Insurance and controls have always gone hand-in-hand in the Cyber insurance market, working together to help mitigate and protect against the risks posed by hackers and other threat actors.

For a long time, insurers saw control processes as a requirement for insureds looking to access higher levels of cover, but shifting market dynamics are changing that.

"Carriers are being a little bit more flexible now," RPS Area Assistant Vice President Kunal Mallik says. "A year or two ago, if you didn't have multi-factor authentication (MFA), you almost always found yourself in a situation where you weren't going to get full ransomware extortion coverage, or if you did, there would be a limitation via either co-insurance or a smaller sub-limit for ransomware and extortion.

"But due to basic competition, people are now more willing to offer those limits at full capacity with a lower level of controls in place, just because they have to stay in the market and avoid losing business to new entrants that may not be as strict on their requirements."

The rise of generative artificial intelligence (AI), however, may be about to change things again.

"Generative AI is certainly a looming threat for the Cyber insurance market," Mallik says. "We've seen hints of this already with ChatGPT and the sheer capabilities of smart tech. We have to be wary of this technology, because it gives hackers the ability to smart hack, which is very concerning for the industry.

"If these threat actors use generative AI to create malware that not only adapts, but also responds to anti-hacking, then we're in for a whirlwind. Because then malware would be able to evade, change and transform, and ultimately become a threat so big that it can't be taken down."

And these hackers are already using new tools and techniques to get around controls that, historically, have been excellent gatekeepers.

"MFA bombing, or MFA fatigue attack, is a new attack vector that we've been seeing more of lately," Mallik says. "It's when someone uses social engineering or phishing to gain your initial credentials, and then can spam you and get you to react to your second form of verification of identity to gain access to your systems."

So while MFA may have historically protected organizations from the majority of ransomware attacks, that's no longer the case. Security requirements could be about to change again, with Mallik predicting a future increase in the levels of identity verification needed to make a system secure.

"Dual authentication is going to be eradicated as a result of this MFA bombing," he says, "and we're going to have to jump to the next level. But the question is, where does this all stop? Are we just going to keep needing verification on top of verification?"

Learn more about what's next for the Cyber insurance industry in the 2024 US Cyber Market Outlook.
