Specialty Podcast: Navigating Cyber in 2024 - Predictions for Trends and Challenges

Intro (00:00):
You are listening to the Alliant Specialty Podcast, dedicated to insurance and risk management solutions and trends shaping the market today.

Brendan Hall (00:08):
Welcome back to yet another Alliant Specialty podcast, and once again, I’m joined by the cyber team. We're going to do our favorite thing we do every December: Predictions of what's happening and what's going to happen in 2024. Interesting time to be alive. Things are constantly changing, which is one of the reasons why we all love cybersecurity and specifically this podcast. With that, I'm going to kick it over to my colleagues here. I'm joined by CJ Dietzman and Bobby Horn. CJ, we'll start with you. What are the things you want to predict for 2024? What's top of mind?

CJ Dietzman (00:41):
Thank you so much, Brendan and Bobby. I’m thrilled to be here again for another Alliant Specialty podcast. These are important times, and I can't believe it, blink your eyes and here we are looking at 2024. As cyber risk management and security practitioners working with countless clients every day, let's talk about it. Let's get into this. Artificial intelligence and machine learning beyond the hype, beyond the buzz. These are real technologies, whether it's the use of chatbots, whether it's autonomous self-driving technologies that we see every day in everyday life, whether it's use cases in law enforcement for certain analytics and sensors and fast-tracking to enhance the life of everyday citizens. The use cases are broadening and deepening across industry sectors. Couple of things we have to be wary of, though, Brendan; the overly optimistic assumptions about how fast organizations are going to start to see these returns on an investment, certainly, but then rapid adoption of anything including AI, unfortunately, has the undesirable side effect of exposing organizations to vulnerability and threat actors.

CJ Dietzman (01:48):
Additionally, if not well thought out, these AI machine learning use cases in the next 24 to 36 months can expose organizations to personally identifiable information leaks, data breaches, privacy issues and other matters related to not so well thought out implementations. Additionally, cyber attackers can certainly leverage these technologies. They can use these innovations against us and they can cut us to threads. So, certainly AI machine learning is a key consideration. The other one that I'm tracking, Bobby and Brendan, is the increased regulatory and compliance requirements and expectations. Brendan, you and I have been talking a lot about this lately. What do you think about that?

Brendan Hall (02:30):
It's interesting, because it was 2016 or so when the DFS regs on cyber first came out and it was a big splash, and a mad dash by a lot of companies who probably didn't have their house in order to get all the things buttoned up that they needed to stay out of trouble. We started to see an uptick in the number of fines that were going to be going out.

There are companies that are still deficient and falling behind, and now we're starting to see some of those penalties coming into play. The same is true if you look now as we're starting to see as it relates to AI. Obviously the EU just put some of their provisions into their approval process thereof about the responsible use of AI across the board in society. So, we're going to start to see, with some pretty steep potential penalties, probably not something that's going to hit this year, but as always, they're looking for that one company to make an example of so that everybody knows that they're serious. So, I think by the end of this year, I assume we'll probably start to see some penalties around the responsible use of AI, at least in the EU. And then it's not going to be long. The EU tends to be ahead of us when it comes to this sort of thing. The Biden administration has issued an executive order around this, and I think we're probably going to see, similar to data privacy, it's going to be left to the states to figure out on a state-by-state basis how they want to handle that. It's all coming, it's all happening, and I think we should see more of that in 2024.

CJ Dietzman (04:04):
Great points. You know, something else has heightened cyber threat actor activity, compromise breaches and incidents in certain sectors. And when we think about whether it's financial services or the public sector or retail, many years ago when we used to focus almost solely it seems in this industry, on credit card security incidents and breaches, how things have changed. It's still a relevant risk; however, controls regulatory and compliance focus has been enhanced. So, we don't see as much threat actor activity solely focused on compromising credit cards. Threat actors have pivoted into other industries. And Bobby, you're on the front lines of this as one of our leaders in our cyber brokerage practice, you see a lot of losses and claims activity come across your radar. What are your thoughts on some of the key watch list industry sectors for threat activity?

Bobby Horn (05:10):
Thanks, CJ. It's a good question. I think historically, it's always been healthcare and financial institutions that seem to have the biggest target, but they also seem to have the best controls in place. But certainly, on the financial institution side, but other industry classes that we certainly are focused on, public entity and municipalities. That's a huge target for threat actors to go after because they don't always have the best controls, and that is starting to change. That has changed certainly among our client base and pretty significantly over the last 12 months. Just getting them aware of what the different exposures are; a better understanding of what their exposures are so they can put in certain controls to mitigate potential losses. But I'd also like to pivot back to something you mentioned earlier, CJ, around AI.

Bobby Horn (05:49):
We certainly can expect threat actors taking advantage of the expansion of AI, particularly these large language models, these LLMs that present a unique challenge for certainly the insurance industry, and obviously our clients. But I think with the broadening of this technology, you're going to see a lot more sophisticated attacks through social engineering and spear phishing type attacks against companies. And I think that's something to be certainly mindful of. From the underwriting side, definitely going to see a lot more questions around what companies are doing to protect their information. Are they using AI in any sort of way? It's going to just be built more into these applications or supplemental applications that carriers are asking, exposure to what they see as an oncoming threat.

