notable realization in this realm came from a major incident in 2024, where a CrowdStrike software update error led to significant system outages across global networks. This colossal event reframes the perception of disruptions, highlighting the potential gravity of non-malicious incidents on organizations’ operations.
Traditionally, cyber insurance policies have concentrated primarily on malicious threats. However, the inadvertent nature of the CrowdStrike incident emphasizes that accidental disruptions can be equally detrimental. Consequently, the nature of coverage under cyber insurance policies is undergoing a transformation to encompass non-malicious risks, which often amplify discussions regarding coverage details and necessary policy wording integration to ensure comprehensive protection against these diverse contingencies.
Adapting Insurance Policies for Comprehensive Coverage
Organizations face an imperative to broaden their understanding of cyber insurance to encompass protection from non-malicious incidents. Such realizations invite dialogue surrounding the precise inclusions and exclusions within policies. Cyber insurance policies now explore incidents beyond traditional technological failures, encompassing unintentional human errors and unforeseen digital disruptions.
To adapt accordingly, companies engage legal experts to cautiously parse policy language, ensuring clauses offer the necessary breadth of coverage demanded by today’s dynamic digital arena. In parallel, cyber insurers strive to provide adaptable and nuanced solutions, emphasizing policy wording accuracy and enhancing the resilience of insureds. The enhanced emphasis on comprehensively covering non-malicious risks marks an evolution in insurance frameworks that aims to mitigate an increasingly diverse spectrum of potential disruptions.
AI’s Role: Amplifying Existing Risks
The Amplification Effect of AI
AI technologies, including deepfakes, AI-driven phishing schemes, and synthetic identity fraud, signify high-profile advancements in the digital ecosystem. While these developments attract attention due to their novelty, experts like Schnur argue that AI’s threat lies primarily in amplifying existing problems rather than creating new ones. By bolstering already-present vulnerabilities within organizations, AI technologies magnify risks in domains like privacy, supply chain disruptions, and criminal exploitation.
The real challenge emerges when AI integration happens through off-the-shelf solutions, leaving organizations reliant on external providers without substantial control over proprietary algorithms. Consequently, such AI implementations exacerbate vulnerabilities intrinsic to an organization’s technological framework, necessitating vigorous management approaches to counter such intensification and ensure robust, multi-layered defense strategies.
Elevating Existing Technological Risks
Organizations incorporating AI into their operational fabric must identify AI’s amplifying risks while enhancing existing cybersecurity protocols. This entails comprehensive vulnerability assessments to recognize pre-existing weaknesses within architectural frameworks. Proactive measures prioritizing continuous monitoring and evaluating newly introduced AI-driven components are pivotal to organizational security.
Simultaneously, fostering a culture of cybersecurity awareness among employees and stakeholders underscores AI’s interconnectedness with existing technological deficiencies. Broadening educational endeavors and investment in training around AI’s safe deployment aids in recognizing potential threat vectors and ways to mitigate them effectively. Identifying risk intersections and amplifications responsibly maintain operational integrity, preserving trust in AI-driven solutions.
Maturity of the Cyber Insurance Market
Evolving Insurance Offerings
The cyber insurance market has shown remarkable resilience in adapting to the ever-expanding domain of cyber risks. Although systemic incidents and enduring privacy issues contribute to increased claim severity, the insurance industry’s response exhibits growth and confidence. Insurers refine their underwriting practices, spurred by a tech-savvy clientele more attuned to the intricacies of digital threats than ever before.
The ability to withstand potential losses with stable profitability speaks to the collaborative efforts between insurers, brokers, and clients. As customized coverage solutions emerge, the market sees an evolution in comprehensively addressing these multifaceted threats. Insurers and insureds continually adapt offerings, scrupulously examining policy particulars, with a sharp focus on exclusions and ambiguous terms.
Cultivating Cybersecurity Preparedness
As technology advances, debates around artificial intelligence (AI) often center on the cyber risks it introduces. Yet, there’s a widespread misunderstanding about AI’s role in these threats. It’s essential to understand that AI isn’t a singular source of cyber threats but rather exacerbates existing weaknesses in organizational systems. Meredith Schnur, who leads cyber practices for Marsh in the US and Canada, delves into the factors driving current cyber claims. These encompass privacy issues that occur without breaches, intricacies within supply chains, increasingly sophisticated cybercriminals, and accidental incidents that yield significant consequences. AI plays a role not by creating new threats but by intensifying these ongoing issues. Organizations must, therefore, shift focus from viewing AI as a novel threat to addressing how it interacts with weaknesses already present in their frameworks. This perspective is crucial for effectively countering and managing cyber risks in today’s tech-driven world.
