Category Archives: Technology

Cyber Risk

New U.S. Cyber Strategy Heralds Major Shift
for Addressing Attacks

Leave a comment

By Max Dorfman, Research Writer

A maturing Internet of Things (IoT) calls for measures to increase cybersecurity at the national, international, and private sector levels, according to a recent report by the White House.  

The new National Cybersecurity Strategy comes as cyberattacks continue to wreak havoc across the world, causing billions of dollars in damages. Furthermore, autocratic states such as China, Russia, and North Korea have ramped up aggressive cyber abilities to disrupt other nations’ interests and “broadly accepted international norms.”  

Key Takeaways 

The White House report aims to “build and enhance collaboration” for cybersecurity around five main tenets: 

  1. Defending critical infrastructure, involving mandatory requirements for cybersecurity, as the marketplace insufficiently rewards and even hinders who invest in measures to protect against cyberattacks. 
  1. Disrupting and dismantling threat actors, including diplomatic, military, and law enforcement measures to negate these attacks. 
  1. Shaping market forces to drive security and resilience through driving adoption of best practices in cybersecurity and resilience, utilizing the market to enhance capabilities. 
  1. Investing in a resilient future by engaging strategic public interests involving innovation, R&D, and education to ensure U.S. leadership in these areas. 
  1. Forging international partnerships to pursue shared goals through working with international institutions to identify and progress state behavior in cyberspace, including building peacetime norms and confidence-building measures through the U.N.  

Reimaging collaboration as partnerships and investment 

 According to the report, adhering to these principles require two fundamental changes in how the U.S. “allocates roles, responsibilities, and resources in cyberspace.” 

The first shift involves rebalancing the responsibility to defend cyberspace. The report states that end users are often tasked with far too much responsibility for lowering cyber risks. With small businesses, state and local governments possessing limited resources, a single individual’s failure to judge these risks can have national security consequences—which must be rectified. 

With this in mind, the report states that the government must protect its systems, while safeguarding private entities, particularly critical infrastructure. Further, “core government functions” like diplomacy, intelligence, imposing economics costs, law enforcement, and interrupting cyber threats are all essential to counteracting the threat of cyberattacks.    

The second shift involves realigning incentives to favor long-term investments. This entails defending current systems, while simultaneously advancing a digital ecosystem that is more defensible and resilient. This includes rewarding security and resilience with market forces and public programs, embracing designed security and resilience, and investing in research and development for cybersecurity in a strategic manner.  

While the implementation of these strategies is complex, the National Security Council (NSC), alongside the Office of Management and Budget (OMB), will lead efforts to implement a cohesive strategy, reviewing existing policy and assessing the need for new policy. The Federal Government will also use a data-driven approach to evaluate its efficacy, a much-needed move as cyberattacks continue to threaten the safety and economy of nations around the world.  

Rising cybercrimes create risks for insurers and consumers 

In 2022, 1,802 data compromises affected approximately 422 million people, according to a report by the Identity Theft Resource Center. Although data compromises remained even from 2021, the number of overall breaches has continued to rise. Additionally, losses continue to rise from cybercrime complaints, resulting in 10.3 billion in damages in 2022, according to the Internet Crime Complaint Center.  

As these issues present major problems for consumers, the global cyber insurance market continues to grow, with an estimated reach of over 91.22 billion by 2031. This represents a compound annual growth rate of 23.78 percent from 2023 to 2031. 

This market poses challenges and opportunities for insurers, as more cyber security professionals are needed to examine and prevent these threats. These risks can be addressed through training in cyber intelligence – but it will take significant investment to achieve this market’s expansion.  

Read more: 

Cyber liability risks | III 

Auto Insurance, Highway Safety, Technology

Crash-Avoidance Features Complicate Auto Repairs
But Still Are Valued

Leave a comment

Max Dorfman, Research Writer, Triple-I

As more new vehicles become equipped with crash-avoidance features, some owners report significant issues with the technologies after repairs, according to a recent report from the Insurance Institute of Highway Safety (IIHS).

In the survey, approximately half of those who reported an issue with equipped front crash prevention, blind-spot detection, or rearview or other visibility-enhancing cameras said at least one of those systems presented problems after the repair job was completed. 

