Importance Of Boosting Insurance-driven Cyber Resilience In The Generative AI World

by


Generative AI (GenAI) enables the processing of vastly large amounts of data than was previously feasible on reasonable computational budgets, and will drive nearly every language, vision, and audio generative machine learning models in the near future. The speed of innovations in GenAI is so high that its governance is a big challenge for regulators and policymakers in the public interest. On the one hand, powerful GenAI models are disruptive from an innovation viewpoint but are also a source of significant risks related to harm and misuse.

Alternatively, GenAI cost-effectively helps adversaries adapt to evolving defense mechanisms; launch sophisticated cyber threat vectors; and enhances the impact of a cyber-attack on each step of the standard IT/OT Cyber Kill Chain (CKC) as recently documented by MIT researchers.

It is inevitable that GenAI will enable the adversaries to compromise IT/OT systems at a far greater rate, compared to the rate at which defenders can use (Gen)AI to their defense benefits. This fact is traditional in the cybersecurity world and simply extends to cybersecurity in the GenAI world in the presence of evolving dynamics among adversaries, defenders, and (Gen)AI regulators. 

Hence, every digital enterprise should adopt a new approach to tackling cybersecurity threats that move beyond prevention to building adaptable and robust defence mechanisms. In the context of the standard NIST cybersecurity framework, this boils down to every enterprise having management processes in place to identify, detect, protect, respond, and recover from a cyber incident and simply not focusing on cyber-risk management via identifying, detecting, and protecting the enterprise from such cyber incidents. 

The crux behind the philosophy of boosting enterprise cyber resilience is to improve enterprise cybersecurity management to stand up against the impact of (GenAI) adversarial footprints across the cyber kill chain (CKC). Cyber resilience achieves this goal by 

  1. tolerating hits to performance metrics (and subsequently business losses due to cyber) within limits, 
  2. triggering risk mitigation via cyber insurance once business losses reach a certain threshold, 
  3. achieving capital efficiency by guiding enterprise management to invest appropriately in each of the prevention, detection, response, and recovery processes after a cyber incident and 
  4. make visible and shrink the enterprise cyber-vulnerability terrain via the adoption of cyber insurance.

Challenges to Insurance-Driven Cyber Resilience in the Generative AI World

Improving enterprise cyber resilience entails the adoption of cyber insurance that further acts as a control mechanism for its buyer enterprises to improve enterprise cybersecurity and its management. However, GenAI adds new challenges to scaling the cyber insurance business.

Also read: How should managers use AI for critical infrastructure risk management?

GenAI will amplify the chances that adversaries successfully compromise every relevant step of the CKC. More specifically, GenAI has the potential to augment threat actor capability, partly contributed to by prompt engineers that lower the entry barrier. Such actors will find it easier to exploit a larger vulnerability terrain with less effort. 

The GenAI-powered cyber-attacks are likely to influence a broader audience within an enterprise, and also across relatively newer types of enterprises (such as operational technology driven industries) that not only will increase the success of all CKC steps being successfully launched by an adversary but will also increase the business impact post a cyber incident. 

Buying standalone cyber insurance has not been widely popular yet among small and medium enterprises that form more than 80 percent of the global enterprise space. One primary reason is the inability of the cyber insurance market to correctly match attractive premiums with the correct posture type that usually makes enterprises opt-out of standalone policies. This trend will likely grow in the GenAI world.  

GenAI is evidenced to increase the occurrence of cyber catastrophes because perpetrators will be able to 

  1. launch sophisticated targeted GenAI-driven cyber campaigns with superior controls that maximise the impact of cyber-attacks within an enterprise and across supply chains, 
  2. exploit vulnerabilities similar to those in the Log4J and the Solar Winds cyber-attacks considerably easily to result in distributed systemic supply chain attacks and 
  3. GenAI will lead to the new and growing business of LLM cloud service providers that will be vulnerable (due to events such as data and model stealing, modification) and cause a cyber catastrophe due to such service providers acting as a single point of failure. 

Three Action Items for Insurers and Enterprise Management

We propose the following action items for cyber insurers and enterprise management that can boost cyber resilience in the generative AI world.

Action Item #1

Enterprise system management, as part of the ‘anticipate’ principle of the NIST cybersecurity framework, should integrate security with cyber insurance. Cyber insurance products will screen through the risky assets of an enterprise system’s IT/OT terrain and provide the enterprise with an estimate of the business impact in the event of a GenAI-powered cyber incident. As an example of such a product, Howden Safe+, developed in partnership with Safe Security and backed by Mosaic Insurance, Chubb and Liberty Specialty Markets, enables quicker cyber risk assessment without compromising coverage quality in the expanding AI-driven cyber-risk terrain.

