Brokers face AI-driven cyber risk shift
The efficiency and scalability gains from artificial intelligence (AI) adoption cut both ways. As financial services firms embrace the technology to perform a range of administrative and operational functions, cyber threat actors are using it to identify new vulnerabilities and launch widescale attacks at speed. As humankind spirals into the 21st Century, AI is being unleashed in both traditional computer fraud and the ever-evolving cybercrime realm.
Join the debate around AI in claims
The overlap of AI with traditional business email compromise (BEC) and phishing attacks is of great concern to local brokers, corporate risk managers and insurers, many of whom are already using AI and AI Agents to perform administrative and customer-facing tasks in their own businesses. It is, for example, common knowledge that some of the country’s short-term insurers are piloting AI Agents in the claims role, a development that FAnews is keen to get your opinion on. Please take a minute to share your thoughts on ‘The AI debate in claims processing’.
Getting back on topic, in an hour-long presentation on cyber risks, hosted by ITOO Special Risks, Danny Myburgh, MD of Cyanre: The Digital Forensic Lab, said that cyberattacks, data compromises and ransomware were so prolific that those tasked with combatting such crimes risked losing sight of conventional computer and internet fraud. “One of the main trends that we are seeing is the impact that AI is having on the automation of attacks; the threat actors are really jumping onto the AI bandwagon and using it to great effect,” he said.
Cybercriminals are using AI to improve every stage of their cyberattacks. During the planning stage, they often use AI to ‘scrape’ social media platforms to draw up an organogram of a target firm. “Once they have the data, they use it to identify who is in what position within the firm and what that person’s interests are; within a short period, they can have an extensive AI-generated intelligence report on the firm,” Myburgh said. At this stage they will tailor a BEC or phishing attack featuring or targeting that individual.
AI is doing the hacker’s heavy lifting
On the one hand, cybercriminals are using AI Agents to model the BEC or phishing attack with the highest probability of success given what they know about the individual. On the other, they use AI to automate attacks, bypass credentials and logins, disable firewalls and virus scanning tools and execute scripts. According to Myburgh, AI has reset the timelines of system compromises. In the past, human hackers had to stay in the system environment for days, creating opportunities to trace them; nowadays, AI can execute in minutes.
So, while IBM’s Cost of a Data Breach reporting shows that organisations are identifying breaches more quickly than in the past, experts like Myburgh warn that AI is compressing the time between initial access and attack execution, reducing the window for detection before damage is done. “IBM did surveys in 2022 and 2023 where they found that the average duration of a hacker in an environment was more than 200 days, now just think of what the hackers can do with AI in that period,” he said.
The presenter explained how modern AI applications enabled threat actors to create realistic voice and image replicas using just 30 seconds of speech and a photo or two. Why would Tom Cruise or Michelle Pfeiffer be contacting you, he asked. And why would top-tier businesspersons like Elon Musk or Johann Rupert attach their brand to a local get-rich-quick trading platform? Common sense and vigilance are the best defence against this practice, but humans frequently get caught off guard.
Voice and video deepfakes in action
There are numerous real-world examples of successful deepfake cons. In early 2024, a Hong Kong-based multinational reportedly lost around USD25 million after an employee authorised payments during what appeared to be a routine internal video conference, only to discover that the CFO and other participants had been impersonated using AI-generated deepfake video and voice cloning technology. AI strengthens BEC scams by adding a layer of visual and audio credibility to social engineering attempts.
Myburgh commented on individuals from Gen Y and Z being “too free” with their personal data, citing the recent trend of sharing photos and social media profiles with an AI to create caricatures for posting on Facebook or LinkedIn. “People are keen on playing around with these type of ‘toys’ but they do not appreciate the risks,” he said.
Discussion moderator, Lwando Cwane, Cyber Underwriting Team Lead at ITOO, chimed in at this point, saying that the terms and conditions of AI and social media channels typically grant providers broad rights to collect, store and repurpose user data for training and commercial use. Overall, the presentation laid out a perfect storm of factors playing into cybercriminals’ hands.
First, cryptocurrencies and adjoining fintech infrastructure created new channels through which to move stolen funds with limited traceability. Second, data protection regulations like GDPR (EU) and the Protection of Personal Information (POPI) Act (South Africa) created an incentive to steal data. “POPI-type legislation places a responsibility on firms to notify data subjects, and they are subject to regulatory fines and penalties for breaches,” Myburgh explained. And third, there are now an abundance of tech-related portals into systems.
Organised cybercriminal syndicates
Another factor causing brokers, risk managers and underwriters sleepless nights centres on the commercialisation and professionalisation of cybercrime. Over the years, the environment has gone from one dominated by hackers testing their skills for fun to one where criminal outfits specialise in one aspect of the compromise chain. “We are seeing ransomware as a service … and there are groups that just focus on system penetration, or credential harvesting,” Myburgh said. Hackers on-sell credentials while others rent out IT infrastructure for cyberattacks.
Stepping out of the forensic expert’s shoes, and back into those of the broker or insurer, the session served as a reminder that baseline risk identification and mitigation matter. Cwane pointed out that Multi-factor Authentication (MFA) was now included in ITOO’s cyber risk questionnaire by default, calling it an important defence against credential harvesting and account takeover that insureds should rather implement than not. Experts view MFA as a minimum standard, with both presenters recommending it despite conceding that threat actors were primed to find workarounds to any security measure.
The presentation also dwelled on the old school practice of sensible verification as an effective countermeasure against impersonation scams and payment diversions. “The best way to combat these scams is to verify before making a payment,” Cwane said, cautioning that finance teams should avoid relying on contact details supplied in an email when confirming bank account changes or payment instructions.
Managing third party risks
The ITOO staffer also confirmed that BEC features prominently in insureds’ portfolios, describing these attacks as “a big driver of the notifications and claims that ITOO was seeing.” This has reinforced the importance of verification protocols, particularly where payment instructions or banking details are received via email. Separately, policy wordings are evolving to reflect insureds’ reliance on outsourced service providers, where a breach at a critical vendor may trigger financial loss or business interruption for the principal organisation.
As for your writer, he concurs with Myburgh’s observation that while the scam types have remained relatively unchanged over the past few years, AI is enabling threat actors to execute them faster and at greater scale.
Writer’s thoughts:
AI is not introducing new cyber risks so much as accelerating the ones brokers and underwriters already deal with. Have you noticed this shift in your practice, or is your experience in the cyber insurance field still limited? Please comment below, interact with us on X at @fanews_online or email us your thoughts [email protected].
Comments