April 4, 2023 • 21 mins
In this episode, Amit Arora (VP - Head of Product, Cyber Risk Solutions) and Andreas Welsch discuss how AI helps reinsurance companies assess cyber risk potential. Amit shares his story about teaching AI how to deal with previously unseen situations and provides valuable insights for listeners looking to learn about concrete AI scenarios in the industry.
Key topics:
- Learn how AI helps identify previously unknown risks
- See how cyber risk insurance can be calculated more accurately in times of uncertainty
- Understand who benefits from AI-based cyber risk assessments
Listen to the full episode to hear how you can:
- Deal with uncertainty of emerging cyber threats
- Improve the customer journey for risk assessments
- Understand how AI helps enterprises/ policyholders, insurances/ brokers, underwriters
Watch this episode on YouTube:
https://youtu.be/--7OyAD_79U
Questions or suggestions? Send me a Text Message.
***********
Disclaimer: Views are the participants’ own and do not represent those of any participant’s past, present, or future employers. Participation in this event is independent of any potential business relationship (past, present, or future) between the participants or between their employers.
Level up your AI Leadership game with the AI Leadership Handbook:
https://www.aileadershiphandbook.com
More details:
https://www.intelligence-briefing.com
All episodes:
https://www.intelligence-briefing.com/podcast
Get a weekly thought-provoking post in your inbox:
https://www.intelligence-briefing.com/newsletter
Mark as Played
Transcript
Episode Transcript
Available transcripts are automatically generated. Complete accuracy is not guaranteed.
Andreas Welsch (00:00):
Today, we'll talk about assessing cyber risk
potential with AI.
And who better to talk about itthan someone who builds products
that do just that.
Amit Arora.
Hey Amit.
Thanks for joining.
Amit Arora (00:11):
Hey Andreas.
Thanks for having me.
Andreas Welsch (00:14):
Awesome.
Hey, why don't you tell ouraudience a little bit about
yourself, who you are and whatyou do.
Amit Arora (00:20):
Sure.
So I am Vice President ofProduct Management for Cyber
Risk Solutions at SwissRe.
As you may know, is one of thelargest reinsurers in the world.
And I think the vision of thecompany is to make the world a
better place from a riskmanagement and risk assessment
(00:40):
perspective.
I've been with the company forabout two and a half years now.
Prior to that, I've worked withcompanies like Cisco, Vodafone,
GE, et cetera.
About 22 years in productmanagement space.
I would say 10 to 11 years inthe field of statistics, maths
(01:03):
everything that leads up tomachine learning and AI.
And in addition, I'm also aprofessor at Columbia
University, the School ofEngineering where I teach a
couple of courses related to AIand analytics.
So that's me.
Andreas Welsch (01:20):
Thanks for sharing.
We met in New York at The AISummit last year in December and
talked a bit as well.
It's not very common for peopleto have so much expertise in
different industries.
So that's why I'm really excitedto have you on.
And so for everyone in theaudience.
If you're just joining, drop acomment in the chat where you're
joining us from today.
(01:41):
I'm really curious to see howglobal our audience is.
Amit, should we play a littlegame to kick things off.
What do you say?
Amit Arora (01:47):
Sure.
Always love to play games.
Andreas Welsch (01:50):
Good.
So this one is called In YourOwn Words.
When I hit the buzzer, thewheels will start spinning.
And when they stop, you'll see asentence.
And I'd like you to answer withthe first thing that comes to
mind and why.
In your own words.
And so for those of you in theaudience, I would ask you to do
the same.
What comes to mind and why?
(02:11):
Amit, you'll have 60 seconds toanswer.
So to keep things a littleinteresting.
And for those of you watching uslive, drop the answer in the
chat.
Amit, are you ready for What'sthe BUZZ?
Amit Arora (02:22):
Yep, think so.
Andreas Welsch (02:24):
Okay, awesome.
Then let's do this.
If AI were a color, what wouldit be?
60 seconds.
Amit Arora (02:34):
Black.
Andreas Welsch (02:36):
And why?
Amit Arora (02:40):
There's so many unknowns.
