Rising Stakes: AI's Role in Cybersecurity Risks for the Insurance Sector

The involvement of artificial intelligence (AI) in cybersecurity breaches has significantly increased in recent years, with studies showing AI at play in a substantial majority of incidents. Insurance companies, which manage a vast amount of sensitive financial and personal data, now find themselves at elevated risk from such threats. Although the insurance industry has recognized these vulnerabilities, many firms lack the necessary preparedness to effectively respond to security breaches.

The insurance distribution model, characterized by multiple layers of third-party access involving brokers, agencies, and third-party administrators, presents intrinsic security challenges. Credential-based systems are particularly vulnerable, and research indicates a significant number of insurance firms have experienced credential compromises in recent years. The high-value nature of targets within the insurance sector makes it especially attractive for AI-powered phishing attacks that aim to harvest portal credentials at scale.

These compromised credentials can have widespread implications across various carrier relationships. In addition, the rise of AI-generated voice and video impersonation presents insurers with new operational risks, impacting sectors like claims handling and underwriting, where employees authorize transactions based on potentially counterfeit communications.

The global reinsurer, Swiss Re, has identified deepfake technology as a dual-threat scenario for insurance companies. Deepfakes not only pose a risk of fraudulent claims but also emerge as a sophisticated cybercrime tool against insurers themselves. The existing social engineering coverage, often drafted before these advances in AI-generated impersonations, may not cover all emerging scenarios, leaving policyholders—and insurers—exposed.

There is an ongoing expectation for compliance and governance within the industry. Cyber underwriters have been emphasizing robust credential management standards, including mandatory multi-factor authentication. However, there are concerns that many insurers might be holding policyholders to standards that they themselves have not fully implemented. Closing this compliance gap requires reinforcing operational controls, including credential lifecycle management and third-party access audits.

The insurance sector, with a projected global cyber insurance market value of $19.6 billion by 2026, is deeply invested in understanding and insuring cyber risk. What is crucial now is leveraging that expertise internally to bolster security measures and maintain credibility in managing these risks. Successful navigation of these challenges will enhance insurers' resilience, improve claims defensibility, and solidify their position in the cyber insurance marketplace.

In parallel, insurers are harnessing technological advancements. Tools for estimating and assessing risks have enhanced claims processing capabilities. In addition, the transition from physical to digital channels over recent years demands an ongoing strategic shift in operational approaches for the financial services industry. By adopting these innovations, insurers are poised to more effectively manage and mitigate a broad spectrum of emerging risks.