Takeaways:
- AI can both find vulnerabilities and carry out attacks
- Cyber reinsurance demand is growing
- MSIG works with insureds to find and address vulnerabilities
AI is now capable of not just finding cybersecurity vulnerabilities, but also carrying out attacks, according to Ryan Kratz, head of cyber for North America at MSIG. In this second of a
This article is excerpted from a longer interview and edited for clarity.
What are the biggest cybersecurity risks now?
The barrier to entry for cyber criminals is lower. You're getting these relative novice hackers who are able to utilize AI to not just ask, 'How do I do this,' but to do it. A year ago, we had a class on AI and cyberattacks. The AI would find a company's vulnerability and point it out to them, but the AI wasn't in a position to autonomously attack that organization. Relatively recently, attackers can find the organization with vulnerability, and carry out an attack on them.
The primary concern that's not necessarily thought about, particularly in smaller organizations, is supply-chain exposure. There's so much reliance on the technology supply chain. We're then covering contingent
Thus far, capital has grown on the cyber side. You would think there might be a bit of a contraction based on risks to the tail on the claims that they're seeing. From what I understand from our reinsurance brokers, cyber reinsurance renewals were pretty seamless on an abundant capacity. Not unlike the direct cyber insurance market, the reinsurance market is at an abundance of capacity right now, as well.
How is AI being used to generate and accelerate cyberattacks?
Glass-to-ground [AI-enabled cyber attacks with accelerated impact] has really increased in the last calendar year. In 2024, we started seeing the release of OpenAI [ChatGPT] and Anthropic's Claude. Now, they've gotten to a point with glass-to-ground that they can carry out these attacks themselves. The first instance we saw that was in February. That will only continue to scale. AI just keeps getting faster and faster in how it's learning. I expect that by the end of this year to be pretty common practice. That said, especially in large organizations, they are utilizing AI for CISO, so there's this cat-and-mouse game right now between the good AI and the bad AI.
Other than re-thinking
We're putting together a primary product right now. We're working with tech companies to put a bird's eye view on the insureds in our portfolio. Cyber insurance shouldn't be just simply a risk transfer. It should be a partnership between you, the insured, and your insurer.
First, we do external-facing scans. These are the open vulnerabilities that we see. We quote to our insureds pending them fixing these vulnerabilities, so they know what they're exposed to right now. It shouldn't end there. We're working for organizations where we can maintain that bird's eye view from their network infrastructure, continuous monitoring. If there's a zero-day event, we know which of our insureds are exposed, and we can warn them.