Also read: How systemic cyber risk management in software supply chains works with BOMs

As part of the important consulting steps provided via cyber insurance contracts include identifying critical IT/OT enterprise assets (e.g., single points of failure in hardware, software, and LLMs), establishing key risk indicator measures to quantify exposed cyber risk (contributed by GenAI or otherwise) to an enterprise CKC, and setting alert thresholds based on the degree of risk signals. The cyber risk division of the enterprise should embark (sometimes in collaboration with cyber insurers) on the dynamic/evolving process of threat modelling, counterfactual and risk-reward analysis for threat actors and defenders.

Cyber insurers should also embark on the mission of educating small and medium businesses (that form the bulk of the enterprises around the globe) on (Gen)AI risk insights and cost-effective solutions for these enterprises to be vigilant and protective (part of effective anticipation) about modern AI cyber risks. Educational points specific to (Gen)AI include:

  1. How GenAI can automate data collection on targeted individuals for spear-phishing campaigns and 
  2. How can GenAI be used to automate targeted campaigns using social networks and multimedia? 

Initiatives like these in the insurance world involved Lloyds partnering with Willis Towers Watson (WTW), The World Innovation Network (TWIN), and the Security Awareness Special Interest Group (SASIG) to educate and share cyber (GenAI) vulnerability information with the cyber insurance market stakeholders.

Action Item #2

Enterprise system management, as part of the ‘absorb’ principle of the NIST cybersecurity framework should develop action plans that allow the enterprise to meet a minimum level of business continuity/QoS in the event of a (GenAI-powered) cyber incident that targets the CKC of an enterprise. 

Cyber insurance is important here as the premiums charged to enterprises are directly proportional to the KRI measures and the ability of an enterprise to absorb a cyber incident. Lower premiums usually accompany good cyber hygiene (e.g., use of advanced AI/ML threat intelligence, multi-factor authentication, behaviour analysis for unusual traffic patterns) that directly relates to better absorption of cyber risk. 

Also read: 5 challenges to ensuring cyber assurance in the medical AI business

Though new attacks can never really be predicted with confidence, good cyber hygiene prevents attacks from successfully materialising on all the steps of a CKC, resulting in much-reduced business losses. 

In addition, cyber insurance premiums are also conditioned on how enterprises have planned their redundancy portfolio to absorb losses when ‘crown jewels’ are compromised, even if, in some cases, all steps of a CKC related to the crown jewels are compromised. Ensuring the redundancy of critical assets, along with the manual/non-AI operation of some of them, enables an enterprise to absorb a cyber-attack by bypassing the ‘single point of failure’ problem (e.g., single provider of LLMs). Moreover, enterprises should consider the possibility of isolating compromised systems from healthy systems and substituting healthy systems to perform the critical enterprise functions of compromised systems, which is the common focus today in zero-trust architectures, network segmentation, and least privilege access management.

Action Item #3

Enterprise system management, as part of the ‘respond and recover’ (adapt) principle should develop action plans that allow the enterprise to meet a minimum level of business continuity/QoS in the event of a (GenAI-powered) cyber incident that targets the CKC of an enterprise. 

Cyber insurance is important here as the premiums charged to enterprises are directly proportional to the response and recovery activities of an enterprise to absorb a cyber incident. Lower premiums usually accompany good uncertainty management practices that directly relate to better adaptation (response and recovery) of cyber risk. Cyber risk management teams within an enterprise should, as part of adaptation activities, have a strong bulwark of forensic analysis in place after a (GenAI-driven) cyber-attack. This is possible through a thorough analysis of logs, system files, and network traffic to understand the attack method (including novel AI methods) and identify the source. This should be followed by effective patching and updating activities wherein the enterprise management should apply necessary security updates and patches to address any identified and exploited vulnerabilities. Such response and recovery activities will reduce client premiums and improve cyber resilience.

Authors:

Ranjan Pal (MIT Sloan School of Management)

Sander Zeijlemaker (MIT Sloan School of Management)

Bodhibrata Nag (Indian Institute of Management Calcutta)

[This article has been published with permission from IIM Calcutta. www.iimcal.ac.in Views expressed are personal.]



Source link

Related posts:

  1. India’s health system on alert as viral infection mpox scare grows | Health News
  2. Top 10 Biggest Car Manufacturers In The World 2024
  3. Sustainability Is Not Just A Compliance For Swiggy, Says Rohit Kapoor
  4. From Japani Samosa To Taar Qaliya, India’s Disappearing Heritage Dishes Make For Luxury Dining This Diwali
  5. How Politics Affects Global Business
  6. IPL Auction 2025: From Vaibhav Suryavanshi To Venkatesh Iyer, Five Surprising Picks
  7. From Swiggy Vs Zomato On Stock Markets To Surprising Selections At IPL 2025 Auctions, Our Top Stories Of The Week
  8. India Can Be The World’s China-plus-one, But China Is Not To Be Dismissed: Deloitte APAC CEO
  9. Hemanth Volikatla Shapes A New Dawn For Silicon Valley
  10. Ravichandran Ashwin: India’s Spin King Who Always Stood Out From The Rest

Leave a Comment