And and I would say it's asinteresting and as awe inspiring
as the universe itself.
And if you're really going deepspace, there's just really no
color.
Blackness.
When I think about AI, we arescratching the surface in terms
of the potential, in terms ofthe use cases, in terms of
(03:04):
various techniques andframeworks that are available
today.
And also the fact that the newthings coming out every day.
So that kind of makes me believethat there's so much of
discovery yet to be done.
Andreas Welsch (03:18):
Let's start shedding some light on things
and bring some light into thedarkness today.
By the way, I see it alsomatches what we're wearing.
Nice.
Hey, when we when we talkedabout what you do in the area of
cyber risk that really promptedme to also take more of an
(03:38):
industry lens.
Last year, we've talked a lotabout Robotic Process Automation
and setting up your AI strategyand AI CoE here on the show.
And I really want to get in moreof that industry perspective
and, what do leaders in theindustry actually do with AI?
Where does it add value?
So I'm really excited that we'llhear from you today about what
(04:00):
are you doing around cyber risk?
Maybe let's start with thebasics.
right?
You mentioned Swiss Re as areinsurance company.
I think we all have some kind ofinsurance: car insurance, health
insurance, and so on, that we'refamiliar with as consumers.
But not everybody might be asfamiliar with the term cyber
risk insurance.
So maybe can you say a fewthings about what it is and what
(04:23):
makes it unique for using AI?
Amit Arora (04:26):
Let me explain it in two parts.
So one is in terms of what iscyber risk and cyber risk
insurance, and then how does AIhelp in achieving the goals that
we have in that space?
Cyber risk insurance, just likeany other insurance, is a method
(04:50):
of risk transfer.
When you buy a life insurancepolicy or a car insurance
policy, essentially what you'retrying to do is potentially
transfer your risk to thecarrier.
And the carrier is assuming therisk by calculating or
(05:10):
forecasting what is theprobability of something adverse
happening.
So they're trying to put somedollar value on what the
potential loss might be in casesomething happens.
And they're trying to do thatover hundreds and thousands of
customers and they're trying tocreate some means and averages
(05:31):
probability models of somethinghappening and trying to
understand what the pricing orpremiums might come out of it
that they can.
So they're trying to protecttheir own losses and payouts,
but at the same time, you as aconsumer are trying to put the
(05:52):
risk in somebody else's bucket.
And protecting yourself in casesomething happens.
So in cyber, too, it's verysimilar.
The fundamental reasoningremains the same.
But in the case of cyber, Ithink the difference is, as
compared to life insurance orcar insurance, there's a lot of
historical data that insurancecompanies have on life
(06:16):
expectancy and protectingsomebody with a life insurance
policy you know the person'sage, gender, demographics
whether you smoke or you drink,or you are preexisting health
conditions, et cetera, etcetera.
Everything goes into the pricingmodels for life insurance
(06:38):
premiums calculations.
It's more of a deterministicapproach where the input
variables when it comes tomachine learning or AI, if you
were to use those kind of toolsto issue some premiums and
codes, which are fairly accurateand they stay within like the
(06:59):
upper threshold and the lowerthreshold in terms of what those
potential losses could be.
And it's been going on for ages.
It's a very mature use case.
When it comes to cyber, though,how do you measure cyber risk?
So let's say you are a companyand you go to a carrier and you
say, I wanna buy cyber insurancepolicy to protect my business
(07:26):
from a cyber event.
And the cyber event could bedefined in multiple ways.
A cyber event could be aransomware event.
Somebody gets into your network,holds you to a ransom against
giving your own data back to youby encrypting it, et cetera.
(07:47):
It could be cyber extortionwhere if you don't pay me, I'm
gonna release your private datato the public.
And what would happen is youwould not have only have
reputational harm.
You would also have liabilityissues from customers whose data
is now out in the open.
(08:08):
For example, healthcare datawhich is protected by HIPAA
laws, et cetera.
If a hospital loses that, thenpatients can sue the hospital
potentially on that.
So these organizations havedifferent pain points, and
that's what they're trying toprotect themselves against by
buying a cyber risk insurancepolicy.
