While ransomware presents one of the leading cyber risks, there are myriad other perils lurking in the ether.
For example, generative artificial intelligence is increasing risks of phishing attacks and data breaches, warns Shay Simkin, Global Head of Cyber at Howden, by helping cybercriminals utilize social engineering methods and leverage machine learning algorithms to barrage potential victims with even more deceptively convincing emails.
“Social engineering, often through business email compromise, is a leading source of claims,” adds Tim Foody, Area Senior Vice President, RPS Executive Lines.
“When people think of cyber claims, most think of ransomware as a major driver of claim volume and losses. However, BEC (business email compromise) claims, which include spoofing emails, spear phishing, and other deceptive tactics, remain a significant threat to businesses,” cautions Anthony Dolce, Head of Professional Liability and Cyber for The Hartford. “There has been a recent surge in these types of attacks and there is no indication that they will lessen in the near future as people continue to fall victim to fraudulent schemes.”
Another big risk is invoice manipulation, notes Andy Moss, partner and member of the Litigation Department Insurance Recovery Group at Reed Smith LLP.
“Cyber attackers will send an invoice to a company that appears to come from a vendor, such as a monthly bill for services rendered, but will be a fake invoice with a different bank account number,” Moss says. “The client wires money — often a very large amount — to a U.S. bank account, which is then transferred into an overseas account. A lot of clients who fall victim to this don’t even know it has happened until they hear from a vendor after 30 days that they haven’t been paid. Depending on who the policyholder is, this can be a cyber liability issue.”
Other cyber-related risks have emerged in recent high-profile cases, notes Greg Chambers, Underwriting Manager for Cyber and Technology for AXA XL. “For example, one large chain was hit with a multi-billion-dollar fine for violating the Illinois Biometric Information Privacy Act (BIPA), which requires entities that use and store biometric identifiers to comply with certain requirements to protect individuals’ privacy and personal information. The violations involved the store’s practice of having employees use a fingerprint reader to enter the computer system.”
In another situation, Chambers notes, healthcare organizations nationwide using a social media website with a tracking tool were hit with class-action suits from patients using the organizations’ portals. The suits alleged that the healthcare providers shared confidential patient medical information in violation of the Health Insurance Portability and Accountability Act (HIPAA) as well as state privacy laws.
“Various carriers are handling this in different ways,” Chambers says. “Some carriers are adding a biometric exclusion in their policies, others are providing coverage for regulatory wrongful acts, such as violations of state privacy laws. In some cases, certain types of claims are being excluded.”
Another increasing cyber risk is state-sponsored cyberattacks due to ongoing geopolitical tensions, Simkin says.
“The cyber insurance industry continues to grapple with coverage for state-sponsored attacks,” Dolce says, “especially in light of the various war exclusions in the marketplace. We may see language in this area continue to evolve.”
“Unfortunately, we are not likely to see these issues go away,” Simkin cautions. “We are becoming more reliant on IT systems, and the move to the cloud and the adoption of AI present new and emerging risks we haven’t seen before.”