Nevertheless, many owners remained eager to have a vehicle with these features and were pleased with the out-of-pocket cost, according to Alexandra Mueller, IIHS senior research scientist.

“These technologies have been proven to reduce crashes and related injuries,” Mueller said. “Our goal is that they continue to deliver those benefits after repairs and for owners to be confident that they’re working properly.”

Still, as problems with these technologies persist, the study notes that it is important to track repair issues to further the adoption of crash avoidance features. IIHS research has shown that front-crash prevention, blind-spot detection, and rearview cameras all substantially reduce the types of crashes they are designed to address. For example, IIHS said, automatic emergency braking reduces police-reported rear-end crashes by 50 percent.

An analysis conducted by the IIHS-affiliated Highway Loss Data Institute (HLDI) showed the reduction in insurance claims associated with Subaru and Honda crash-avoidance systems remained essentially constant, even in vehicles more than five years old. But repairs can make it necessary to calibrate the cameras and sensors that the features rely on to work properly, making repairs complicated and costly.

For example, a simple windshield replacement can cost as little as $250, while a separate HLDI study found vehicles equipped with front crash prevention were much more likely to have glass claims of $1,000 or more. Much of that higher cost is likely related to calibration.

The new IIHS study found that owners often had more than one reason requiring repairs to these safety features. Most had received a vehicle recall or service bulletin about their feature, but that was rarely the sole reason they brought their vehicles in for service or repair.

“Other common reasons — which were not mutually exclusive — included windshield replacement, crash damage, a recommendation from the dealership or repair shop, and a warning light or error message from the vehicle itself,” according to the study.

Repair difficulties could motivate drivers to turn off crash avoidance features, potentially making collisions more likely.  But, despite the post-repair issues, the study found that slightly more than 5 percent of owners would opt not to purchase another vehicle with the repaired feature. As reckless driving and traffic fatalities continue to rise, advanced driver-assistance systems will only become more important for the roadway safety, necessitating reliable technology.  

Learn More:

Personal Auto Insurers’ Losses Keep Rising Due to Multiple Factors

IRC Releases State Auto Insurance Affordability Rankings

IRC Study: Public Perceives Impact of Litigation on Auto Insurance Claims

Why Personal Auto Insurance Rates Are Likely to Keep Rising

Acting to Curb Rising Auto Fatalities

Cyber Risk

Despite Warnings,
Weak Password Policies Still Invite Cybercrime

Leave a comment

By Max Dorfman, Research Writer, Triple-I

It’s Cyber Security 101: Multi-factor authentication and hard-to-crack passwords are table stakes for preventing incursions.

Nevertheless, “Password,” “12345”, and “Qwerty123” are among the most commonly found passwords leaked on the dark web by hackers, according to mobile security firm Lookout. And, despite the amount of attention the issue receives, the situation does not appear to be improving.

A survey by EY, a consulting firm based in the United Kingdom, found that only 48 percent of government and public sector respondents said they are “very confident in their ability to use strong passwords at work.” The problem is exemplified by a recent study by the U.S. Office of Inspector General – part of the Department of the Interior (DOI), the agency responsible for managing federal lands and natural resources.

Hacking DOI, it turns out, is relatively easy.

In fewer than two hours – and spending only $15,000 – the Inspector General’s Office was able to procure “clear-text” (non-encrypted) passwords for 16 percent of user accounts. In total, 18,174 of 85,944 – 21 percent of active user passwords – were hacked, including 288 accounts with elevated privileges and 362 accounts of senior U.S. government employees.

Much of this issue, according to the report, stems from a lack of multifactor authentication, as well as password complexity requirements that allowed unrelated staff to use the same weak passwords. The Inspector General’s Office found that:

  • DOI did not consistently implement multifactor authentication;
  • Password complexity requirements were outdated and ineffective; and
  • The department did not timely disable inactive accounts or enforce password age limits, which left more than 6,000 additional active accounts vulnerable to attack.

The most commonly reused password was used on 478 unique active accounts. Investigators found that five of the 10 most-reused passwords at DOI included a variation of “password” combined with “1234”.

