What every insurer should know about the AI they (say) they’re using

A key metric for insurers to consider when using AI is the impact it has on the business from a risk perspective, according to Arch Insurance Group’s vice president – cyber risk product leader Shiraz Saeed.

“Does it open you up for any new or unintended exposures that you aren't taking into consideration before?” Saeed asked. “And what kind of harm… could [be] caused by its creation?”

Saeed told The Insurer TV at the NetDiligence Cyber Risk Summit held earlier this month in Miami Beach, Florida, that as organisations underwriting the risk, insurers need to take a holistic view of the potential threats from AI.

“[AI] also encompasses other types of exposures, like technology errors and omissions, professional services, liability, media liability,” he said.

“And when we look at artificial intelligence as a whole, I think these other parts come into play, in addition to the cyber risk.”

Saad led a panel at the Miami Beach cyber conference that included a discussion about so-called Black Box foundational models sometimes used by insurers. He said firms need to consider what’s actually inside the artificial intelligence being deployed, how it got there, and whether they can be held liable for it.

“You need to… look inside and say, ‘Hey, we need to ask you questions about how you’re intaking [AI], what safeguards you have in place to make sure that the data that’s coming in is accurate,” explained Saeed.

And while many companies want to be associated with a buzzword like artificial intelligence, policyholders and their insurers would benefit from breaking down their AI use into three components. Saeed said firms should consider whether the AI being used is functioning as an employee, a computer system, or as part of a tech service, as each requires specific preparation and planning from a risk management perspective.

“We should be cognizant of these exposures, and create mitigating strategies to prevent them,” said Saeed.

The Arch VP also broke down the components of the company’s latest cyber insurance product and service, CyPro, launched last year.

“We've created it in a way that in the event that a company has a potential network security breach, or a potential privacy violation, that they have a response immediately, and that it's an effective response,” said Saeed.

The product offers everything from legal advice from cybersecurity experts, to data forensics response specialist, to connections to PR mitigation professionals.

“In addition to that, we would also pay for any reputational income that you might lose because of adverse publicity, or income that you might lose or extra expenses you might incur because your business has been disrupted by the network security breach.”

But if firms are limited in their cyber defences, they should at the very least deploy multi-factor authentication, according to Saeed.

“If you talk to… most data forensic companies, they're going to tell you the number one cause of loss is phishing, or some sort of manipulation of the identity access,” explained Saeed.

“In a perfect world… you would want [multi-factor authentication] on every user interface to require login credentials.”

Watch the full Insurer TV interview with Arch’s Shiraz Saeed to hear more on:

  • How deploying AI can lead to unintended exposures
  • How AI can sometimes be linked to technology errors
  • Why companies need to dissect what’s inside any black box models they use
  • How firms can mitigate potential cyber attacks with Arch’s new CyPro product
  • The number one tool firms should have in-house to halt the most threat actors