On Aon Podcast: Insights into Preparing for Evolving Cyber Exposures

April 30, 2024 16 mins

On Aon Podcast: Insights into Preparing for Evolving Cyber Exposures

Episode 74: Aon experts discuss the evolving cyber exposures and the regulatory landscape.

Key Takeaways

In this episode, Aon experts identify the impact of AI and machine learning on underwriting.
Aon’s experts share insights into key takeaways for regulatory actions.
Episode 74 provides an overview of the evolving regulatory environment.

Intro:
Hi everyone, and welcome to the award-winning “On Aon” podcast, where we dive into some of the most pressing topics that businesses and organizations around the world are facing. Today we hear from Karrieann Couture on evolving cyber exposures and the regulatory landscape. Now, please welcome this episode’s host, Matt Chmel.

Matt Chmel:
Hi everyone. My name is Matt Chmel. I'm the Chief Broking Officer of Aon’s Cyber Solutions practice within Aon's Commercial Risk Division. In today's On Aon episode, we're going to be discussing the evolving cyber explosions, including regulatory and AI. This is a hot topic because ransomware's frequency is up compared to last year. Regulatory requirements continue to be introduced, including the SEC disclosure laws, which we will hit on in detail in this podcast.

In 2023, ransomware attacks disrupted businesses across all industry sectors globally. Healthcare, entertainment, manufacturing, education, public entities are just to name a few industry segments that were impacted by a ransomware attack. A consequence of these attacks are increased notices for insurers, potentially severity payments for insurers, and then potential exposure to organizations around public company SEC disclosure laws related to the actual attacks on their organizations.

With me today is Karrieann Couture, our Cyber and E&O Claims Leader. Thank you for being with me today, Karrieann. So, let's get started. The first question: Karrieann, can you tell us a little bit more about the regulatory environment, and particularly the SEC rules that I mentioned earlier?

Karrieann Couture:
Sure. So, Matt, as you know, we see the impact of cyber attacks, and we can see the significant impact they have on public companies, whether it's their operations, their finances, and their reputation. So, the SEC established these rules to ensure that there's accountability, as well as transparency, around the management of these cyber security risks. These new rules will be instrumental and helpful for investors and help them make informed decisions on investments in voting.

I like to think of these rules in sort of like two parts. One, the new rules do require an 8-K reporting of any cyber security incident that's deemed to be material. So, the event must be reported within four business days of discovering that that incident has a material impact and there is an exception if there's a risk to public safety or national security. The reporting typically should include the nature, scope and timing of the incident and should describe the material impact or reasonably likely material impact on the organization, including financial conditions and results of operations.

Now, we know that as these are public filings, I think we hear there might be concern from individuals and organizations about how this information might play into an active ransomware situation. If it's public, then the threat actors may have access to it, and this is where legal counsel comes in to help guide the type of disclosures that should be made during this time, as well as communication with the SEC. So, rules also require annual reports on their 10-K form, disclosing the company's cybersecurity governance, including management and board oversight of security practices, as well as information around events that have occurred throughout that year. And this disclosure of cyber incidents has received additional attention as a result of the SEC's lawsuit brought against SolarWinds and its CISO [Chief Information Security Officer]U. The SEC is alleging that SolarWinds and the CISOU concealed cybersecurity vulnerabilities and cyber events in their own regulatory filings. Now, it remains to be seen how this is going to play out, but it certainly underscores the seriousness that the SEC is placing on cybersecurity.

Matt Chmel:
Thanks, Karrieann. That's great. So, in light of some of these new rules, what would you suggest some of the organizations should be doing to really protect themselves?

Karrieann Couture:
Yes. Well, definitely working closely with legal and compliance advisors for guidance, and advice, and interpreting, and ensuring compliance with new regulations. They also would want to review and improve their cybersecurity and cyber risk governance and ensure the appropriate leaders are engaged in efforts to ensure compliance with security and governance policies, create a culture of awareness and proactiveness in regard to cyber risk, not just with the board of directors, not just with the C-suite, but all across the organization.

