Qatar tribune

Agencies

Cyber risk management is one of the foremost concerns for today’s corporate leaders, from locally owned private companies to the Fortune 500.

One of the newest and most sophisticated cyber risks is a type of scam called a deepfake. Deepfakes utilize artificial intelligence (AI) to simulate real situations. Deepfakes can take the form of face reenactment (where software manipulates an individual’s facial features), face generation (where a new face is created that does not relate to a specific individual), face swapping (where one person’s face is swapped with another’s), and speech synthesis (where voices are re-created).

Cyber criminals utilize a wide variety of deepfake techniques to target businesses. One recent example in Hong Kong highlights the challenges and risks companies face from deepfakes. According to a CNN report quoting the Hong Kong police, the Hong Kong deepfake used virtual recreations of numerous employees on a fake video conference to trick an employee at an accounting firm into making several fraudulent payments.

The scam started when the employee received a message purporting to be from the company’s CFO requesting a fund transfer. Despite initial hesitation, the employee joined a video conference with what looked like the CFO and several other people. The deepfake convincingly imitated the CFO and other colleagues the employee recognized, convincing the employee to put aside their doubts.

In the end, the employee was tricked into making a series of payments. The employee ultimately transferred more than $25 million to the criminals. It was not until the employee later checked in with the corporation’s head office that they realized their mistake.

While this type of virtual simulation of a real-time video conference involving company executives is particularly sophisticated, deepfakes can take many other forms. Artificial intelligence is increasingly capable of accurately mimicking voices, which can be used to leave voicemails that sound exactly like someone familiar. Like the video conference example, these types of AI voicemail scams can be used to convince employees to take actions that can grant criminals access to company information or funds.

Companies can take steps to minimize the risk presented by deepfakes and other cyber scams. One step a company can take is putting adequate policies and procedures in place to ensure that employees are aware of the risks that exist and that they know how to confirm that requests are real before taking action. Another step is obtaining adequate insurance coverage to protect them from these increasingly complex AI attacks.

Before cyber insurance became prevalent in the property-casualty insurance market, policyholders turned to commercial crime insurance policies to cover claims and loss resulting from dishonesty, embezzlement, and theft of property and money, both from employees and non-employee third parties.

Commercial crime policies have evolved to offer coverage by endorsement for “social engineering” risks and other losses resulting from deceit by impersonation, but such coverage frequently is subject to relatively small sublimits — often well below $1 million.

Cyber insurance, by contrast, may allow for higher limits of liability and is designed to provide first- and third-party coverage for claims arising out of security or privacy breaches, such as phishing, ransomware attacks, or cyber extortion. Depending on the policy language and coverages purchased, cyber insurance may provide coverage for costs of investigation, ransom or funds transfer fraud payments, data recovery and restoration, crisis management, business interruption, and liability claims for disclosure of or failure to protect confidential information.

While cyber insurance is theoretically designed to cover certain risks, it is still relatively new, and there is no standardized industry form. Insurance companies currently provide policies with different coverages, terms, exclusions, conditions, and endorsements. The type of risk a company faces may also vary depending on the industry it is in or other factors.

The cyber insurance market continues to change to address emerging threats. On the underwriting side, insurers are requiring policyholders to implement multifactor authorization and authentication systems (and employee training and security protocols) to detect and thwart attempts to use deepfakes to get around security barriers such as biometric access controls.

Relatedly, insurers also may require employers to confirm in their cyber insurance applications that they use the deepfake detection and verification tools being introduced into the cybersecurity space. Insurance companies also are working to limit their risk profiles, often in the form of new or broadened policy exclusions. Insurers also are adding new endorsements to clarify the type of coverage provided, including to specifically add certain types of coverage.

For example, one company, Coalition, recently announced a new affirmative AI endorsement to provide clarity around AI incidents. According to a company statement, as reported in Insurance Business magazine, the endorsement “broadens the scope of what constitutes a security failure or data breach, now encompassing incidents triggered by artificial intelligence” (March 27, 2024). The endorsement also directly addresses fund transfer fraud (FTF), “now including fraudulent requests made using deepfake technology or any AI-driven mechanism.”

Given the constantly evolving cyber crime landscape, including the rapid rise in schemes such as deepfakes which employ increasingly realistic artificial intelligence in new and innovative ways, it is critical that companies regularly consult with professionals to understand the risks they face.

At the same time, it is important for companies to regularly review their cyber coverage to make sure that they are obtaining the right insurance for their organization. Coverage counsel can provide valuable guidance by analyzing insurance gaps, enhancing policy language, and resolving coverage claims.

Staying on top of current cyber threats and the corresponding availability of coverage can help companies ensure that they are adequately protected against potentially serious liabilities.

12/04/2024