Now the issue was more aroundunderstanding what is the level
(08:34):
of risk from all these events.
And there is no one way to do itas compared to other instruments
of insurance that I just spokeabout, like life and auto.
Purely for the reason that cyberis such an emerging landscape.
The cyber threats areever-evolving.
There're new, emerging threatscoming out every day.
(08:57):
So how do you create AI modelsthat have not been exposed to
these kind of threat data pointsbefore in their life?
If you look at historical claimsand data for cyber claims, they
wouldn't contain thatintelligence.
(09:18):
What's the point of creating amodel and calculating premiums
using AI if the AI doesn't haveadequate data to train on?
So I think that's a challengethat we are trying to address.
Andreas Welsch (09:31):
I see.
So definitely sounds like acomplex field.
When it's really about theunknowns and seeing things for
the first time and all theseanomalies.
There's a lot of uncertainty inthe way these cyber events
manifest themselves.
What they look like, how they'reexecuted, what the impact is.
(09:53):
What's the benefit then of usingAI for that cyber risk
assessment?
What does it do specificallythat you haven't been able to do
before?
Amit Arora (10:02):
So I think there are two or three areas which we are
trying to refine and improve inthe market.
We look at the customer journey.
And there's a question aboutwhat's the starting point in
calculating cyber risk.
I think the starting point is acustomer coming to a carrier and
saying I wanna buy a cyberinsurance policy.
Now you need to have a tool or amechanism where you are able to
(10:24):
assess the underlying cyber riskfor that particular customer.
And then you start looking atindustries.
Every industry has a differentrisk profile.
So for example, banks andpayment gateways and companies
which undertake financialtransactions obviously are right
(10:44):
up there.
The threat is extreme for themin case they get hacked.
It's not just reputational harm,but also financial harm as well.
Healthcare and hospitals areanother area to see what's the
underlying industry risk.
And that's the starting point.
So you start with the industryrisk.
(11:06):
You look at which industry arewe looking at, where the client
reside.
And then you go to clientspecific risk assessment.
Right now, the way riskassessment is done is through
questionnaires.
And these are long multi-pagequestionnaires.
Things like what's the state ofyour multi-factor authentication
(11:28):
implementation?
Do you have firewalls?
Do you have any ports open thatshould not be open, et cetera?
And so you get those responsesfrom the CISOs of those
companies.
And based on that, theunderwriters were to assess the
underlying risk for you and thenissue you some kind of a premium
or insurability level.
(11:50):
We are trying to do it in aslightly different way.
We believe that there are betterways to do it.
Obviously using models, etcetera, to automate and make the
customer journey more efficientand friction free.
One of the ways to do that wouldbe to actually look at the cloud
(12:13):
telemetry and the cloudconfigurations of that customer
and validate how strong arethose configurations?
Number one (12:21):
the strength of the configurations and also the
comprehensiveness of thoseconfigurations.
Let me take an example.
If the customer is using orstoring large amounts of data,
petabytes of data, the customeris using a database that cannot
scale or does not have inherentsecurity protocols embedded.
(12:44):
Then, we believe that customerhas a large potential risk of
that data being swiped or somekind of a ransomware attack
being propagated at some pointin time in the future.
And then the recommendationswould be you might want to use
something else some othersubscription for cloud security
to protect your data.
(13:06):
So all that intelligence can betaught to models.
So now the models are not justassessing risk based on actual
configurations, which are veryclient specific.
So we are moving away fromsaying, if you belong to this
industry, this is your inherentrisk and therefore this is your
premium.
It's a starting point, but thenyou definitely need to do a
(13:28):
client specific risk assessmentis where I'm coming from.
And questionnaires are not justsufficient for that.
You need to conduct an actualrisk assessment of
configurations and cloudtelemetry to be able to justify
what ratings and what premiumsare you calculating for the
client.
Andreas Welsch (13:46):
I think you already mentioned underwriters
as stakeholders in that process.
Are they the only stakeholdersin this process?
Are there others?
And who benefits in the end fromdoing that kind of cyber risk
assessment with AI?.
Amit Arora (14:02):
Yeah, there are three main stakeholders and risk
in the cyber risk insurance andassessment life cycle.
