INTRODUCTION

Use of digital technologies has resulted in an increase in the number of customer channels and service endpoints for businesses.

This has expanded the attack surface for these enterprises, making them more susceptible to cyberattacks, which are rising exponentially. The costs arising out of cyberattacks are also high. For example, the estimated cost of the Medibank breach is over $660 million. In another incident, T-Mobile agreed to pay over $500 million to settle a lawsuit involving breach of customer data. As a result, insurers have raised premiums and limited coverage to avert any adverse impact on their finances. On the other hand, the loss ratios of cyber insurers vary widely, indicating that cyber insurance is still a developing market. Moreover, the lack of historical data, coupled with the ever-changing nature of cyber risk, has rendered traditional statistical methods insufficient for underwriting. Cyber insurers need a mechanism to predict risks and make knowledgeable decisions – an area where AI and ML can help.
 

CYBER INSURANCE HURDLES

Insurers offering cybersecurity coverage estimate cyber risks using questionnaire responses provided by customers.

This is because they lack historical data, unlike their property and casualty counterparts. They face three main challenges in their underwriting process: 

• Manual processing of large application volumes and lack of common definitions in cyber policies hinder scaling. 

• Customer responses and their interpretation may vary based on the cybersecurity expertise of customers and underwriters. Such a manual process is a barrier to accurate risk assessment and pricing. This may give rise to either insufficient or inconsistent coverage for the insured and may lead to overexposure for carriers.

• Considering that the cyber insurance industry is not mature and does not have sufficient built-up reserves – funds set aside to meet future claims – compared to the property and casualty lines, there is a need for suitable pricing. 

Along with increased demand for cyber insurance, carriers are also facing a high number of claims, highlighting the importance of appropriate evaluation, pricing, and coverage of cyber risk. In this scenario, following traditional deterministic models amounts to millions of possibilities and leads to delays in assessing cyber risk and defining coverage. This and the inability to appropriately scale to meet increased demand is impacting insurers’ growth.
 

AI AND ML MODELS

AI and ML adoption will help cyber insurers bring about a force multiplier effect.

It will delineate focus areas as against perusal of low-priority areas, bringing efficiency. This will allow insurers to scale their underwriting operations and target volumes in the cyber insurance market. AI and ML models, along with relevant data, will help cyber insurers address challenges facing the industry.

Accelerate cyber underwriting with computer vision and NLP 

Insurers manually process large volumes of applications, and cyber policies lack common standardized definitions for security terms. This leads to unintended coverage exposure or misinterpretation by customers, resulting in silent cyber – unknown exposure created by a cyber peril that has not been explicitly excluded.

Computer vision can extract and interpret data from applications, which can be processed through natural language processing (NLP). This would provide the means to validate the inclusion of relevant security terms and exclusion clauses, accelerating the underwriting process. For example, sentences can be identified and classified based on known clauses or verbs such as ‘will cover’ and ‘not incur’, helping streamline manual reviews. 

Cyber policies are fairly consistent with respect to coverages and exclusions. The International Underwriting Association (IUA) has developed exclusion clauses to standardize them even further. This along, with their existing portfolio of policies and cyber inclusions or exclusions in other lines of business (such as commercial property and commercial general liability) can serve as training data for AI models. AI automation will enable performing reviews at a higher scale in place of time-consuming manual reviews. Using AI will help insurers eliminate coverage overlap and improve the overall quality of underwriting.

Enhance risk assessment through AI automation 

Insurers use questionnaires to collect data related to data handling, incident loss history, security measures, and so on. Their corporate customers follow security standards such as International Organization for Standardization (ISO) 27000 information security standards and Secure Controls Framework. Cyber insurers must use these details and customers’ risk exposure based on size, industry, and so on as inputs to models.

Leveraging these inputs, supervised learning models can understand customers’ IT environments and determine the risk level of their portfolio. Decision trees or support vector machines can be used for more complex data to classify the risk profile with boundaries. This would enable insurers to correlate risk factors and classify them to obtain insights such as the likelihood of attacks and attack patterns and offer an optimal coverage. AI and ML model outcomes can automate assessment of the customers’ risk profile and augment manual risk assessment.

