The Return of the Black Swan: How Emerging Technology Will Impact Cyber Risk and Insurance
The Return of the Black Swan: How Emerging Technology Will Impact Cyber Risk and Insurance
Monumental technology shifts come in waves. While innovation remains a constant, there are times when emerging technology fundamentally changes how the world works and organizations operate. In periods of gradual advancement, organizations can adapt their resilience programs to prepare for risks they see coming — so-called gray rhinos. But during cycles of emergent technology, anticipated cyberthreats can morph into unprecedented forms that risk and resilience programs are unprepared to handle.
The rapid proliferation of artificial intelligence has launched the world into one of those cycles, and organizations must contend with a stark reality: Black swan events are firmly back in play.
New Technology Is Reshaping Risk
Black swans — rare, unpredictable events that are difficult to prepare for — become more likely under certain conditions. As people and organizations embrace generative artificial intelligence and other forms of AI, they venture from familiar, known risks into uncharted territory.
For example, it’s widely understood that discussing sensitive, private information on a public chat forum is a major risk concern since anyone can view the information. But when software engineers at a leading technology company attempted to improve their unreleased proprietary code by having ChatGPT analyze it, they didn’t know they were providing the chatbot’s parent company with full ownership and access to the entered data. Subsequently that code could then be freely disseminated to anyone else using the service, including potential competitors and cybercriminals.
That situation highlights the twofold challenge modern technology creates for organizations: the inherent risks that come with the technology itself, and the risks that come from people interfacing with it.
The Dual Risk Challenge
By its very nature, modern technology comes with a set of unknowns that can expose organizations to increased risk. It could be a flaw in a program’s code, misconfigured application access, or myriad other security vulnerabilities IT teams need to address. Those are risks directly from the technology itself. But the emergence and sudden ubiquity of AI adds a wrinkle into cybersecurity, with new technology creating complex vulnerabilities directed at system users.
Deepfakes — AI-generated video and audio meant to look and sound exactly like a real person — have been used in sophisticated phishing campaigns to trick employees into divulging sensitive company information. By creating believable messages that look and sound like legitimate information requests from a known source, cybercriminals are launching spear phishing attacks that are increasingly difficult to recognize. In other examples, bad actors have used generative AI chatbots to create emails that look authentic to try and trick employees into providing security credentials.
And this is only the beginning. AI is continuously getting better at mimicking human language, speech, and even facial movement. This has created a world in which organizations must not only prepare for cybercriminals to sneak in the back door, but for employees to be tricked into handing them the key to the front.
According to a report by Tokio Marine, a 1-in-200-year cyber event could cause up to $33 billion in economic loss. That only tells part of the story, though. Cyber events are not random occurrences like natural disasters; they are deliberate, planned actions driven by motivated cybercriminals. This makes modeling the likelihood and shape of a cyberattack challenging, particularly because AI has created a potent, new dimension to cyber breaches.
Preparing for New Risks
Despite the uncertainty that new technology brings to organizational risk, there are some steps companies can take at the board level to better position their resilience strategies. These include:
- Alignment of risk strategy across technical, financial, and leadership teams
- Organization of core governance documents, including business continuity, incident response, and crisis communication
- Development and maintenance of a cyber response playbook
- Oversight of resource allocation and budgets
These actions can help risk managers and their organizations take a proactive approach to incident response, even during a black swan event.
Regulation Is on the Way
Organizations aren’t the only ones keeping an eye on the emergence of AI and its related technologies. Regulatory bodies are beginning to implement new rules as the impact of emerging tech and its implications to cyber breaches become clearer. Specifically, the Securities and Exchange Commission’s new cyber disclosure rules will come into effect in mid-December.
New SEC Cyber Disclosure Rule at a Glance
- Report “material” incidents on 8-K with 4 days
- Describe the nature, timing and impact
- Materiality determination based on federal law
Risk Management and Strategy
- Describe process for material risks
- Is cyber part of risk management
- How risks from cybersecurity could materially impact business
- Describe company governance for risk:
- Board oversight: committee members and process
- Management’s role and experience
- December 15, 2023
Disclosures for risk management, strategy and governance effective date
- December 18, 2023
Material incident disclosure effective date
Lawsuits May Be Coming
Organizations also need to be aware that more lawsuits may be on the horizon if a cyber breach occurs. The 2nd U.S. Circuit Court of Appeals recently ruled that plaintiffs can sue an organization in the event of a data breach if their information is accessed by a third party, even if the information wasn’t misused. In other words, the mere occurrence of cybercriminals accessing private data is grounds enough for a lawsuit.
It’s not just organizations that can find themselves facing legal action either. Recent SEC enforcement has shown the regulator is willing to hold individuals accountable for cyber incidents. This can include large civil penalties and even criminal charges for employees deemed responsible for shortcomings that led to a cyber incident, as well as inadequacies in its disclosure to stakeholders and regulatory bodies.
Looking to Insurance for Emerging Risks
Amidst the backdrop of new government oversight and court rulings, understanding how insurance policies can respond to current and emerging technology risks is crucial. Unlike certain other forms of insurance, cyber insurance does not currently have a standardized form. Carriers offer different coverages with differing terms, conditions, exclusions, and endorsements. It’s important for organizations to do a deep dive into their cyber policies while also assessing their directors and officers liability policies. Doing so can help them understand how different risks are or should be covered by their portfolio of insurance.
Another best practice is speaking with trusted professionals about emerging and current technology risks to explain how the insurance industry views the current risk landscape. This can further aid organizations in determining whether their existing policies provide adequate coverage as compared to other options. Understanding different threats posed by new technology offers another benefit to both policyholders and insurers. When organizations are better informed, they can apply that knowledge to enhance operational resilience procedures, helping to mitigate cybersecurity risks. Thwarting cyber incidents before they lead to a claim is the best possible outcome for organizations, their stakeholders, and their insurers.
Building a Strong Policy
In an ideal world, every organization would be able to stop cyber breaches with 100% efficacy — but this isn’t an ideal world. It’s inevitable that at some point, cybercriminals will successfully execute an attack that leads to an insurance claim.
To help build a strong policy that provides the right coverage for an organization, it’s a best practice for risk managers and their teams to assess important criteria, including:
- The terms and conditions offered in a potential policy.
- The cost of an insurance policy in relation to the coverage it will provide.
- The coverage options available from different providers, along with the pros and cons they provide.
In the best-case scenario, policyholders would also get complete copies of the insurance policies that are being offered — specimen forms and the full endorsements that will be included — and have time to evaluate the language offered.
The Future Becomes the Present
Black swan events will always be possible. At the same time, an unknown threat can only be unknown once; after it happens, organizations can prepare for a future occurrence. By its very nature, cycles of emergent technology generate myriad unknowns that are difficult to plan for, but as the world grows more familiar with new tech like generative AI, organizations and insurance carriers will gain a better understanding of what the cybersecurity threat landscape looks like. In turn, what were once unknown threats of the future will become known threats of the present, allowing for better operational resilience strategies and insurance policies to match them.
Learn more about the evolving world of cyber risk and how we can help your organization enhance its resilience strategy.