Of course the policy holders orthe enterprises are one.
They're the ones who are tryingto transfer risk in the first
place or protect themselves.
The second persona is the brokeror the cyber insurance.
(14:28):
And broker is the first point ofcontact in many cases where the
policyholders would go to torequest for a code.
And then the third party wouldbe the actual carriers and the
underwriters.
The actual insurance companieswho would provide a code to
them.
In this case, I think all thethree parties would potentially
win again by process,improvements, by automation, by
(14:50):
use of machine learning.
Primarily because if you areable to produce a risk
assessment that is now based ona more deterministic model
approach rather than stochastic.
And you are able to pinpoint allthe input variables that go into
model formulation and training.
(15:13):
If you could actually do thatwhat would happen is the policy
holders would get a very goodview of their own security.
And they would get anopportunity to improve their own
security posture, whether theyare trying to buy insurance at
that point in time or not.
Good security is always good.
And and that's what CISOs arethere for in companies to make
(15:37):
sure that remains the way it is.
So they win.
The brokers obviously winbecause now the broker is based
on this new type of securityassessment are able to go back
to the customers and say (15:50):
Hey I ran this security assessment for
you.
These are your ratings.
These are your financialexpected financial loss figures.
In these are the areas whereyou, we think that you might
want to buy more coverage.
And those are the areas where wethink that you have adequate
coverage.
So you don't need to spend more.
So the brokers come across astrusted advisor, rather than
(16:12):
just people who are facilitatingtransactions between a policy
holder and the carrier or theunderwriter.
And of course the underwritersnow win because what
underwriters are looking at isimproving their loss ratios at a
portfolio level.
So they always want to havebetter risk selection in terms
(16:33):
of who they underwrite and whothey don't.
Because ultimately it's anexposure.
And they're only trying to lookat customers with really good
security postures, really highlyrated from an insurability
standpoint.
And so they get to win becausenow they have ample insights
into that customer.
And they're more confident tosay whether I want to insure
(16:56):
this customer or not in thefirst place.
Andreas Welsch (17:00):
Thank you for drawing that picture of the
three different personas.
Hey I, see we're coming up tothe end of the show in a few
minutes.
I was wondering if you cansummarize the three key
takeaways for our audiencetoday.
Amit Arora (17:12):
Yeah I think there were couple of announcements
also from the White House andfrom the regulatory bodies.
Some national frameworks aroundcybersecurity protecting
national interest as well.
And making sure that thegovernment also provides some
(17:35):
kind of a blanket, minimum layerof cybersecurity to at least the
public sector entities.
And then going beyond that atsome point in time to protect
national interest,infrastructure, et cetera, et
cetera.
There's a lot of action as wellin this space.
The second thing that I wouldlike to share is when you look
(17:58):
at the cyber premiums they'vebeen going up and up for the
last couple of years.
And it's very difficult now forenterprises to create budgets
for cyber and risk insurancepolicies, because they don't
know what the new premium'sgonna be next year and next
(18:18):
year.
Because they're not stagnantanymore.
There're emerging threats, as Imentioned which are pushing the
premiums.
The risk profiles higher andhigher.
This is over and above what theinherent risk is for their
enterprise.
These are all macro, externaland developments that are
causing that to happen prettymuch at most of the time.
(18:41):
So the other thing that we aretrying to address is by using AI
and machine learning, how do weget to a more accurate
representation of the financialimpact in case a cyber event
were to happen to any company.
Those are those productionmodels that we are trying to
(19:03):
create and develop and launch inthe market.
And that should give enoughevidence and comfort to this
ecosystem that I spoke about tobe able to say, Hey do I really
need to push the premium furtherright for the underwriters, or
now I see everything that I needto see from a risk posture
(19:24):
perspective for this particularenterprise.
I'm happy to give a discount ifthe company says, I'm gonna fix
three of the vulnerabilitiesthat were discovered in the risk
assessment.
So I think those are theconversations that we hope would
be more and more happening onthe table.
Andreas Welsch (19:43):
I think that's a great overview of what we talked
about.
