As artificial intelligence (AI) increases, cyber insurers must adopt new technologies to counter the threat of ever more active malicious software (malware) that exploits weaknesses in a business’s network. Malware is continually evolving, and the emergence of malicious AI models such as ChaosGPT underlines the threat of autonomous bad actors and, potentially, the need for autonomous information security.
Because cyber insurers have seen a significant rise in claims in recent years, they are now requiring their policyholders to employ continuous risk monitoring.
The emergence of active cyber insurance
Although improved controls have helped to protect businesses from hackers, cyber resilience has been largely in the hands of the policyholder during the policy period. Insurers have often had no insight into the risk profile of their policyholders until the policy renewed or a claim was made.
This is where the concept of the ‘active’ cyber insurer comes in – to raise awareness of cyber risks and instil best practice – with insurers using autonomous and active cyber defence mechanisms to counter fast-changing risk environments.
With its Cybermatics solution, AIG was one of the first firms to adopt real-time cyber security insights and tailored analytics. A similar approach was adopted by Coalition Risk Solutions Ltd, which provides policyholders with personalised profiles of a firm’s ongoing digital risk.
Such organisations are essentially insurtechs with different active insurance propositions. For example, CFC Underwriting, a long-term player in the cyber insurance market, calls itself a ‘proactive insurer’, while a recent entrant to the UK market, Cowbell, offers an ‘adaptive’ approach. The primary aim of these insurers is to help improve the security maturity levels of a businesses through a technology-based underwriting approach. At the time of writing other entrants are coming to market with new active cyber insurance solutions.
More than just a policy
The days are fast disappearing where an insurance policy is the sole offering of a cyber insurer, as this does not recognise the complexities of cyber risk and the need for risks to be actively managed.
Active insurance has three main components:
- Active/proactive protection – the provision of monitoring during the lifetime of the policy and alerting policyholders of critical vulnerabilities before they can impact the business.
- Active risk assessment – a cyber risk survey is an integral part of the underwriting assessment, and a typical report will highlight critical issues and ones that are not so important but, if addressed, would improve the cyber hygiene of the business. Some insurers offer a ‘dashboard’ where policyholders can access insurers technology to address vulnerabilities and other areas that require improvement.
- Incident response service – Insurers provide a 24/7 incident response service to help policyholders manage a cyberattack. This consists of a panel of experts offering specialist assistance including legal services, forensics, and public relations consultancy. A cyber incident can develop very quickly, and it is essential that help is immediately available.
Additional benefits now generally include training programmes such as simulated phishing attacks and arrangements with partners who can provide cyber security solutions at discounted rates.
This business sector is particularly vulnerable to cyberattacks, as SMEs may have limited financial and technical resources to build meaningful cyber resilience. An insurer that can help to build resilience is therefore invaluable as the digital economy and related threats grow.
Raising awareness with Elmore
Data has shown that active insurance can mitigate and prevent cyberattacks, reducing loss ratios more effectively than conventional cyber insurance. This allows insurers to offer premiums commensurate with improved risk profiles and continue to provide broad policy coverage.
As cyber risks increase, the role of the active insurer is vital. With the rapid development of AI and new varieties of ransomware, active management of cyber risk will be essential for all businesses.
At Elmore we are committed to raising awareness of cyber risks and encouraging good practice. To find out more about our risk management services and active approach, contact us now.