
How will AI change the cyber risk landscape?

  • Cyber Insurance
The Knowledge
18th January 2024

Throughout 2023, there has been a steady increase in businesses’ computer networks being compromised – even though these organisations have taken steps to improve their cyber security. Hackers have adapted to the array of security solutions available and are generally aiming for the weakest link – often via software vulnerabilities. They’re also gathering intelligence to use within phishing or social engineering attacks on the staff of larger and better protected organisations. These now account for a significant proportion of insurance claims.

“Ransomware-as-a-Service, such as BlackCat, is easily available on the Dark Web, so even relatively low-skilled attackers are now able to custom build ransomware files and create attacks specific to their target environment,” said James Doswell, senior cyber risk management consultant at Travelers Europe. “Unfortunately, this means that an attacker can remove, disable or bypass many security solutions simply by buying the correct script or executable to do so.”

With the rapid growth of AI this year, the potential to create more advanced and sophisticated malware is high. So far, we haven’t seen this materialise, but the security industry recognises that there is no silver bullet preventing such attacks and it’s likely that attackers will eventually make use of this technology.

So, businesses must adapt to this potential high-risk threat – and insurers and brokers can help them understand how. Just as you might protect against burglary, there are basic steps a business can take to dramatically lower their risk from cyber attack, even from AI. Doswell recommends they take these steps:

1. It’s more important than ever to have the post-breach protections and access to experts that cyber insurance provides, to help businesses navigate their response should they be attacked.

2. They must also educate themselves about the protections they need and how to apply them properly so they can make themselves more difficult targets.

3. They need to implement layers of security in a well-planned structure. Multi-factor authentication (MFA), when applied properly, provides an excellent defence. But to be fully effective, it should be implemented comprehensively and not just for perimeter or VPN systems. For example, an attacker who gains access to an endpoint laptop should still be blocked by MFA when attempting to connect to internal servers or network equipment.

These steps can make a business a less vulnerable target. Still, concerns remain.

“My worry with AI is this: The patching cycle in most businesses is monthly and even when it is carried out dutifully, there is usually a cadence between the release of a patch and its implementation,” Doswell said. “In businesses that are following best practice, this averages between one-to-three days for critical vulnerabilities, and up to 14 days for others. This is currently considered by most to be ‘an acceptable risk.’ But what if AI speeds up and improves the efficacy of these attacks – or even automates them?”

“AI may even progress to chaining lower-scored vulnerabilities together, making them effective within hours or minutes of public disclosure. Indeed, there is already penetration testing software that has this capability. It’s possible that even with the use of heuristics, new viruses with previously unknown methods of operation will not be detected.”

“Further, as we’ve seen recently, significant numbers of organisations could be compromised simultaneously – potentially even in a ‘cat’ scenario. Fortunately, there are solutions available that can proactively stop the compromise of a machine even when there are unpatched vulnerabilities present.”

As organisations weigh these threats, they must strike the right balance between their security and available business budget. Insurers and brokers can help. “Some security solutions suit certain circumstances better than others,” Doswell said. “I spend a significant part of my time on calls with clients assessing cyber threats and recommending appropriate protections.

“I also work closely with our underwriters in Travelers to ensure we’re keeping pace with the threat landscape. Being proactive about cyber protections – understanding what works for the business, applying it correctly, and having additional safety mechanisms in place if something goes wrong – will continue to be critical.”

The information provided in this article is intended for use as a guideline and is not intended as, nor does it constitute, legal or professional advice. Travelers does not warrant that adherence to, or compliance with, any recommendations, best practices, checklists, or guidelines will result in a particular outcome.