Simple passwords make hacking easy

With the average person having over 100 different online accounts with passwords, reusing passwords is understandable – but simple passwords make it easy for hackers to access personal data and accounts.

“Compromised, weak and reused passwords still account for the majority of hacking-related data breaches and are one of the top risk issues for most enterprises” said Gaurav Banga, CEO and founder of cybersecurity firm Balbix. In 2020, Balbix found that 99 percent of enterprise users recycle passwords across work accounts or between work and personal accounts.

A growing peril

“The cost of ransomware attacks has increased as criminals have targeted larger companies, supply chains and critical infrastructure,” Allianz says in its Allianz’s 2023 Risk Barometer. “In April 2022, an attack impacted around 30 institutions of the government of Costa Rica, crippling the territory for two months.”

The global insurer goes on to say, “Double and triple extortion attacks are now the norm…. Sensitive data is increasingly stolen and used as a leverage for extortion demands to business partners, suppliers, or customers.”

Part of this growth is due to the rise of “ransomware as a service” – a subscription-based business model that enables affiliates to use existing ransomware tools to execute attacks. Based on the “software as a service” model, it helps bad actors attack their targets without having to know how to code or hire unscrupulous programmers.

Shifting targets

Michael Menapace, an insurance attorney with Wiggin and Dana LLP and a Triple-I Non-resident Scholar, told attendees at Triple-I’s 2022 Joint Industry Forum that “ransomware as a business model remains alive and well.”

What has changed in recent years, he said, is that “where bad actors would encrypt your systems and extract a ransom to give you back your data, now they will exfiltrate your data and threaten to go public with it.”

The types of targets also have changed, Menapace said, with an increased focus on “softer targets—in particular, municipalities” that often don’t have the personnel or finances to maintain the same cyber hygiene as large corporate entities.

Organizations and individuals must take the threat of cyberattacks seriously and do as much as possible to reduce their risk. Improved cyber hygiene policies and practices are a necessary first step.

Cyber Risk, Industry Awards & Events, Insurance Industry

JIF 2022: Cyber Criminals Shift to Softer Targets And Reputation Threats

Leave a comment
Photo credit: Don Pollard

Cyber criminals continued to shift their tactics and adapt their techniques in 2022, according to experts speaking at the Triple-I Joint Industry Forum (JIF) last week.

Ransomware as a business model” remains alive and well, said Michael Menapace, an insurance attorney with the law firm Wiggin and Dana LLP and a Triple-I Non-resident Scholar. What has changed in recent years is that “where the bad actors would encrypt your systems and extract a ransom to give you back your data, now they will exfiltrate your data and threaten to go public with it.”

The types of targets also have changed, Menapace said, with an increased focus on “softer targets – in particular, municipalities” that often don’t have the personnel or finances to maintain the same cyber hygiene as large corporate entities.

Theresa Le, Chief Claims Officer for Cowbell Cyber, concurred with Menapace’s assessment, noting an increased tendency of cyber criminals to contact organizations’ customers or leaders as “a pressure point” for the organization to pay the ransom in order to avoid reputational harm.  

“Threat actors are focusing on the quality of the data that they can extract while they’re ‘in the house’,” Le said, “so it’s not just stealing Social Security numbers or other information they can sell on the Dark Web, as it was a few years ago. It’s really much more thoughtful and focused.”

Scott Shackelford, professor of Business Law and Ethics at Indiana University’s Kelley School of Business, reinforced Menapace’s and Le’s observations about the increased sophistication and adaptability of cyber criminals by talking about state-sponsored incursions.

“It’s not just the North Koreas of the world,” he said, adding that “a growing cadre of nation-states” are launching attacks “not just on large corporations but increasingly small and medium-sized businesses, even local governments.”

“We founded a cyber security clinic two years ago,” Schackelford said, “and the number one request we get from local government and small utilities has to do with insurance coverage. There’s a lot of need out there for better information.”

Shackelford emphasized the continuing evolution of the Internet of Things (IoT) as an “attack surface.” In the new pandemic-driven work-from-home environment, he said, “What counts as a covered computer device for some of these policies has led to litigation and remains a big vulnerability that we’ve only just begun to wrap our minds around.”