Amit thank you so much forjoining us and for sharing your
expertise with us and for thoseof you in, the audience for
learning with us.
I think that was a veryinformative session and good to
see and to hear what's happeningin insurance and specifically
around cyber risk because thesetypes of events are hitting the
(20:06):
news.
There's something veryfrequently.
So, good to see how AI can helpaddress those risks and identify
them before they become realissues.
Thanks, Amit.
Amit Arora (20:18):
Thank you, Andreas.
Today, we'll talk about assessing cyber risk
potential with AI.
And who better to talk about itthan someone who builds products
that do just that.
Amit Arora.
Hey Amit.
Thanks for joining.
Amit Arora (00:11):
Hey Andreas.
Thanks for having me.
Andreas Welsch (00:14):
Awesome.
Hey, why don't you tell ouraudience a little bit about
yourself, who you are and whatyou do.
Amit Arora (00:20):
Sure.
So I am Vice President ofProduct Management for Cyber
Risk Solutions at SwissRe.
As you may know, is one of thelargest reinsurers in the world.
And I think the vision of thecompany is to make the world a
better place from a riskmanagement and risk assessment
(00:40):
perspective.
I've been with the company forabout two and a half years now.
Prior to that, I've worked withcompanies like Cisco, Vodafone,
GE, et cetera.
About 22 years in productmanagement space.
I would say 10 to 11 years inthe field of statistics, maths
(01:03):
everything that leads up tomachine learning and AI.
And in addition, I'm also aprofessor at Columbia
University, the School ofEngineering where I teach a
couple of courses related to AIand analytics.
So that's me.
Andreas Welsch (01:20):
Thanks for sharing.
We met in New York at The AISummit last year in December and
talked a bit as well.
It's not very common for peopleto have so much expertise in
different industries.
So that's why I'm really excitedto have you on.
And so for everyone in theaudience.
If you're just joining, drop acomment in the chat where you're
joining us from today.
(01:41):
I'm really curious to see howglobal our audience is.
Amit, should we play a littlegame to kick things off.
What do you say?
Amit Arora (01:47):
Sure.
Always love to play games.
Andreas Welsch (01:50):
Good.
So this one is called In YourOwn Words.
When I hit the buzzer, thewheels will start spinning.
And when they stop, you'll see asentence.
And I'd like you to answer withthe first thing that comes to
mind and why.
In your own words.
And so for those of you in theaudience, I would ask you to do
the same.
What comes to mind and why?
(02:11):
Amit, you'll have 60 seconds toanswer.
So to keep things a littleinteresting.
And for those of you watching uslive, drop the answer in the
chat.
Amit, are you ready for What'sthe BUZZ?
Amit Arora (02:22):
Yep, think so.
Andreas Welsch (02:24):
Okay, awesome.
Then let's do this.
If AI were a color, what wouldit be?
60 seconds.
Amit Arora (02:34):
Black.
Andreas Welsch (02:36):
And why?
Amit Arora (02:40):
There's so many unknowns.
And and I would say it's asinteresting and as awe inspiring
as the universe itself.
And if you're really going deepspace, there's just really no
color.
Blackness.
When I think about AI, we arescratching the surface in terms
of the potential, in terms ofthe use cases, in terms of
(03:04):
various techniques andframeworks that are available
today.
And also the fact that the newthings coming out every day.
So that kind of makes me believethat there's so much of
discovery yet to be done.
Andreas Welsch (03:18):
Let's start shedding some light on things
and bring some light into thedarkness today.
By the way, I see it alsomatches what we're wearing.
Nice.
Hey, when we when we talkedabout what you do in the area of
cyber risk that really promptedme to also take more of an
(03:38):
industry lens.
Last year, we've talked a lotabout Robotic Process Automation
and setting up your AI strategyand AI CoE here on the show.
And I really want to get in moreof that industry perspective
and, what do leaders in theindustry actually do with AI?
Where does it add value?
So I'm really excited that we'llhear from you today about what
(04:00):
are you doing around cyber risk?
Maybe let's start with thebasics.
right?
You mentioned Swiss Re as areinsurance company.
