The insurance and reinsurance industry is currently treating artificial intelligence (AI) as a potential “force-multiplier” for cyber losses, but the pace of AI development and roll-out is reshaping cyber risk in general and introducing portfolio aggregation and loss correlation risks, specialist modeller CyberCube has explained.
CyberCube cautions in a recent report that both underwriting and modelling approaches for cyber risk may need to evolve, as “AI is reshaping cyber risk by increasing the speed, scale, and coordination of attacks.”
With the help of AI, threat actors are able to exploit security gaps increasingly quickly, and security engineering is struggling to keep up with the current pace of change.
William Altman, Director of Cyber Threat Intelligence Services at CyberCube, explained, “AI is compressing the cyberattack lifecycle, reducing the time threat actors spend between initial compromise and operational disruption, and in some cases enabling impact to occur before detection and containment are effective.
“As a result, recovery capability may become a more important determinant of business interruption (BI) loss severity than traditional preventative controls.”
CyberCube calls on cyber catastrophe and aggregation risk modellers to incorporate specific AI risk dynamics into their thinking and output.
The company warns that, “such analysis will become increasingly necessary if AI evolves from an augmentative capability into core operational infrastructure. In that scenario, dependencies across compute, cloud, and model providers could act as shared points of failure, requiring explicit modeling of how disruptions at these layers might propagate across insured portfolios and generate correlated, cross-sector losses.”
CyberCube notes that artificial intelligence (AI) is currently “treated by (re)insurers as a force multiplier within existing loss frameworks rather than a distinct risk class.”
That view is now being challenged as AI evolves and attack timelines compress, while emerging developments such as identity-layer propagation and the proliferation of AI Agents add to the uncertainty around this approach.
“Adapting (re)insurance to AI-driven cyber risk requires focus across several key dimensions. These include understanding how AI technologies are developed, controlled, and deployed across enterprises; assessing how attackers are operationalizing AI in real-world campaigns and the resulting impact; and evaluating whether AI introduces new single points of failure (SPoF) or concentrated technology dependencies within the supply chain,” CyberCube said.
The urgency of discussions and analysis around how AI advancements will change the cyber threat landscape ramped up a level recently with the news that the latest model release from Anthropic was sophisticated enough to create new exploits and threats in software systems that have been deemed some of the most secure in the past.
Anthropic’s Claude Mythos release has been held back from general availability due to concerns over the cyber security threat it could pose in the wrong hands.
Demonstrating just how seriously that threat is being taken, Anthropic is working with industries and leading software companies to help them test out Claude Mythos, better understand its implications and patch the security holes the AI had found or developed exploits for.
In the wrong hands AI technology like this could put the software and cyber security industry under immense pressure, as they need to keep up with the pace of AI developments to ensure the integrity and efficacy of their products.
For the cyber insurance and reinsurance industry, leaps forward in the abilities of artificial intelligence (AI) and AI agents are a concern, as they can introduce meaningful new risk exposures and entirely new vectors that haven’t been seen or considered in the past.
There are potential ramifications for cyber catastrophe bonds and any insurance-linked securities (ILS) arrangements exposed to cyber attack risks as well, as naturally they could find their exposure to loss evolving as new and often unexpected threat vectors emerge.
CyberCube particularly cautions about the threat of increased loss frequency, heightened correlation risk across portfolios and the potential for new aggregation pathways to test current reinsurance structures.
“Concentration across compute, cloud, and model providers creates the potential for aggregation risk, while expanding enterprise adoption embeds AI deeper into critical operations. As a result, the severity and correlation of losses are increasingly driven by recovery capability, identity security, and dependency management, suggesting that underwriting and modeling approaches may need to evolve,” CyberCube explains.
CyberCube added, “For cyber catastrophe and aggregation risk modelers, the key implication is that risk concentration could be structurally embedded at multiple critical layers, particularly where market dominance or technological centralization exists (e.g., lithography, advanced chip fabrication, GPU compute, foundation models, and hyperscale clouds). Disruption or compromise at any of these nodes, whether through cyber intrusion, operational failure, or geopolitical constraint, has the potential to propagate downstream across a wide set of insureds simultaneously, creating correlated loss scenarios rather than isolated events.
“The extent to which AI-driven single points of failure should be explicitly modeled within cyber catastrophe scenarios that are not currently contemplated in existing frameworks depends on how deeply AI becomes embedded in business-critical functions across industries. If AI shifts from an augmentative capability to core operational infrastructure, including decision-making, automation, and control planes, failures at concentrated points in the AI supply chain could be more likely to translate into systemic, cross-sector loss events.”
Dependencies are a critical point for the cyber risk modelling and underwriting community to get to grips with.
William Altman of CyberCube stated, “As AI becomes more deeply embedded in critical business operations and increasingly concentrated across compute infrastructure, hyperscale cloud platforms, and foundation model providers, the potential for portfolio aggregation risk may rise. This reflects the tightly coupled nature of the AI supply chain, where dependencies on a small number of dominant providers create shared points of exposure across insureds. This increases the likelihood of correlated losses rather than isolated events, particularly as AI systems take on greater roles in automation, decision-making, and operational control.”
In some ways, AI advancement introduces an element of potentially unmodelled risk to in-force deals, as the range of threats evolves such that there are entirely new vectors and potential attack scenarios which could ultimately affect or create losses to cyber insurance and reinsurance structures.
Not to mention the systemic threat of aggregation and correlation of exposures, delivered through the rapid roll-out and adoption of AI technologies.
The new threats and the risk of aggregation or correlation will, it seems, be factored into cyber risk modelling tools and other cyber security analytics fairly quickly, given the rapid pace of change and AI evolution.
For cyber catastrophe bonds and other cyber ILS instruments, it’s going to be important for the industry to consider how the changing threat landscape could affect outstanding transactions, and how the pace of AI development and the potential for new threats and aggregation risks to emerge should be accounted for within new transaction terms and conditions.
There’s no certainty that AI developments drive incremental financial losses for re/insurers at this stage, but it’s an evolving landscape those in cyber risk underwriting and investment need to stay abreast of.