The conversation, moderated by Frank Tomasello, executive director for The Institutes Griffith Insurance Education Foundation, ranged across topics that included:

  • Deep-fake technology;
  • The importance aligning insurance pricing with the risk – and educating policyholders on how to get a better price by becoming a better risk;
  • How threats differ for different-sized organizations and for individuals; and
  • The need for better data and information sharing around cyberattacks and trends.

Learn More:

Triple-I “State of Cyber Risk” Issues Brief

Auto Insurance, Highway Safety, Technology

“A.I. Take the Wheel!” Drivers Put Too Much Faith in Assist Features, IIHS Survey Suggests

Leave a comment

Too many car owners are too comfortable leaving their vehicles’ driver-assist features in charge, potentially putting themselves and others at risk, according to the Insurance Institute for Highway Safety (IIHS).

IIHS said a survey of about 600 regular users of General Motors Super Cruise, Nissan/Infiniti ProPILOT Assist, and Tesla Autopilot found they were “more likely to perform non-driving-related activities like eating or texting while using their partial automation systems than while driving unassisted.”

“The big-picture message here is that the early adopters of these systems still have a poor understanding of the technology’s limits,” said IIHS President David Harkey.

The study reports that 53 percent of Super Cruise users, 42 percent of Tesla Autopilot users, and 12 percent of Nissan’s ProPilot Assist users were comfortable letting the system drive without watching what was happening on the road. Some even described being comfortable letting the vehicle drive during inclement weather.

These systems combine adaptive cruise control and lane-keeping systems, primarily to keep a car in a lane and following traffic on the highway. All require an attentive human driver to monitor the road and take full control when called for.

“None of the current systems is designed to replace a human driver or to make it safe for a driver to perform other activities that take their focus away from the road,” IIHS said in announcing the results of its survey.

While all three automakers caution drivers about the systems’ limits, confusion remains. Tesla’s driver-assist system, which it calls “full self-driving” has received much scrutiny over the years as auto safety experts say the name is misleading and risks worsening road safety.

The U.S.government has set no standards for these features, which are some of the newest technologies on vehicles today. A patchwork of state laws and voluntary federal guidelines is attempting to cover the testing and eventual deployment of autonomous vehicles in the United States. 

Learn More:

Background on: Self-driving cars and insurance

Insurance Fraud, Insurers and the Economy, Technology

Tech Gains Traction
in Fight Against Insurance Fraud

Leave a comment

By Max Dorfman, Research Writer, Triple-I

Insurance fraud costs the U.S. $308.6 billion a year, according to recent research by the Coalition Against Insurance Fraud (CAIF).  And, while staffing within insurers’ Special Investigation Units (SIU) is a pain point, CAIF found that use of anti-fraud technology is on the rise.

CAIF notes that hardest-hit insurance lines are:

  • Life insurance, at $74.7 billion annually;
  • Medicare and Medicaid, at $68.7 billion; and
  • Property and casualty, $45 billion.

“There is a huge and monumental impact that insurance fraud causes to American citizens, American families, and to our economy every single year,” said Matthew Smith, the coalition’s executive director.

Another recent CAIF study looked at SIUs and insurers’ response to fraud. The study found that SIU staff grew at 1.4 percent from 2021 to 2022, slower than the 2.5 percent growth rates from two previous studies addressing this issue. Staffing and talent are among the top concerns of anti-fraud leaders CAIF surveyed.

However, an additional CAIF study found that anti-fraud technology is increasingly being used—a positive sign in the fight against these crimes. Among the key findings of that report is that 80 percent of respondents use predictive modeling to detect fraud, up from 55 percent in 2018.

Insurance fraud is not a victimless crime. According to the FBI, the average American family spends an extra $400 to $700 on premiums every year because of fraud. Most of these costs are derived from common frauds, including inflating actual claims; misrepresenting facts on an insurance application; submitting claims for injuries or damage that never occurred; and staging accidents.

