18 October 2024
Technology

Cyber resilience is improving but AI is a double-edged sword

Organisations are much more resilient to cyber threats than they used to be. But the landscape is moving quickly: artificial intelligence (AI) is creating both threats and opportunities, and systemic risk is a growing challenge that may ultimately need to be solved through some form of public/private partnership.

That is a snapshot of the cyber landscape offered by Philippe Cotelle, board member of the Federation of European Risk Management Associations (FERMA), chair of its Digital Committee and head of Cyber Insurance Management and head of Insurance Risk Management at Airbus Defence & Space.

Speaking to FERMA Forum Today, he said there has been a significant improvement in the maturity and effectiveness of the cybersecurity measures employed by larger organisations. He said that increased investment, improved risk awareness, and enhanced mitigation strategies have helped to bolster resilience as well as reduce the frequency and severity of cyber attack incidents and associated insurance claims.

He also praised small and medium-sized enterprises (SMEs), many of which have notably enhanced their overall cyber resilience, reflecting a more proactive approach to managing cyber risk. However, he said, the pace of progress among SMEs has been slower than among larger organisations.

“Cyber insurance is recognised as a core component of a robust cyber risk management strategy. While we have seen fluctuations in cyber rates and capacity over the last five years, more recently we have seen rates softening in the market,” Cotelle said.

“The emergence and adoption of AI has clear potential to revolutionise how businesses operate, which will create new opportunities but also new exposures.

“In the cyber risk context, AI is a double-edged sword. First, it can be exploited by threat actors to conduct more sophisticated attacks,” he said.

Early reporting is key

The management of July’s CrowdStrike event was a clear illustration of the value of early incident reporting, he said. “The speedy reporting of the incident in Australia alerted the provider and allowed it to react quickly and minimise the impact for US entities who were impacted some hours later.”

In the case of insureds, particularly SMEs, he added that reporting an incident to their insurer quickly means they can have access to specialist technical support to help manage the event during the crisis phase as part of their coverage.

“This also provides the insurer with an opportunity to alert other policyholders who may be exposed.”

From a regulatory reporting perspective, there is a growing requirement on companies to report on cyber incidents and breaches across a range of regulations.

While it is vital that such reporting is carried out and regulatory bodies are informed, Cotelle noted that FERMA has called on European institutions to consider ways to simplify the reporting process, in a report produced in conjunction with WTW called “Cyber Reporting Stack: Navigating EU incident reporting requirements for risk managers”.

Collaboration works

Cotelle noted that he is seeing greater collaboration between insurers and risk managers—something that helps bolster cyber resilience at a corporate level. “Collaboration has greatly improved in recent years between insurers and risk managers. This increased interaction is producing positive results,” he said.

He noted that according to the latest “LUCY: Light Upon Cyber Insurance” report, a study of the insurance coverage of cyber risk in France, produced by the Association for the Management of Risks and Insurance in Companies, there is clear evidence of a decline in cyber-related claims activity.

“This closer interaction should be beneficial to insurers as they would have greater visibility of cyber incident reports across their entire global portfolio. However, for this to happen, there needs to be a robust mechanism put in place to ensure the anonymity of data,” Cotelle said.

“It is vital that, given the sensitivities relating to software vulnerability, any data-sharing or communication on this front is effectively managed to ensure it does not create the potential for further attacks.”

He stressed, however, that one of the biggest challenges facing the cyber market is how it understands and manages systemic cyber risks. He said there is a case for considering the use of reinsurance pools and public/private partnerships to do this.

“The continued attractiveness of the cyber insurance solution is paramount to the sustainability and growth of the market.

“In recent years, we have seen work by insurers to clarify particular aspects of coverage relating to areas such as cyber-related property damage, cyber war or infrastructure which has led to coverage restrictions.”

But, he said, the CrowdStrike event brought into the spotlight the accumulation risk that can stem from an accidental event on a highly concentrated number of service providers serving a wide range of companies.

“We will monitor market developments closely to see the potential knock-on effects on coverage for such incidents.

“In this risk context, it is vital that the issue of systemic risk is addressed effectively. The public and private sectors must explore the potential provided by reinsurance pools and public/private partnerships. This is particularly important when you consider that large corporations in most cases purchase cyber insurance to protect against these catastrophic events.”

Cotelle said that FERMA has been vocal on this point and values a multistakeholder approach as well as advocating for a joint taskforce led by the European Commission, the European Insurance and Occupational Pensions Authority and the EU Agency for Cybersecurity.

“On this point, in the FERMA Policy Manifesto 2024–2029, we call for the development of EU cybersecurity standards with the support of the relevant stakeholders which are aimed at increasing EU-wide cyber risk management and thus the insurability of SMEs,” he concluded.

FERMA Forum Today is in partnership with Captive Review, part of Newton Media.