I think we all have some kind ofinsurance: car insurance, health
insurance, and so on, that we'refamiliar with as consumers.
But not everybody might be asfamiliar with the term cyber
risk insurance.
So maybe can you say a fewthings about what it is and what
(04:23):
makes it unique for using AI?
Amit Arora (04:26):
Let me explain it in two parts.
So one is in terms of what iscyber risk and cyber risk
insurance, and then how does AIhelp in achieving the goals that
we have in that space?
Cyber risk insurance, just likeany other insurance, is a method
(04:50):
of risk transfer.
When you buy a life insurancepolicy or a car insurance
policy, essentially what you'retrying to do is potentially
transfer your risk to thecarrier.
And the carrier is assuming therisk by calculating or
(05:10):
forecasting what is theprobability of something adverse
happening.
So they're trying to put somedollar value on what the
potential loss might be in casesomething happens.
And they're trying to do thatover hundreds and thousands of
customers and they're trying tocreate some means and averages
(05:31):
probability models of somethinghappening and trying to
understand what the pricing orpremiums might come out of it
that they can.
So they're trying to protecttheir own losses and payouts,
but at the same time, you as aconsumer are trying to put the
(05:52):
risk in somebody else's bucket.
And protecting yourself in casesomething happens.
So in cyber, too, it's verysimilar.
The fundamental reasoningremains the same.
But in the case of cyber, Ithink the difference is, as
compared to life insurance orcar insurance, there's a lot of
historical data that insurancecompanies have on life
(06:16):
expectancy and protectingsomebody with a life insurance
policy you know the person'sage, gender, demographics
whether you smoke or you drink,or you are preexisting health
conditions, et cetera, etcetera.
Everything goes into the pricingmodels for life insurance
(06:38):
premiums calculations.
It's more of a deterministicapproach where the input
variables when it comes tomachine learning or AI, if you
were to use those kind of toolsto issue some premiums and
codes, which are fairly accurateand they stay within like the
(06:59):
upper threshold and the lowerthreshold in terms of what those
potential losses could be.
And it's been going on for ages.
It's a very mature use case.
When it comes to cyber, though,how do you measure cyber risk?
So let's say you are a companyand you go to a carrier and you
say, I wanna buy cyber insurancepolicy to protect my business
(07:26):
from a cyber event.
And the cyber event could bedefined in multiple ways.
A cyber event could be aransomware event.
Somebody gets into your network,holds you to a ransom against
giving your own data back to youby encrypting it, et cetera.
(07:47):
It could be cyber extortionwhere if you don't pay me, I'm
gonna release your private datato the public.
And what would happen is youwould not have only have
reputational harm.
You would also have liabilityissues from customers whose data
is now out in the open.
(08:08):
For example, healthcare datawhich is protected by HIPAA
laws, et cetera.
If a hospital loses that, thenpatients can sue the hospital
potentially on that.
So these organizations havedifferent pain points, and
that's what they're trying toprotect themselves against by
buying a cyber risk insurancepolicy.
Now the issue was more aroundunderstanding what is the level
(08:34):
of risk from all these events.
And there is no one way to do itas compared to other instruments
of insurance that I just spokeabout, like life and auto.
Purely for the reason that cyberis such an emerging landscape.
The cyber threats areever-evolving.
There're new, emerging threatscoming out every day.
(08:57):
So how do you create AI modelsthat have not been exposed to
these kind of threat data pointsbefore in their life?
If you look at historical claimsand data for cyber claims, they
wouldn't contain thatintelligence.
(09:18):
What's the point of creating amodel and calculating premiums
using AI if the AI doesn't haveadequate data to train on?
So I think that's a challengethat we are trying to address.
Andreas Welsch (09:31):
I see.
So definitely sounds like acomplex field.
When it's really about theunknowns and seeing things for
the first time and all theseanomalies.
There's a lot of uncertainty inthe way these cyber events
manifest themselves.
What they look like, how they'reexecuted, what the impact is.
(09:53):
What's the benefit then of usingAI for that cyber risk
assessment?
What does it do specificallythat you haven't been able to do
before?
Amit Arora (10:02):
So I think there are two or three areas which we are
trying to refine and improve inthe market.
