What’s the BUZZ? — AI in Business

Assess Cyber Risk Potential with AI (Guest: Amit Arora)

April 04, 2023 Andreas Welsch Season 2 Episode 5

 In this episode, Amit Arora (VP - Head of Product, Cyber Risk Solutions) and Andreas Welsch discuss how AI helps reinsurance companies assess cyber risk potential. Amit shares his story about teaching AI how to deal with previously unseen situations and provides valuable insights for listeners looking to learn about concrete AI scenarios in the industry.

Key topics:
- Learn how AI helps identify previously unknown risks
- See how cyber risk insurance can be calculated more accurately in times of uncertainty
- Understand who benefits from AI-based cyber risk assessments

Listen to the full episode to hear how you can:
- Deal with uncertainty of emerging cyber threats
- Improve the customer journey for risk assessments
- Understand how AI helps enterprises/policyholders, insurances/brokers, underwriters

Watch this episode on YouTube:
https://youtu.be/--7OyAD_79U

***********
Disclaimer: Views are the participants’ own and do not represent those of any participant’s past, present, or future employers. Participation in this event is independent of any potential business relationship (past, present, or future) between the participants or between their employers.


More details:
https://www.intelligence-briefing.com
All episodes:
https://www.intelligence-briefing.com/podcast
Get a weekly thought-provoking post in your inbox:
https://www.intelligence-briefing.com/newsletter

Andreas Welsch:

Today, we'll talk about assessing cyber risk potential with AI. And who better to talk about it than someone who builds products that do just that. Amit Arora. Hey Amit. Thanks for joining.

Amit Arora:

Hey Andreas. Thanks for having me.

Andreas Welsch:

Awesome. Hey, why don't you tell our audience a little bit about yourself, who you are and what you do.

Amit Arora:

Sure. So I am Vice President of Product Management for Cyber Risk Solutions at Swiss Re. As you may know, it is one of the largest reinsurers in the world. And I think the vision of the company is to make the world a better place from a risk management and risk assessment perspective. I've been with the company for about two and a half years now. Prior to that, I've worked with companies like Cisco, Vodafone, GE, et cetera. About 22 years in product management space. I would say 10 to 11 years in the field of statistics, maths, everything that leads up to machine learning and AI. And in addition, I'm also a professor at Columbia University, the School of Engineering where I teach a couple of courses related to AI and analytics. So that's me.

Andreas Welsch:

Thanks for sharing. We met in New York at The AI Summit last year in December and talked a bit as well. It's not very common for people to have so much expertise in different industries. So that's why I'm really excited to have you on. And so for everyone in the audience. If you're just joining, drop a comment in the chat where you're joining us from today. I'm really curious to see how global our audience is. Amit, should we play a little game to kick things off. What do you say?

Amit Arora:

Sure. Always love to play games.

Andreas Welsch:

Good. So this one is called In Your Own Words. When I hit the buzzer, the wheels will start spinning. And when they stop, you'll see a sentence. And I'd like you to answer with the first thing that comes to mind and why. In your own words. And so for those of you in the audience, I would ask you to do the same. What comes to mind and why? Amit, you'll have 60 seconds to answer. So to keep things a little interesting. And for those of you watching us live, drop the answer in the chat. Amit, are you ready for What's the BUZZ?

Amit Arora:

Yep, think so.

Andreas Welsch:

Okay, awesome. Then let's do this. If AI were a color, what would it be? 60 seconds.

Amit Arora:

Black.

Andreas Welsch:

And why?

Amit Arora:

There's so many unknowns. And I would say it's as interesting and as awe inspiring as the universe itself. And if you're really going deep space, there's just really no color. Blackness. When I think about AI, we are scratching the surface in terms of the potential, in terms of the use cases, in terms of various techniques and frameworks that are available today. And also the fact that there are new things coming out every day. So that kind of makes me believe that there's so much of discovery yet to be done.

Andreas Welsch:

Let's start shedding some light on things and bring some light into the darkness today. By the way, I see it also matches what we're wearing. Nice. Hey, when we talked about what you do in the area of cyber risk that really prompted me to also take more of an industry lens. Last year, we've talked a lot about Robotic Process Automation and setting up your AI strategy and AI CoE here on the show. And I really want to get in more of that industry perspective and what do leaders in the industry actually do with AI? Where does it add value? So I'm really excited that we'll hear from you today about what are you doing around cyber risk? Maybe let's start with the basics, right? You mentioned Swiss Re as a reinsurance company. I think we all have some kind of insurance: car insurance, health insurance, and so on, that we're familiar with as consumers. But not everybody might be as familiar with the term cyber risk insurance. So maybe can you say a few things about what it is and what makes it unique for using AI?