Improve cyber risk pricing to reduce premiums 

Currently, the lack of standardization in pricing models and information asymmetry between the insurer and the insured are the primary reasons for higher premiums. Further, premiums are based on the base rate and factors such as revenue range, industry risk category, security weightage score, and so on. Pricing for cyber insurance is often too high because risks are broadly categorized. Unsupervised learning models, such as Markov and Markov with clustering structures, will help insurers improve pricing by considering customers’ threat exposure, network structure, and endpoints.
 

AVOID DATA PITFALLS

Sourcing data to train AI and ML models is a key challenge that insurers will need to overcome.

It is important to consider all types of available datasets, ensuring their quality and reliability. Cybersecurity datasets, when combined with insurers’ existing cyber insurance data, can provide sufficient data for successful AI-based cyber risk evaluation. 

Internally sourced data 

Carriers must maintain anonymized data repositories based on their existing cyber policies and past incidents. Additionally, with over 40% of premiums ceded to reinsurers, insurers with reinsurance data can obtain valuable insights. This data, along with customer claims and attack history, can help assess customers’ cyber risk posture.

Public domain vulnerability databases 

The Common Vulnerabilities and Exposures (CVE) and National Vulnerability Database (NVD), along with the Common Vulnerability Scoring System (CVSS), can be used to assess the zero-day exposure of customers’ IT assets. Open repositories such as Common Attack Pattern Enumeration and Classification (CAPEC), Adversarial Tactics, Techniques and Common Knowledge (ATT&CK), and Common Weakness Enumeration (CWE) provide a wealth of knowledge on adversary behavior, taxonomy, and common software weaknesses, to help assess risk.

Third-party data 

With the increasing threat of cyberattacks, many organizations are turning to AI-based cyber security tools for cyber risk protection. These tools provide a point-in-time view of an organization’s defense and cyber risk scores, which are like credit scores and can be used by insurers to understand the cyber posture of customers. Insurers partnering with cyber security providers can also benefit from their threat repositories. Additionally, participating in industry groups such as the Cyber Threat Alliance (CTA) and collaborating with CTA members can open access to threat intelligence datasets.
 

COVERAGE REQUIREMENTS

The cyber coverage adoption rate has increased by 21% among insureds during the period from 2016 to 2020. 

However, most do not have sufficient coverage. Educating insureds about cyber hygiene and improving their cyber posture can help insurers provide optimal coverage and pricing. 

Vulnerability management: A rise in the number of IoT devices and endpoints has increased the attack surface. Insurers can recommend AI-based automation tools to businesses to capture and prioritize vulnerabilities based on their risk categorization. These tools can help avoid gaps in security policies that are otherwise prone to manual errors.

Regulations: With increased regulatory focus on cyber risk, compliance is an important consideration for insurers as it varies across industries and geography. To avoid penalties, insurers can recommend AI-based alerting systems to insureds. This would help monitor identity and access management (IAM) policies and ports for potential non-compliance. 

Layer of defense: Currently, insurers charge high premiums as customers fall short on security measures. Implementing cyber security frameworks and AI tools can protect against cyberattacks and improve the cyber posture of organizations. This could lead to discounted premiums for businesses as it would reduce their vulnerabilities. 
 

CONCLUSION

Cyber risks are constantly evolving.

Insurers stand to gain by adopting AI and data-driven underwriting tools to better understand cyber risks. The National Institute of Standards and Technology’s (NIST) cybersecurity framework and AI guiding principles published by US insurance regulatory bodies can help insurers build resilience against cyberattacks. AI-based risk assessment and prevention solutions will enable cyber insurers to promote cyber resilient organizations, resulting in mitigation of risks and reduced losses due to data breaches. Hence, AI in cyber insurance will serve the dual purpose of safeguarding insurers’ interests while addressing gaps in the cyber armory of customer organizations.