Third-party risk is huge, so assess that third-party risk and make sure there's a protocol to manage that risk. When you're engaging with a third party, you're at the mercy of their own cybersecurity, so make sure you have risk transfer protections and understand obligations there as well as what type of cybersecurity they have in place, and make sure you understand that. And then have an updated incident response plan that includes a procedure for identifying and reporting material cybersecurity incidents in line with the new rules. When identifying a material impact, you'd consider things like cost of the event, such as the legal cost forensics, restoration costs, impact on business operations and business interruption, potential expenses, as well as reputational costs. So now, just thinking about all these obligations, how are you seeing this play out in the broking underwriting world, Matt? Maybe you could talk a little bit about that.

Matt Chmel:
Yeah, so happy to. So, what we're seeing right now is underwriters are asking a lot of questions. Right? Especially within public organizations, what are the controls, the procedures that are put in place to follow these new disclosure rules? Also too, the coordination has never needed to be stronger with our financial lines broking colleagues because these may have an impact to management liability, specifically your D&O policies, with the new individuals with the CISO potentially being named in some of these suits, but then as well as the potential for SEC rulings or violations that could potentially impact both policies.

Also too, we're starting to see carriers look to address how to cover some of these actual disclosure parts of it. It may fall within the incident response part of your program. But then again, selection of counsel and appropriate vendors being used is another critical factor that a lot of insurance policies may typically restrict or may need to be specifically endorsed to handle these.

So, reviewing your policy is definitely something we would suggest, especially the event management, the vendor section, and then coordinating within the financial lines of world, so to make sure the management liability policies are being appropriately addressed as well too. So, shifting gears a little bit, obviously, we talked a little bit about the SEC's disclosure laws. Another hot topic we're seeing within the underwriting community and then out there in the world, in general, of cyber is around artificial intelligence in that environment. Anything you're seeing, any trends you're seeing, what's happening with artificial intelligence, how it's being used by some of your clients for good or for potentially threats against them?

Karrieann Couture:
Sure. So, the adoption of AI and machine learning obviously introduces novel risks and changes, underscoring innovation, adaptation within the cyber insurance ecosystem, and different ways it's being used. Right? I mean, it's being used for research, and decisions are made upon research that's being used with AI. AI is used to help create bots to do tasks within organizations, so there's that robotic aspect to it, I guess you could call it. There are also forensic teams who are fighting threat actors who are utilizing AI to try to stay a step ahead, as well as try to address attacks. But then that also means threat actors are using AI to improve their ability to hack into systems and conduct the nefarious activities that they conduct. So, there's a lot of different things going on, and I know we're probably seeing things from underwriters and responses. Maybe, Matt, you could talk to us a little bit about what you're seeing with the underwriters.

Matt Chmel:
Yeah. So, underwriters are definitely asking questions, especially if you have technology or miscellaneous professional liability policies in place, and you're using AI as a service, or potentially offsetting some of the services that you may use to service your clients, and particularly what are the implications and how that AI is being used as part of your business offering. Another area we're seeing underwriters really dig in and ask questions is if you are using any open source AI, and what are your policies, controls, and procedures around the data going into those because that could potentially lead to privacy violations under the policy as well.

So, the two main areas we're seeing being focused on right now are is around the privacy element, making sure you have the appropriate governance and controls around data and how AI is being used. And then if AI is being used as a service-to-service third party, how is that being used? What is being managed? And I know one area we're starting to see some claims come out of this is around copyright infringement claims, Karrieann, specifically around music or images. And I know we've had a couple of them. Maybe you can talk a little bit about that exposure.

Karrieann Couture:
Yeah. It's definitely the early stages, so it'll be interesting to see how that plays out, allegations around utilizing this information without having the appropriate permission. So, like I said, early stages. We're starting to see them come in, and it'll be very interesting how the law plays out there. We're also seeing some discussions in the regulatory environment. The European Union, actually, they have an AI act that is expected to be adopted before the end of their legislative term. This act classifies AI systems by risks and then it establishes obligations for AI providers and users according to the risk category that they fall into.