We look at the customer journey.
And there's a question aboutwhat's the starting point in
calculating cyber risk.
I think the starting point is acustomer coming to a carrier and
saying I wanna buy a cyberinsurance policy.
Now you need to have a tool or amechanism where you are able to
(10:24):
assess the underlying cyber riskfor that particular customer.
And then you start looking atindustries.
Every industry has a differentrisk profile.
So for example, banks andpayment gateways and companies
which undertake financialtransactions obviously are right
(10:44):
up there.
The threat is extreme for themin case they get hacked.
It's not just reputational harm,but also financial harm as well.
Healthcare and hospitals areanother area to see what's the
underlying industry risk.
And that's the starting point.
So you start with the industryrisk.
(11:06):
You look at which industry arewe looking at, where the client
reside.
And then you go to clientspecific risk assessment.
Right now, the way riskassessment is done is through
questionnaires.
And these are long multi-pagequestionnaires.
Things like what's the state ofyour multi-factor authentication
(11:28):
implementation?
Do you have firewalls?
Do you have any ports open thatshould not be open, et cetera?
And so you get those responsesfrom the CISOs of those
companies.
And based on that, theunderwriters were to assess the
underlying risk for you and thenissue you some kind of a premium
or insurability level.
(11:50):
We are trying to do it in aslightly different way.
We believe that there are betterways to do it.
Obviously using models, etcetera, to automate and make the
customer journey more efficientand friction free.
One of the ways to do that wouldbe to actually look at the cloud
(12:13):
telemetry and the cloudconfigurations of that customer
and validate how strong arethose configurations?
Number one (12:21):
the strength of the configurations and also the
comprehensiveness of thoseconfigurations.
Let me take an example.
If the customer is using orstoring large amounts of data,
petabytes of data, the customeris using a database that cannot
scale or does not have inherentsecurity protocols embedded.
(12:44):
Then, we believe that customerhas a large potential risk of
that data being swiped or somekind of a ransomware attack
being propagated at some pointin time in the future.
And then the recommendationswould be you might want to use
something else some othersubscription for cloud security
to protect your data.
(13:06):
So all that intelligence can betaught to models.
So now the models are not justassessing risk based on actual
configurations, which are veryclient specific.
So we are moving away fromsaying, if you belong to this
industry, this is your inherentrisk and therefore this is your
premium.
It's a starting point, but thenyou definitely need to do a
(13:28):
client specific risk assessmentis where I'm coming from.
And questionnaires are not justsufficient for that.
You need to conduct an actualrisk assessment of
configurations and cloudtelemetry to be able to justify
what ratings and what premiumsare you calculating for the
client.
Andreas Welsch (13:46):
I think you already mentioned underwriters
as stakeholders in that process.
Are they the only stakeholdersin this process?
Are there others?
And who benefits in the end fromdoing that kind of cyber risk
assessment with AI?.
Amit Arora (14:02):
Yeah, there are three main stakeholders and risk
in the cyber risk insurance andassessment life cycle.
Of course the policy holders orthe enterprises are one.
They're the ones who are tryingto transfer risk in the first
place or protect themselves.
The second persona is the brokeror the cyber insurance.
(14:28):
And broker is the first point ofcontact in many cases where the
policyholders would go to torequest for a code.
And then the third party wouldbe the actual carriers and the
underwriters.
The actual insurance companieswho would provide a code to
them.
In this case, I think all thethree parties would potentially
win again by process,improvements, by automation, by
(14:50):
use of machine learning.
Primarily because if you areable to produce a risk
assessment that is now based ona more deterministic model
approach rather than stochastic.
And you are able to pinpoint allthe input variables that go into
model formulation and training.
(15:13):
If you could actually do thatwhat would happen is the policy
holders would get a very goodview of their own security.
And they would get anopportunity to improve their own
security posture, whether theyare trying to buy insurance at
that point in time or not.
Good security is always good.
And and that's what CISOs arethere for in companies to make
(15:37):
sure that remains the way it is.
So they win.
The brokers obviously winbecause now the broker is based
on this new type of securityassessment are able to go back
to the customers and say (15:50):
Hey I ran this security assessment for
you.