To further combat insurance fraud, there are ways to file complaints, including contacting your state’s fraud bureau; contacting your insurer to see if a fraud system is in place; using the National Insurance Crime Bureau (NICB) “Report Fraud” button; and reporting it to a local FBI branch.

“Insurance fraud is the crime we all pay for,” CAIF’s Smith added. “Ultimately, it’s American policyholders and consumers that pay the high cost of insurance fraud.”

Learn More:

Fraud, Litigation Push Florida Insurance Market to Brink of Collapse

Study: Insurers Suspect Rise in Fraudulent Claims Since Start of Pandemic

The Battle Against Deepfake Threats

Business Insurance, Business Risk, Cyber Risk

Piracy Incidents Decline, But Horizon Isn’t Clear

Leave a comment

Maritime piracy in the first half of 2022 is at its lowest level since 1994, the International Maritime Bureau (IMB) says, with 58 incidents, down from 68 for the same period last year. Nevertheless, the organization cautions against complacency.

For the full year 2020, IMB listed 195 actual and attempted attacks, up from 162 in 2019. The COVID-19 pandemic may have played a role in that rise in pirate activity – as it is tied to underlying social, political, and economic problems – and 2022 may represent the start of a return of a downward trend.

Source: International Chamber of Commerce/International Maritime Bureau (IMB)

Many people outside the maritime and insurance industries don’t realize that piracy remains a costly peril in the 21st century. Global insurer Zurich estimates the annual cost of piracy to the global economy at $12 billion a year.  In its 2022 Safety and Shipping Review, global insurer Allianz reports that piracy comes behind machinery damage or failure, collision, and contact, in terms of number of loss-causing incidents globally – and that total losses have fallen 57 percent over the past decade.

However, the shipping industry is vulnerable to disruptions and, as Allianz points out, has been affected on multiple fronts by Russia’s invasion of Ukraine: from loss of life and vessels in the Black Sea and disrupted trade to challenges to day-to-day operations that affect crews, cost and availability of fuel, and the growing for cyber risk.

“To date, the biggest impact has been on vessels operating in the Black Sea and/or trading with Russia,” Allianz says. “At the start of the conflict, approximately 2,000 seafarers were stranded aboard vessels in Ukranian ports. Trapped crews faced the constant threat of attacks, with little access to food or medical supplies, and a number have been killed.”

According to a recent industry survey, Allianz says, 44 percent of maritime professionals reported that their organization has been the subject of a cyber-attack in the last three years. Accumulations of cargo exposures at mega ports have been rising – and, with ports increasingly reliant on technology, an outage or cyber-attack could effectively close a port.

In February 2022, India’s busiest container port was hit by a ransomware attack, following incidents at U.S. and South African ports in recent years.

A third of organizations surveyed by Allianz said they don’t conduct regular cyber security training or have a cyber-response plan.

Auto Insurance, Highway Safety, Technology

Cellphone Bans Cut Crashes; Telematics
Can Help Reduce
Distracted Driving

Leave a comment

Max Dorfman, Research Writer, Triple-I

State prohibitions on cellphone use while driving correlate with reduced crash rates, according to recent research by the Insurance Institute for High Safety (IIHS). However, overall results were mixed among the states studied, with different legal language, degrees of enforcement, and penalty severity, providing possible explanations for the differing outcomes.

The study observed crash rate changes in California, Oregon, and Washington after legislation to prevent cellphone calls and texting while driving was enacted in 2017, with the research looking at overall numbers from 2015 to 2019. These numbers were compared to control states Idaho and Colorado.

Notably, the study found:

  • A 7.6 percent reduction in the rate of monthly rear-end crashes of all severities relative to the rates in the control states;
  • Law changes in Oregon and Washington were associated with significant reductions of 8.8 percent and 10.9 percent, respectively;
  • California did not experience changes in rear-end crash rates of all severities or with injuries associated with the strengthened law.

Still, state governments face several hurdles in their efforts to prevent crashes caused by cellphone use.

“Technology is moving much faster than the laws,” said Ian Reagan, a senior research scientist at IIHS. “Our findings suggest that other states could benefit from adopting broader laws against cellphone use while driving, but more research is needed to determine the combination of wording and penalties that is most effective.”