Amit Arora:

Let me explain it in two parts. So one is in terms of what is cyber risk and cyber risk insurance, and then how does AI help in achieving the goals that we have in that space? Cyber risk insurance, just like any other insurance, is a method of risk transfer. When you buy a life insurance policy or a car insurance policy, essentially what you're trying to do is potentially transfer your risk to the carrier. And the carrier is assuming the risk by calculating or forecasting what is the probability of something adverse happening. So they're trying to put some dollar value on what the potential loss might be in case something happens. And they're trying to do that over hundreds and thousands of customers and they're trying to create some means and averages, probability models of something happening and trying to understand what the pricing or premiums might come out of it that they can. So they're trying to protect their own losses and payouts, but at the same time, you as a consumer are trying to put the risk in somebody else's bucket. And protecting yourself in case something happens. So in cyber, too, it's very similar. The fundamental reasoning remains the same. But in the case of cyber, I think the difference is, as compared to life insurance or car insurance, there's a lot of historical data that insurance companies have on life expectancy and protecting somebody with a life insurance policy. You know the person's age, gender, demographics, whether you smoke or you drink, or your preexisting health conditions, et cetera, et cetera. Everything goes into the pricing models for life insurance premiums calculations. It's more of a deterministic approach where the input variables when it comes to machine learning or AI, if you were to use those kind of tools to issue some premiums and quotes, which are fairly accurate and they stay within like the upper threshold and the lower threshold in terms of what those potential losses could be. And it's been going on for ages.
It's a very mature use case. When it comes to cyber, though, how do you measure cyber risk? So let's say you are a company and you go to a carrier and you say, I wanna buy cyber insurance policy to protect my business from a cyber event. And the cyber event could be defined in multiple ways. A cyber event could be a ransomware event. Somebody gets into your network, holds you to a ransom against giving your own data back to you by encrypting it, et cetera. It could be cyber extortion where if you don't pay me, I'm gonna release your private data to the public. And what would happen is you would not only have reputational harm. You would also have liability issues from customers whose data is now out in the open. For example, healthcare data which is protected by HIPAA laws, et cetera. If a hospital loses that, then patients can sue the hospital potentially on that. So these organizations have different pain points, and that's what they're trying to protect themselves against by buying a cyber risk insurance policy. Now the issue was more around understanding what is the level of risk from all these events. And there is no one way to do it as compared to other instruments of insurance that I just spoke about, like life and auto. Purely for the reason that cyber is such an emerging landscape. The cyber threats are ever-evolving. There're new, emerging threats coming out every day. So how do you create AI models that have not been exposed to these kind of threat data points before in their life? If you look at historical claims and data for cyber claims, they wouldn't contain that intelligence. What's the point of creating a model and calculating premiums using AI if the AI doesn't have adequate data to train on? So I think that's a challenge that we are trying to address.

Andreas Welsch:

I see. So definitely sounds like a complex field. When it's really about the unknowns and seeing things for the first time and all these anomalies. There's a lot of uncertainty in the way these cyber events manifest themselves. What they look like, how they're executed, what the impact is. What's the benefit then of using AI for that cyber risk assessment? What does it do specifically that you haven't been able to do before?

Amit Arora:

So I think there are two or three areas which we are trying to refine and improve in the market. We look at the customer journey. And there's a question about what's the starting point in calculating cyber risk. I think the starting point is a customer coming to a carrier and saying I wanna buy a cyber insurance policy. Now you need to have a tool or a mechanism where you are able to assess the underlying cyber risk for that particular customer. And then you start looking at industries. Every industry has a different risk profile. So for example, banks and payment gateways and companies which undertake financial transactions obviously are right up there. The threat is extreme for them in case they get hacked. It's not just reputational harm, but also financial harm as well. Healthcare and hospitals are another area to see what's the underlying industry risk. And that's the starting point. So you start with the industry risk. You look at which industry are we looking at, where the client resides. And then you go to client specific risk assessment. Right now, the way risk assessment is done is through questionnaires. And these are long multi-page questionnaires. Things like what's the state of your multi-factor authentication implementation? Do you have firewalls? Do you have any ports open that should not be open, et cetera? And so you get those responses from the CISOs of those companies. And based on that, the underwriters were to assess the underlying risk for you and then issue you some kind of a premium or insurability level. We are trying to do it in a slightly different way. We believe that there are better ways to do it. Obviously using models, et cetera, to automate and make the customer journey more efficient and friction free. One of the ways to do that would be to actually look at the cloud telemetry and the cloud configurations of that customer and validate how strong are those configurations?
Number one: the strength of the configurations and also the comprehensiveness of those configurations. Let me take an example. If the customer is using or storing large amounts of data, petabytes of data, the customer is using a database that cannot scale or does not have inherent security protocols embedded. Then, we believe that customer has a large potential risk of that data being swiped or some kind of a ransomware attack being propagated at some point in time in the future. And then the recommendations would be you might want to use something else, some other subscription for cloud security to protect your data. So all that intelligence can be taught to models. So now the models are not just assessing risk based on actual configurations, which are very client specific. So we are moving away from saying, if you belong to this industry, this is your inherent risk and therefore this is your premium. It's a starting point, but then you definitely need to do a client specific risk assessment is where I'm coming from. And questionnaires are not just sufficient for that. You need to conduct an actual risk assessment of configurations and cloud telemetry to be able to justify what ratings and what premiums are you calculating for the client.