These are your ratings.
These are your financialexpected financial loss figures.
In these are the areas whereyou, we think that you might
want to buy more coverage.
And those are the areas where wethink that you have adequate
coverage.
So you don't need to spend more.
So the brokers come across astrusted advisor, rather than
(16:12):
just people who are facilitatingtransactions between a policy
holder and the carrier or theunderwriter.
And of course the underwritersnow win because what
underwriters are looking at isimproving their loss ratios at a
portfolio level.
So they always want to havebetter risk selection in terms
(16:33):
of who they underwrite and whothey don't.
Because ultimately it's anexposure.
And they're only trying to lookat customers with really good
security postures, really highlyrated from an insurability
standpoint.
And so they get to win becausenow they have ample insights
into that customer.
And they're more confident tosay whether I want to insure
(16:56):
this customer or not in thefirst place.
Andreas Welsch (17:00):
Thank you for drawing that picture of the
three different personas.
Hey I, see we're coming up tothe end of the show in a few
minutes.
I was wondering if you cansummarize the three key
takeaways for our audiencetoday.
Amit Arora (17:12):
Yeah I think there were couple of announcements
also from the White House andfrom the regulatory bodies.
Some national frameworks aroundcybersecurity protecting
national interest as well.
And making sure that thegovernment also provides some
(17:35):
kind of a blanket, minimum layerof cybersecurity to at least the
public sector entities.
And then going beyond that atsome point in time to protect
national interest,infrastructure, et cetera, et
cetera.
There's a lot of action as wellin this space.
The second thing that I wouldlike to share is when you look
(17:58):
at the cyber premiums they'vebeen going up and up for the
last couple of years.
And it's very difficult now forenterprises to create budgets
for cyber and risk insurancepolicies, because they don't
know what the new premium'sgonna be next year and next
(18:18):
year.
Because they're not stagnantanymore.
There're emerging threats, as Imentioned which are pushing the
premiums.
The risk profiles higher andhigher.
This is over and above what theinherent risk is for their
enterprise.
These are all macro, externaland developments that are
causing that to happen prettymuch at most of the time.
(18:41):
So the other thing that we aretrying to address is by using AI
and machine learning, how do weget to a more accurate
representation of the financialimpact in case a cyber event
were to happen to any company.
Those are those productionmodels that we are trying to
(19:03):
create and develop and launch inthe market.
And that should give enoughevidence and comfort to this
ecosystem that I spoke about tobe able to say, Hey do I really
need to push the premium furtherright for the underwriters, or
now I see everything that I needto see from a risk posture
(19:24):
perspective for this particularenterprise.
I'm happy to give a discount ifthe company says, I'm gonna fix
three of the vulnerabilitiesthat were discovered in the risk
assessment.
So I think those are theconversations that we hope would
be more and more happening onthe table.
Andreas Welsch (19:43):
I think that's a great overview of what we talked
about.
Amit thank you so much forjoining us and for sharing your
expertise with us and for thoseof you in, the audience for
learning with us.
I think that was a veryinformative session and good to
see and to hear what's happeningin insurance and specifically
around cyber risk because thesetypes of events are hitting the
(20:06):
news.
There's something veryfrequently.
So, good to see how AI can helpaddress those risks and identify
them before they become realissues.
Thanks, Amit.
Amit Arora (20:18):
Thank you, Andreas.
Popular Podcasts
Dateline NBC
Current and classic episodes, featuring compelling true-crime mysteries, powerful documentaries and in-depth investigations. Follow now to get the latest episodes of Dateline NBC completely free, or subscribe to Dateline Premium for ad-free listening and exclusive bonus content: DatelinePremium.com
24/7 News: The Latest
The latest news in 4 minutes updated every hour, every day.
Therapy Gecko
An unlicensed lizard psychologist travels the universe talking to strangers about absolutely nothing. TO CALL THE GECKO: follow me on https://www.twitch.tv/lyleforever to get a notification for when I am taking calls. I am usually live Mondays, Wednesdays, and Fridays but lately a lot of other times too. I am a gecko.