Distracted driving remains a major issue

Distracted driving remains a significant problem on roads nationwide. Indeed, distracted driving increased more than 30 percent from February 2020 to February 2022, due largely to changes in driving patterns spurred by the coronavirus pandemic, according to research by telematics service provider Cambridge Mobile Telematics.

The Governors Highway Safety Association (GHSA) reported that more than 3,100 people died in distraction-related accidents in 2020, with an estimated 400,000 people injured each year in such crashes. The true numbers, according to the study, are likely higher due to underreporting. The report also found that cell dial, cell text, and cell-browse were among the most prevalent and highest-risk behaviors.

Telematics can help

Telematics, which uses mobile technology to track driver behavior and provide financial incentives to drive less and often and more carefully, can help reduce dangerous driving. The more consumers positively react to the incentive, the less they pay for their insurance.

Research from the Insurance Research Council – like Triple-I, a nonprofit affiliate of The Institutes, focused on this exact issue, studying public perception and use of telematics. The study found that 45 percent of drivers surveyed said they made significant safety-related changes in the way they drove after participating in a telematics program. Another 35 percent said they made small changes in the way they drive.

During the pandemic, insurance consumers’ comfort with the idea of letting their driving be monitored in exchange for a better premium appeared to improve. In May 2019, mobility data and analytics firm Arity surveyed 875 licensed drivers over the age of 18 to find out how comfortable they would be having their premiums adjusted based on telematics variables. Between 30 and 40 percent said they would be either very or extremely comfortable sharing this data. In May 2020, they ran the survey again with more than 1,000 licensed drivers.

“This time,” Arity said, “about 50 percent of drivers were comfortable with having their insurance priced based on the number of miles they drive, where they drive, and what time of day they drive, as well as distracted driving and speeding.”

Cyber Risk, Disaster Resilience, Emerging Risks, Insurers and the Economy, Terrorism Risk

Complex Risks in a Complicated World:
Are Federal Government “Backstops” The Answer?

Leave a comment

Two U.S. agencies have agreed to explore the potential need for a federal mechanism – analogous to the one put into place for terrorism insurance after the 9/11 attacks – to address the growing cybersecurity threat to critical infrastructure. The perceived need to do so speaks to the growing complexity and interrelatedness of this and other risks facing governments, businesses, and communities today.

The Government Accountability Office (GAO), in a recently published report, recommended that Treasury’s Federal Insurance Office (FIO) and Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) take this action.  It acknowledges that FIO and CISA have “taken steps to understand the financial implications of growing cybersecurity risks” – but those actions have not included the possible need for a federal insurance mechanism.

“Cyber insurance and the Terrorism Risk Insurance Program (TRIP)—the government backstop for losses from terrorism—are both limited in their ability to cover potentially catastrophic losses from systemic cyberattacks,” the GAO report says. “Cyber insurance can offset costs from some of the most common cyber risks, such as data breaches and ransomware. However, private insurers have been taking steps to limit their potential losses from systemic cyber events.”

Insurers are excluding coverage for losses from cyber warfare and infrastructure outages, the report notes, and cyberattacks may not meet TRIP’s criteria to be certified as terrorism.

As we’ve previously reported, some in the national security world have compared U.S. cybersecurity preparedness today to its readiness for terrorist acts prior to the 9/11. Before Sept. 11, 2001, terrorism coverage was included in most commercial property policies as a “silent” peril – not specifically excluded and, therefore, covered. Afterward, insurers began excluding terrorist acts from policies, and the U.S. government established the Terrorism Risk Insurance Act (TRIA) to stabilize the market.  TRIA created TRIP as a temporary system of shared public and private compensation for certain insured losses resulting from a certified act of terrorism.

Treasury administers the program, which has to be periodically reauthorized. TRIP has been renewed four times – in 2005, 2007, 2015, and 2019 – and the backstop has never yet been triggered.

The GAO recommendation that a similar solution be considered for cyber risk highlights the potential insufficiency of traditional risk-transfer products to address increasingly complex and costly threats. Alongside terrorism and cyber, we’ve experienced – and continue to experience – the myriad perils of pandemic, with its assorted impacts on the global supply chain, driving behavior, business interruption and remote work practices, and the economy. Even if those challenges moderate, we will continue to face what is perhaps the most entangled set of risks on the planet: those associated with climate and extreme weather.

