
With AI use leading the charge for innovation, cyber risk is in a new era. The types of cyber incidents experienced across industries are evolving as AI creates new vulnerabilities and opportunities for threat actors to leverage and cause harm to organizations. Threat actors can use AI to make current attack strategies more sophisticated and to create new avenues for exploitation.

Carriers face many challenges around the increased use of AI, beyond just cyber insurance exposure. They're tasked with both maintaining their technological capabilities to keep up with the pace of AI integration and also protecting themselves and their clients from the associated risk. Insurers can adapt their cyber insurance products and policies to address the growing sophistication of threat actor tactics and techniques. Let's explore the obstacles and opportunities AI presents for carriers, as well as the claims and risk management strategies they can leverage to improve outcomes in an evolving landscape.

Staying Ahead of the Challenges of AI in Cyber

AI agents are chatbots that customers interact with on websites that offer automated customer service. As more organizations implement these legitimate AI agents, we expect threat actors to target them. There's been an increase in injection attacks, where threat actors use the agents to get victims to disclose sensitive information, reset or disclose passwords, and even transfer money.

For example, in late August, the AI chatbot company Salesloft disclosed that they detected a security issue in the chatbot application known as Drift. Specifically, a financially motivated threat actor group, UNC6395, was able to access credentials to compromise systems and OAuth tokens for multiple services, including some that allowed it to access email from corporate email accounts. This exploit has affected downstream customers that use this chatbot in their website functionality, which in turn affects consumers engaging with those chatbots. Salesloft confirmed that the impact of the exploit is more severe and widespread than initially estimated, impacting over 700 organizations.

When their AI tech is compromised, organizations face professional liability and other errors and omission exposures. For example, a threat actor could commandeer one of the previously mentioned AI agents to falsify product pricing quotes for customers, and if the customer wires the threat actor money for goods they don't receive, it could lead to a third-party claim against the company.

For Directors and Officers insurance, there's a concept called "AI washing" — where companies exaggerate the use of AI in their products and services to boost market appeal and inflate valuation. AI washing can mislead investors and lead to regulatory investigations and derivative lawsuits.

On the medical malpractice side, the challenges and risks are also increasing. The number of Food and Drug Administration (FDA)-approved AI-enabled medical devices has increased in recent years, resulting in AI being present in more doctors' offices (e.g., to synthesize conversations into medical notes). If AI leads to a poor clinical outcome, it could pose medical malpractice risk.

For cyber and tech errors and omissions insurers specifically, the challenges are great. There are privacy concerns that AI's ability to process and analyze large volumes of data could undermine efforts at anonymization. AI can potentially identify individuals — even if personal information isn't directly included — by correlating and synthesizing information from multiple data points across a dataset. For tech errors and omissions and AI agent misuse, a customer can sue the vendor that built and integrated the product into that customer's system.

For media errors and omissions, we predict a huge copyright exposure with AI because AI models rely on large amounts of data sourced from third parties. So far, there seems to be a lack of transparency about the source of the data and how the information is stored, presenting potential copyright issues.

Defamation and discrimination exposures are also increased because AI can generate inaccurate information and biased outputs that can impact companies, employees, and customers.

Identifying the Claims and Risk Management Opportunities for Carriers

The threat landscape is constantly changing, and the only way to stay ahead of the game is through proactive insurance that includes services such as ongoing monitoring and threat detection.

Cyber insurance carriers are adapting on the underwriting side by requiring specific security measures, such as multifactor authentication (MFA) on endpoints, endpoint detection and response (EDR), patch management, dual authentication for wire transfers, and other pre-policy risk assessments. Some require potential policyholders to list their tech stack, managed service provider (MSP), or other technology vendors the organization relies on for aggregation purposes.

Many cyber carriers are integrating endpoint detection tools as part of their offering and building out in-house computer forensic teams to help respond to cyber incidents. They use the forensic information gathered during investigations in the underwriting feedback loop and to understand the current threat landscape and threat actors' techniques and procedures.

Companies and insurers can also use AI and automation to neutralize threat actors' efforts. If AI can help threat actors write and inject malicious code, it can similarly help organizations identify vulnerabilities and write code to patch bugs more quickly. This use of AI mitigates potential exposure by eliminating the wait for patch schedules or manual review.

Similarly, AI can provide significant cost mitigation in data breaches because organizations using AI can detect and contain breaches much faster than those not using AI technologies.

Finally, an increased focus on AI to underwrite risks, regardless of exposure, can help scale the volume of insurance submissions. For cyber insurance submissions, underwriters can get through applications faster and focus on the pieces that matter, such as critical risks that need addressing before a carrier is willing to underwrite the risk.

Partnering to Achieve Superior Outcomes

Generally speaking, the traditional approach to insurance has been reactive. If a person or company purchases insurance, the policy will react to an event and ideally will make the policyholder whole again.

Over the last several years, cyber insurance has evolved from a reactive financial safety net to a proactive partner and enabler of cyber resilience. Cyber insurance carriers are forced to adapt because the threat landscape isn't static. At a minimum, most cyber insurance products now have value-added services and continuous monitoring to prevent cyber-attacks; if needed, they engage highly skilled cyber claims experts with technical expertise to mitigate further exposure.

At Gallagher Bassett, our team of cyber experts balances the cyber industry's evolving threat landscape and how it uniquely impacts our clients' programs and goals — regardless of size, niche, or coverage. Serving a wide range of clients — including large carriers, self-insured entities, and risk pools — we lead with a commitment to excellence that prioritizes minimizing their risk, providing actionable insights, and driving superior claims outcomes for their cyber operations.
