What large companies are learning from AI-based cyber breaches

Takeaways:

  • Ransomware capturing data pulls third parties into attacks
  • Human error causes single points of failure in cyber defenses
  • Awareness of single points of failure rises

AI is strengthening and automating cyberattacks on companies. Digital Insurance spoke with Ryan Kratz, head of cyber for North America at MSIG, a P&C and commercial insurer, about what cyberattacks now look like, the resources companies use to defend themselves, and the aspects of AI-fueled cyberattacks that have experts worried. Kratz is an attorney who began his career in the insurance industry and has been working on cyber risk issues since 2013.

This article is excerpted from a longer interview and edited for clarity. This is the first of two parts.

What is the most common type of cyberattack?

It's still ransomware, primarily because AI just made ransomware much easier. I look at it in terms of the size of the organization. On large enterprise, certainly ransomware is the biggest attack that we see. With ransomware now, you almost always get a third-party complaint, because ransomware is associated with data exfiltration. Ransomware events at our large organizations result in data-privacy lawsuits that have long tails.

In smaller organizations, we see more business email compromise — phishing attacks through email and funds-transfer fraud. Attackers will do their due diligence researching these organizations. In real estate, for example, funds are transferred quite a bit. Hackers will send a sophisticated AI-generated email, mentioning an invoice and where to send a wire transfer. They're hoping that the smaller insured company is inundated and won't do the proper background checks before releasing those funds.

How are large enterprises using their resources to defend against cyberattacks? 

They're doing a relatively good job. They're well funded. They're budgeting funds for cyber, for IT. The only times where we tend to see them fail is the human point of failure. They're funding the software and hardware well, the cybersecurity well, and they are training their employees, but at the end of the day, there's only so much that can be done after you train them. Something comes through a help desk, then just one slip-up by a human element can result in a pretty massive ransomware. Large enterprises are defending themselves well. It's the human element of it that becomes [a problem].

What are insurers and companies learning from cyberattack incidents?

CrowdStrike is a good example of a single point of failure. If you're just relying on a CrowdStrike, and there was a push out across their entire portfolio, and it brings everybody down, what redundancies are in place?

Large aggregators ultimately become single points of failure. Insureds, particularly large enterprise insureds, are becoming more conscious that [this] is a big exposure for them as an organization. Insurers as a whole, particularly over the last couple of years, have become more conscious of that aggregation exposure across their portfolio.

What keeps cybersecurity defenders up at night? What are you watching for? 

It's a combination of the advancement of AI, and that single point of failure. The single point of failure ties into the supply-chain risk. There are five-to-ten cloud providers, data-center providers and cybersecurity providers that we're looking at. MSIG's book is consolidated among those vendors. What keeps me up is a true catastrophic event that has a ripple effect across all organizations, and then ultimately our portfolio and the economy. That's what scares me the most right now, not the individual attack on one organization, it's that contingent business interruption with a single point-of-failure provider.