So, they have these different categories of use. And then this is designed to emphasize things that you were talking about, Matt, like the privacy, the data quality, transparency, so individuals understand if it is their private data, how it's being used, ensuring that there's a human oversight in the process as well as an overall accountability for using AI in the various aspects of their businesses.

In the U.S., there's some legislative proposals involving transparency around AI algorithms and data, again, similar to what we're seeing in the EU. And there's concerns over bias, accuracy, and privacy. Also, there's legislation around the use of deepfakes. So, there are a few states that have passed some laws regarding the use of deepfakes pertaining to elections and can only expect that it will expand from there.

Matt Chmel:
Thanks, Karrieann. So, we've covered a lot in the couple of minutes that we've had so far. As we look to wrap up, what are three or four key takeaways that risk managers, individuals within the organization who are responsible for potentially regulatory matters or AI matters should take away really going into 2024 and beyond?

Karrieann Couture:
Yeah, I think some of these things are things that are probably done regularly or should be done regularly on an annual basis, but certainly quantifying cyber risk. With the introduction of new technologies, we just talked about AI, that can be used in different ways. Cyber risk is changing as technology develops, so we need to stay on top of that and understand what technology is accessing, what data, and what are the privacy concerns around there. So, organizations will want to build stability and bespoke solutions, and this really means understanding the technology and security that's being used. Again, it goes hand in hand with understanding the cyber risk but also taking into account the changes in the legal and regulatory environment and how that, combined with your technology and cyber security, may impact your coverage. And we're seeing this in SolarWinds with the CISO being brought into that action.

Organizations want to make sure that those individuals involved in making impactful decisions around cyber security are covered, and ensuring they're covered under their policies, also ensuring that the policies work together, whether it's your E&O, your cyber policy, your D&O policy, making sure that there's appropriate risk transfer among those policies, and then partner with the whole organization. It's not an individual. It's not an island. The whole organization, it goes hand in hand with what I said earlier about having that culture, having everyone understand the cyber risks and being vigilant about that and working together with the different departments in warming that culture and being able to respond to an incident and really understanding everything that is needed to comply with these regulations and ensure that there's risk protection. Matt, do you have anything that you would like to add as far as some things to think about?

Matt Chmel:
Yeah, I would say just the last thing around the confidential nature of insurance policies, making sure organizations are really treating these in an encrypted format, potentially keeping them offline so threat actors can't get to them. We are seeing a trend or trend re-emerging where demands are starting to match policy limits. Individuals are starting to get reached out to within the organization. So, treating these documents, especially around cyber, kidnap and ransom, very confidentially in nature when disclosing how much limit you have for cyber insurance.

Well, thank you very much today for joining us, Karrieann. This was a great discussion. We covered a lot of information. That's our show. Thank you all for listening. We look forward to having you participate in next month’s. We'll have more discussions around cyber hot topics as well as episodes on workforce resilience, risk transfer, and much more. Until next time, thank you all very much, and have a great day.

Outro:
Thanks for tuning in to the latest episode of “On Aon” with our episode host, Matt Chmel, and today’s expert, Karrieann Couture, for a discussion on evolving cyber exposures and the regulatory landscape. If you enjoyed this episode, don’t forget to subscribe wherever you get your podcasts, and stay tuned for our next conversation featuring industry experts bringing you the latest on topics, including climate risk, workforce wellbeing, ESG trends, and much more. Be sure to check out our show notes and visit our website at Aon dot com to learn more about Aon.

The information contained herein and the statements expressed are of a general nature and are not intended to address the circumstances of any particular individual or entity. Although we endeavor to provide accurate and timely information and use sources we consider reliable, there can be no guarantee that such information is accurate as of the date it is received or that it will continue to be accurate in the future. No one should act on such information without appropriate professional advice after a thorough examination of the particular situation.

The contents herein may not be reproduced, reused, reprinted or redistributed without the expressed written consent of Aon, unless otherwise authorized by Aon. To use information contained herein, please write to our team.