IS CYBER RISK STILL INSURABLE IN THE AI ERA?
- 2 days ago
- 2 min read
'Is cyber risk still insurable?,' one of our clients asked yesterday. 'There's no final conclusion on that,' was the reply.
We were chatting about Mythos - Anthropic's new model, withheld from public release after it autonomously discovered thousands of zero-day vulnerabilities. Including bugs that had gone undetected for 27 years.
Anthropic shared it under restricted access to other tech firms so they could harden their code against it.
But what does this mean for insurers? Most institutions have built pricing assuming that sophisticated attacks require scarce human expertise. But Mythos-class AI erodes that scarcity.
And, in this new world, historical loss data can't project future claims. While risks become correlated - because a single exploit can propagate globally. And the threat actor pool is no longer identifiable or stable. Plus, you might reasonably believe that the maximum loss might not be knowable.
All of which breaks important assumptions of actuarial logic.
Previous modelling by Gallagher Re, Beazley, and Munich Re concluded that a single systemic malware event could generate insured losses equivalent to all global cyber premiums. Roughly $16 billion. In one incident.
So is this game over? Will the rest of the economy have to bear cyber risk?
Perhaps not. There are signs that coping mechanics are emerging.
Firstly, its worth remembering that the same AI capability that makes cyber offense more accessible also makes cyber defense easier. That's why Anthropic is sharing to others ahead of release.
And the insurance market is a creative place to live. Beazley issued a $300 million cyber catastrophe bond to date late last year - capital market appetite for cyber insurance linked securities is growing, spreading the risk to a wider investor pool.
Then there's the role of government. In the US, the Treasury published a Federal Register notice asking whether catastrophic cyber risk is adequately covered under the Terrorism Risk Insurance Program.
None of which might be enough to close the gap in the immediate term. The mismatch between the speed of the threat and the rapidity of institutional response is where the real issues sit.
So in-the-end-at-the-end?
Continue not to panic. But you might want to check your security regimes, insurance policies and be certain of your liabilities now - before the institutional response comes to its final conclusion.