CJ Dietzman (06:26):
Wow, incredible points. Bobby, thanks for sharing that. A couple other things that I've been tracking and thinking a lot about in the context of our clients and the industry in general. The omnipresence, the pervasive risk of third-party compromise and cloud-based attacks, cloud use cases. Cloud service providers continue to deepen and expand across commercial organizations globally as well as public entity organizations. The cloud use cases out of the box, your cloud environment, organization, public entity, your cloud environment may not be secure. You need to assume a state of compromise, not assume a state of hardening and reasonable security. It really takes two, sometimes three, the two in the box model, my cloud environment. I don't outsource that risk to the cloud service provider. On the contrary, I outsource everything but the risk in many ways. I need to look at the configurable security controls.

CJ Dietzman (07:27):
I need to continue to monitor security in the environment. What about my third party's third party? What about fourth parties? What about interconnected cloud systems with legacy infrastructure? A lot to unpack and consider here. Let's remain vigilant when we think about third parties in our cloud service providers. The other thing as well, I'd be remiss if I didn't mention this, resource constraints, the human resource constraints in our industry. It continues to be a challenge, not just doing more with less because of budgetary challenges, but I'm talking about not having enough cyber risk management and security talent to build and maintain and operate a reasonable defensible cyber risk management program. Do we have enough resources? Can we attract them? Can we recruit them? Can we onboard them, retain them, develop them to enable the organization to achieve its objectives? Or are we struggling with trying to do too much with just not enough talent? You know, Brendan, something else you and I have been talking quite a bit about, this is an election year and there are nation state actors. When I think about the big four: Russia, North Korea, Iran, China, what do we think is going to happen in 2024 election year nation state actors? Go ahead.

Brendan Hall (08:47):
It's going to be an interesting year, but I think in terms of predictions for the election, I’m thinking we're going to see more of the same. A lot of you know, deliberate attempts to spread disinformation and misinformation through social media, virtually every other channel possible. What really has me concerned about this coming election is the deep fakes. We saw this a little bit with something that the Russians did with President Zelensky. I watched the video, and it looks a lot like he says, we're ready to surrender. So, I think we're going to start to see a lot of that. It's one of the things that gives me the most afraid of, going in terms of the continual undermining of factual information as it relates to elections and many other things. And so, I think deepfakes is what is just yet another mechanism that can be deployed by people who are trying to sow the seeds of discord and just disrupt an otherwise functioning society. Looking forward to it, just in some ways, because I think it'll be interesting, but also cringing, and buckling a seatbelt here because it's going to be a bumpy ride.

CJ Dietzman (09:48):
No doubt. Thanks for that, Brendan. Bobby, what discussion about cyber risk management and security and building a program that's reasonable and defensible would be complete without talking about the state and the future state of the cyber insurance market? Bobby, what are we looking at here?

Bobby Horn (10:06):
Yeah, 2023 was an important year. As far as the cyber market's maturity level. For two plus years in a very hard cycle where rates were just going up every other week, clients getting hit with huge triple digit increases on their renewals, whereas 2023, we finally saw a leveling off of the marketplace, which I thought was critical for this survival of this product to continue going on. Rates have been coming down pretty consistently for the most of 2023, and we expect that to continue through 2024, at least the first half. We can certainly say that we don't expect there to be any major changes from an underwriting perspective or rate changes in that first half. All that being said, in our conversations we have with our markets and insurers, ransomware attacks continue to increase every year.

Bobby Horn (10:49):
There's a couple reports that we look at on a monthly basis, and ransomware attacks are up every month of the year. And that just shows that 2022 seems to have been a bit of an anomaly. I think a lot of that has to do with the war in Ukraine where the threat actors were, as opposed to deploying their malware against innocent third parties, they were going after each other. But we have seen significant increases in ransomware attacks in 2023, and that doesn't seem to be letting up as we move into 2024. So, at some point there's going to be a breaking point where carriers are going to have to do something that maybe hold a line on rates going down. We'll see when that actually takes place because there are still a lot of carriers out there looking to put more premium on their books. But claims are trending up, rates are still trending down. So, it's an interesting spot to be in, but certainly we're as on top of it as we possibly can be in our discussions with not only our U.S. markets, but also our London partners as well.

CJ Dietzman (11:39):
Fantastic. Well, what a fulsome conversation. Brendan, what do you think?

Brendan Hall (11:45):
Yeah, it will be interesting to see. We'll come back next year around this time to see how accurate our predictions were. But as always, a pleasure to have these conversations with you guys and we thank Alliant for giving us the opportunity to chat through our thoughts on 2024. Unless anyone else has any other thoughts, I'm good to sign off for the year. I'm going to try to take care of this cold and we'll see you in 2024.