Andreas Welsch:

I think you already mentioned underwriters as stakeholders in that process. Are they the only stakeholders in this process? Are there others? And who benefits in the end from doing that kind of cyber risk assessment with AI?

Amit Arora:

Yeah, there are three main stakeholders and risk in the cyber risk insurance and assessment life cycle. Of course the policy holders or the enterprises are one. They're the ones who are trying to transfer risk in the first place or protect themselves. The second persona is the broker or the cyber insurance. And broker is the first point of contact in many cases where the policyholders would go to to request for a quote. And then the third party would be the actual carriers and the underwriters. The actual insurance companies who would provide a quote to them. In this case, I think all the three parties would potentially win again by process improvements, by automation, by use of machine learning. Primarily because if you are able to produce a risk assessment that is now based on a more deterministic model approach rather than stochastic. And you are able to pinpoint all the input variables that go into model formulation and training. If you could actually do that what would happen is the policy holders would get a very good view of their own security. And they would get an opportunity to improve their own security posture, whether they are trying to buy insurance at that point in time or not. Good security is always good. And that's what CISOs are there for in companies to make sure that remains the way it is. So they win. The brokers obviously win because now the brokers, based on this new type of security assessment, are able to go back to the customers and say: Hey I ran this security assessment for you. These are your ratings. These are your financial expected financial loss figures. And these are the areas where you, we think that you might want to buy more coverage. And those are the areas where we think that you have adequate coverage. So you don't need to spend more. So the brokers come across as trusted advisor, rather than just people who are facilitating transactions between a policy holder and the carrier or the underwriter.
And of course the underwriters now win because what underwriters are looking at is improving their loss ratios at a portfolio level. So they always want to have better risk selection in terms of who they underwrite and who they don't. Because ultimately it's an exposure. And they're only trying to look at customers with really good security postures, really highly rated from an insurability standpoint. And so they get to win because now they have ample insights into that customer. And they're more confident to say whether I want to insure this customer or not in the first place.

Andreas Welsch:

Thank you for drawing that picture of the three different personas. Hey, I see we're coming up to the end of the show in a few minutes. I was wondering if you can summarize the three key takeaways for our audience today.

Amit Arora:

Yeah, I think there were a couple of announcements also from the White House and from the regulatory bodies. Some national frameworks around cybersecurity protecting national interest as well. And making sure that the government also provides some kind of a blanket, minimum layer of cybersecurity to at least the public sector entities. And then going beyond that at some point in time to protect national interest, infrastructure, et cetera, et cetera. There's a lot of action as well in this space. The second thing that I would like to share is when you look at the cyber premiums they've been going up and up for the last couple of years. And it's very difficult now for enterprises to create budgets for cyber and risk insurance policies, because they don't know what the new premium's gonna be next year and next year. Because they're not stagnant anymore. There're emerging threats, as I mentioned, which are pushing the premiums. The risk profiles higher and higher. This is over and above what the inherent risk is for their enterprise. These are all macro, external and developments that are causing that to happen pretty much at most of the time. So the other thing that we are trying to address is by using AI and machine learning, how do we get to a more accurate representation of the financial impact in case a cyber event were to happen to any company. Those are those production models that we are trying to create and develop and launch in the market. And that should give enough evidence and comfort to this ecosystem that I spoke about to be able to say, Hey do I really need to push the premium further right for the underwriters, or now I see everything that I need to see from a risk posture perspective for this particular enterprise. I'm happy to give a discount if the company says, I'm gonna fix three of the vulnerabilities that were discovered in the risk assessment. So I think those are the conversations that we hope would be more and more happening on the table.

Andreas Welsch:

I think that's a great overview of what we talked about. Amit, thank you so much for joining us and for sharing your expertise with us and for those of you in the audience for learning with us. I think that was a very informative session and good to see and to hear what's happening in insurance and specifically around cyber risk because these types of events are hitting the news. There's something very frequently. So, good to see how AI can help address those risks and identify them before they become real issues. Thanks, Amit.

Amit Arora:

Thank you, Andreas.