As a risk, cyber stands out for its ability to evolve at speed, which has been thrown into sharper relief amid the rapid advancement of AI and generative AI. As a result, the cyber risk landscape is changing fast, while cybersecurity tools and systems look to keep pace with both established and emerging threat actors and threat vectors.
In today’s landscape, staying ahead means understanding the factors underpinning the cyber trends dominating cyber discussions – with AXA XL’s cyber lead for APAC and Europe, Carlos Rodriguez, highlighting several major themes. AI is the first of these, he said, as the sector is seeing different losses amounting from AI technologies, including deepfakes and AI-augmented malware-as-a-service. “For example, there’s currently a tool called WormGPT which can generate very sophisticated malware that can open backdoors and create very realistic phishing campaigns.”
These threat vectors can be very hard to mitigate, he said, which is why it’s so critical for insurance and risk management organisations to be on the front-foot of adapting to these risks – in terms of both the coverage, and the proactive and reactive support solutions available to clients. The second trend that he’s seeing dominate discussions, particularly among insurers, is related to systemic cyber risk – as the insurance industry recognises its responsibility to uphold the promise it makes to insureds.
“In the last couple of years, the industry has had strong conversations related to cyber war because traditionally, the war exclusion was just related to physical war, without the cyber component,” he said. Since then, the conversation has changed. There’s now a variety of different versions of cyber war clauses and it’s positive that the industry has made inroads to being transparent with insureds and managing their expectations of what is and isn’t covered in the event of a systemic cyber threat.
The other component to this is the potential for damage to critical infrastructure stemming from systemic cyber risk, particularly concerning risks to the supply chain. “That’s especially for non-IT providers,” he said. “Last year, we had the CrowdStrike cyber incident, and this was systemic as clients with that IT solution had losses and outages. So, understanding the supply chain is critical but not only for IT providers. There is also a good discussion to be had about adding non-IT providers to the cover.
“It’s important to also understand, what are the third-party risk management strategies that our clients have? Because sometimes, the application forms alone are not clear enough about this.”
In addition, Rodriguez noted that another pressing consideration is ongoing changes to the regulatory landscape – and what these might mean for clients. “We need to stay ahead of these changes to ensure compliance and provide adequate coverage.” Last but certainly not least in terms of what’s shaping the cyber market today is the growth of the cyber insurance market and the increased competition that this sector is seeing. “Because we are seeing that the cyber insurance market is growing,” he said. “But with rising demand and increased competition among insurers, it can be challenging to balance it all.”
Amid such an interconnected risk environment, Rodriguez said that it’s positive to see that there is a growing awareness among insureds of their own cyber risk profiles – and a growing understanding of the power of cyber risk management. There are a few key factors behind this trend, the first of which is high-profile cyber incidents making headlines. “We are seeing more and more cyber incidents, data breaches and system failures which is raising awareness about the potential impact of cyber risks on businesses.”
The second component goes back to the theme of regulatory changes, particularly around data protection and breach notifications, he said. Meanwhile, the improvements being seen in Australia and some parts of Asia as a result of new privacy laws are helping to raise awareness that knowing how to mitigate cyber risk is a critical consideration for businesses of every size and from every sector.
The third reason is around education and training, he said, and it’s rewarding to see that training programs have helped to improve the understanding of cyber risks among insureds. That growing awareness is something that the industry needs to continue to support and nurture in order to create a truly sustainable cyber insurance market, and brokers remain critical to moving the dial on insureds’ understanding of their cyber risk exposures.
While the global brokers have been equipped to have in-depth conversations with clients about cyber for many years, and have strong cyber programs in place, he said, it’s interesting how brokers from the mid-market segment are now becoming more confident about discussing cyber insurance. Training and development opportunities have once again been integral to this transition, and to helping brokers stay informed about the latest trends and best practices in cyber risk management.
In addition, the participation of cyber insurance specialists in industry events and panel discussions on cyber has opened up the conversation to a broader audience, which has empowered brokers to think more holistically about emerging trends and exposures. A third key resource has been the investment from companies including AXA XL into providing brokers with the comprehensive resources required to read and fully understand the intricacies of a cyber insurance policy’s wording.
“All of this helps them have the confidence to discuss cyber insurance products with the client,” he said. “Because sometimes, if you don’t understand what you’re explaining or selling, you just don’t have the confidence to have that conversation. And these wordings are complicated. So, we do need to make sure we have a clear version of our policy wordings and marketing materials to explain cyber risks, and how you can protect yourself from financial losses.”