One only has to look as far as Florida, where the insurance market is on the brink of failure as writers of homeowners coverage begin to go into receivership and global reinsurers reassess their appetite for providing capacity in that hurricane-prone, fraud- and litigation-plagued state. Or, one could follow the wildfire activity in recent years; or flood loss trends, increasingly creating problems inland, where flood insurance purchase rates tend to be lower than in coastal areas; or insured losses due to severe convective storms, which have been rising in parallel with losses from hurricanes.

Fortunately, many states are taking steps – often with partners, including the insurance industry – to anticipate and mitigate such risks. Much is being done, but much work remains to change behaviors, best practices, and public policies in ways that will reduce risks and improve availability and affordability of coverage.

Cyber Risk, Emerging Risks, Insurance Fraud, Technology

The Battle Against Deepfake Threats

Leave a comment

By Max Dorfman, Research Writer, Triple-I

Some good news on the deepfake front: Computer scientists at the University of California have been able to detect manipulated facial expressions in deepfake videos with higher accuracy than current state-of-the-art methods.

Deepfakes are intricate forgeries of an image, video, or audio recording. They’ve existed for several years, and versions exist in social media apps, like Snapchat, which has face-changing filters. However, cybercriminals have begun to use them to impersonate celebrities and executives that create the potential for more damage from fraudulent claims and other forms of manipulation.

Deepfakes also have the dangerous potential to be used to in phishing attempts to manipulate employees to allow access to sensitive documents or passwords. As we previously reported, deepfakes present a real challenge for businesses, including insurers.

Are we prepared?

A recent study by Attestiv, which uses artificial intelligence and blockchain technology to detect and prevent fraud, surveyed U.S.-based business professionals concerning the risks to their businesses connected to synthetic or manipulated digital media. More than 80 percent of respondents recognized that deepfakes presented a threat to their organization, with the top three concerns being reputational threats, IT threats, and fraud threats.

Another study, conducted by a CyberCube, a cybersecurity and technology which specializes in insurance, found that the melding of domestic and business IT systems created by the pandemic, combined with the increasing use of online platforms, is making social engineering easier for criminals.

“As the availability of personal information increases online, criminals are investing in technology to exploit this trend,” said Darren Thomson, CyberCube’s head of cyber security strategy. “New and emerging social engineering techniques like deepfake video and audio will fundamentally change the cyber threat landscape and are becoming both technically feasible and economically viable for criminal organizations of all sizes.”

What insurers are doing

Deepfakes could facilitate the filing fraudulent claims, creation of counterfeit inspection reports, and possibly faking assets or the condition of assets that are not real. For example, a deepfake could conjure images of damage from a nearby hurricane or tornado or create a non-existent luxury watch that was insured and then lost. For an industry that already suffers from $80 billion in fraudulent claims, the threat looms large.

Insurers could use automated deepfake protection as a potential solution to protect against this novel mechanism for fraud. Yet, questions remain about how it can be applied into existing procedures for filing claims. Self-service driven insurance is particularly vulnerable to manipulated or fake media. Insurers also need to deliberate the possibility of deep fake technology to create large losses if these technologies were used to destabilize political systems or financial markets.

AI and rules-based models to identify deepfakes in all digital media remains a potential solution, as does digital authentication of photos or videos at the time of capture to “tamper-proof” the media at the point of capture, preventing the insured from uploading their own photos. Using a blockchain or unalterable ledger also might help.

As Michael Lewis, CEO at Claim Technology, states, “Running anti-virus on incoming attachments is non-negotiable. Shouldn’t the same apply to running counter-fraud checks on every image and document?”

The research results at UC Riverside may offer the beginnings of a solution, but as one Amit Roy-Chowdhury, one of the co-authors put it: “What makes the deepfake research area more challenging is the competition between the creation and detection and prevention of deepfakes which will become increasingly fierce in the future. With more advances in generative models, deepfakes will be easier to synthesize and harder to distinguish from real.”