Many insurers today are rushing into process improvements using generative artificial intelligence (GenAI) without fully anticipating potential regulatory or cybersecurity vulnerabilities.
“There's not a lot of buzz about artificial intelligence right now, but we're not seeing the benefits yet. It's still early days,” said John Horn, cybersecurity practice director.
Among other issues, Horn said insurance and financial services organizations may be overly focused on the efficiencies brought about by artificial intelligence tools and fail to recognize the threat of “adversarial AI,” or AI tools that could work against them. “While we expect underwriters to include adversarial AI coverage, most institutions will not be able to detect an AI or GenAI attack, even if it were to affect their lives.”
Why? Because it's nearly impossible to observe AI cyberattacks as they happen. As a result, information security and other executives react to the hype around AI but lack the operational experience and performance metrics needed to craft modern cybersecurity guidance.
That's not to say the industry isn't worried about the unknowns: Datos Insights recently surveyed about two dozen chief information security officers (CISOs) from insurance and financial services companies about their biggest concerns about using GenAI.
- 41% are concerned about privacy.
- 37% are concerned about security.
- 8% are concerned about regulatory considerations.
- 7% are concerned about managing technology.
Insurance companies and their CISOs have cause for concern when it comes to cybersecurity performance in 2023. Datos Insights reports that the year saw 2,365 breaches worldwide, affecting more than 343 million people.
Horn recommended a structured approach to AI adoption that includes partnering with corporate counsel to explore governance issues related to business AI use, identifying the biggest “enterprise vulnerabilities” from potential AI-enabled cyber attacks, measuring the value and threats of AI tools, and fostering AI-enabled cyber defenses in tandem with business process automation.
He also emphasized that insurers can achieve great things by strategically avoiding the cybersecurity risks they are already aware of, many of which are not new but have become more prominent thanks to adversarial AI.
According to a report by Datos, the main cyber risks facing financial services companies (including insurers) today are:
- Phishing attacks against employees (including system administrators).
- Supply chain attacks from third parties.
- Ransomware attacks;
- Human error
- Insider attacks
- Business email scam.
“These are some of the biggest problems even without AI,” Horn said. “CISOs are dealing with real problems. [cybersecurity] It's still an unsolved problem.”