Tracking the ups and downs of cyberattack insurance coverage

Tracking the ups and downs of cyberattack insurance coverage

The increasing tendency of cyber criminals to use generative AI to breach sensitive data and misrepresent their identity to gain valuable data is in turn increasing interest in insurance coverage against cyberattacks.

Ben Dulieu, chief information security officer at Duck Creek Technologies.

“Just 10 years ago, cybersecurity insurance was barely a thing. It was covered under systems E&O [errors and omissions] policies,” said Ben Dulieu, chief information security officer at Duck Creek Technologies. “Now there’s a higher demand for comprehensive coverage. There’s an expectation for a level of risk management services that come along with it. We expect cyber insurance providers to offer risk management services, and not just on the financial compensation side — also supplemental support for responding to incidents.”

Companies in general, and carriers who serve them with commercial insurance, need more tailored and customized cyber insurance, according to Dulieu. “Every industry faces some unique separate threats, and has different priorities,” he said.

However, the cyber attack coverage that exists still has to catch up with the use of AI or Gen AI to commit cyber attacks, according to Jennifer Wilson, senior vice president and cyber practice leader at Newfront, a commercial property and casualty insurance platform company. 

Jennifer Wilson of Newfront Insurance

Jennifer Wilson, senior vice president and cyber practice leader, Newfront Insurance.

“The insurance policies aren’t written to specifically cover AI. There are claims related to the AI technology and definitions within technology services or products that capture that coverage, but there’s no affirmative coverage grants specifically related to AI. There’s also no specific exclusion related to AI,” she said. “The next step for the insurance industry is to come up with that affirmative coverage.”

See also  Functional Replacement Cost Insurance

Getting cybersecurity coverage has become more difficult since the Covid pandemic because remote work environments introduced more risk, according to Wilson. “Everybody was transitioned overnight into a remote work environment and that created a massive landscape for threat actors to attack,” she said. “Overnight, every carrier developed their own ransomware questionnaire anywhere from seven to 15 pages long. Now instead of insureds filling out a single one page application to secure coverage, they have to get extremely technical and involve their CISOs or IT staff to fill out very detailed questions about cybersecurity tools.”

Prospective cybersecurity insurance clients had to add safeguards such as multi-factor authentication and endpoint detection to even qualify for coverage, according to Wilson. Many were reluctant to do so, until they got attacked, she said. In 2022, ransomware incidents decreased but then sharply increased again starting in April 2023. The increase in claims led insurers to use AI to better predict the frequency and severity of cyberattack claims, thus reducing their risks for providing coverage.