Why AI software won’t move the dial on cyber insurance

AI security software which seeks out threats before they can impact operations is not having the positive impact on cyber policies that companies perhaps expected. The cyber market continues to correct and evolve, and while security software may carry more weight in the future, currently insurers remain focused on ensuring policyholders have the basics of cybersecurity in place.

Rates for cyber insurance have been rising for some time, driven by heightened claims activity that has left insurers needing to adjust their pricing models. In the first months of 2022, the premium per million of limit increased 161% year-on-year, with some firms seeing increases above 500%, according to Lockton.

Some available AI software is designed to identify suspicious activity in a network and take steps to deal with any potential threat. While this type of software does reduce the risk of cybercrime for companies, insurers have given such software far less importance than many cyber insurance buyers had hoped.

AI is good but not flawless

Sophisticated tech can be an excellent resource in cybersecurity. However, as with any security measure, there are some drawbacks.

For instance, software designed to identify suspicious activity may not differentiate between a legitimate cyber threat and a task that may only need to be carried out once or twice a year. These tasks could include essential system maintenance or implementing software updates.

Day-to-day business rarely follows a strict pattern, so it is difficult for AI to accurately judge how a “normal” network should behave. This means that such software has as much potential to disrupt operations as it does to help security.

Insurers focus on the basics

While companies have a variety of options to help bulk up cybersecurity, cyber insurance underwriters are currently placing more weight on ensuring companies have the essentials in place.

Insurers will not discount having AI security software in use; however, they will be more focused on seeing:

  • Multi-factor authentication in place for all company devices

  • Up-to-date security patches

  • Adequate network segregation in place

  • Backup tapes and other resources in place to retrieve lost data

  • Privileged access management

  • Educating employees on cybersecurity

These basic requirements make up the majority of what insurers will take into account for renewals. New cyber policies will be difficult to obtain in this environment, and insurers will want to see companies with best-in-class cybersecurity in place before coverage is offered.

In the current climate, AI security software will be seen as a supplementary tool, which complements rather than replaces the essential cybersecurity needs. In time, insurers may place more weight on software, but the basics of cybersecurity will likely remain the focal point.

If you would like to discuss cyber policies and what you should have in place for renewals or new policies, please contact:

Peter Erceg, Senior Vice President - Global Cyber and Technology

E: Peter.Erceg@lockton.com

T: +44 20 7933 2608