Skip to main content
main content, press tab to continue
Article | WTW Research Network Newsletter

Artificial intelligence in the role of assessing cyber risk

By Omar Samhan | March 22, 2023

AI helps to develop a holistic and robust model, efficient at detecting and preventing cyber-attacks in real-time, resisting novel cybercrime and increasing the competence of cyber security teams.
Risk and Analytics|Corporate Risk Tools and Technology|Insurance Consulting and Technology|Willis Research Network
Beyond Data|InsurTech

Since the onset of the COVID-19 pandemic, industries across the globe have witnessed a sharp rise in the number and types of cyberattacks they face. Understandably, cyber risk management systems have been unable to keep up with these sophisticated security attacks. With businesses trying to cut down their labor costs and adopt a cheaper and more efficient digital model, it is evident that cybercrime is also on the rise.

In recent years, insurance companies have become a target of ransomware attacks as they play a crucial role in protecting high-value assets, people, and commodities. This is where artificial intelligence (AI), if employed effectively, could help combat these threats. Integrating cyber security with AI helps one develop a more holistic and robust model, efficient at performing various tasks such as detecting and preventing cyber-attacks in real-time, resisting novel cybercrime and increasing the competence of cyber security teams.

In a special report, The University of Warwick produced this systematic literature review that presents an overview of the barriers and opportunities of using artificial intelligence to help reduce cyber risk and threat exposure in the insurance sector. Outputs include:

  1. 01

    Systematic literature review

    A systematic literature review of the state-of-the-art and emerging AI techniques with applications in risk and threat assessment.

  2. 02

    Examine barriers and opportunities

    Examine the barriers and opportunities of utilizing AI techniques for decision-making in the insurance industry.

  3. 03

    Review efficacy

    Review the efficacy of emerging AI techniques in identifying unknown adversarial scenarios and feared events – and how these affect traditional risk assessment processes.

  4. 04

    Provide recommendations

    Provide a set of recommendations that can act as a guideline/roadmap for different stakeholders in that industry.

Systematic review of emerging AI techniques with applications in risk and threat assessment

With an increase in the use of AI throughout multiple industries, the insurance industry today stands on the edge of large-scale adoption of the technology. This work with the University of Warwick provides an approach to understanding how emerging and state-of-the-art AI technologies can be used to reduce risks and better the security posture of an organization.

The employment of AI in insurance innovation is now used for a variety of back-end functions such as fraud detection, algorithmic trading, blockchain analytics, and financial search engines. Robotics, computer vision, and Natural Language Processing (NLP) are some fields that are being serviced by machine learning (ML). These applications have increased interest in machine learning within the insurance sector, which is rich in data. Examples of ML techniques include:

  • Support Vector Machines – an ML algorithm that learns from examples it is given. When many fraudulent and non-fraudulent activity reports are examined, it can identify credit card fraud.
  • Artificial Neural Network – the primary focus is the use of an improved neural network for assessing information risk. The purpose of neural networks is to resemble the human brain.
  • Decision Tree – a tool that forecasts potential outcomes, such as resource costs and utility, using a tree-like model of possibilities.
  • Naïve Bayes – a straightforward "probabilistic classifier," the Naïve Bayes classifier is based on the Bayes theorem and robust (naive) independence assumptions.
  • Random Trees – this learning method is made to handle issues like regression and other difficulties that need the training of many decision trees.

The main advantage of using AI in the insurance sector is that it makes data management simpler. Datasets that are semi-structured and unstructured can be organized using machine learning. Datasets from various insurance companies are available for scholars and data analysts to utilize. Machine learning may be used in the insurance industry to identify risk, claims, and consumer behavior with greater prediction accuracy.

AI could also be used in various ways in the insurance industry, from responsive underwriting and premium leakage to expenditure control, arbitration, litigation, and fraud detection. This issue is being addressed in great detail by incorporating potent artificial intelligence methods into insurance data. Many scientists are looking at cutting-edge machine-learning techniques for responsibilities, such as premium leakage to expenditure management, debt recovery, proceedings, and fraud detection, motivated by industrial production for management solutions and the academic ability to develop highly relevant machine-learning techniques.

Opportunities and barriers: utilizing AI techniques for the insurance industry

The insurance industry is made up of several key components, including fraud detection, claim prediction, risk prediction, and underwriting. A number of industries, including medicine, car production, banking, manufacturing, agriculture, and marketing, use AI at a fast rate. This growth is a result of three key technical advancements in recent times: the emergence of big data, the normalization of interactions between humans and machines, and advances in machine learning.

The insurance sector has also been impacted by these advances in terms of newly created business models and capital expenditures employing cutting- edge technology such as artificial intelligence in risk and threat assessment. This frequently covers the dangers connected to the adoption and application of AI itself.

As an alternative, several insurers make investments in game-changing AI technology to improve their operations and risk control. AI will increase the effectiveness of preventative insurance procedures. Insurers may help clients collect, analyze, and interpret their data to prevent illnesses and accidents using AI. The business structure of the insurance sector can change. Thanks to health sensor data, face mapping technology, genetic predictors powered by AI, and AI personal assistants, customers are now better informed about their insurance needs. All of these might result in a reduction in the insurance gap.


  1. Claims Predictions – by employing AI to forecast insurance claims, a client may ask for an explanation as to why their claim was denied. According to reviewed literature, academics used artificial neural networks to deal with health insurance claims.
  2. Use of NLP against Phishing – the insurance industry's principal application of NLP in cyber security will be to encourage interactions between people and machines. In order to identify the risk of a phishing attack, insurance firms may use NLP to scan vast amounts of datasets for email conversations. By keeping track of all emails that enter the organization's network, NLP can be used to identify patterns of malicious behavior.
  3. Use of AI and ML against DDoS – artificial intelligence and big data help defend firms against DDoS attacks. By comparing network traffic with real-time data streams collected from threat-intelligence sources, correlation engines can spot attack trends. As a kind of cyber extortion, hackers are increasingly using DDoS attacks to force financial institutions to pay hefty sums of money to cease the attacks.


  1. Cyber Risks – procedures, such as damage assessment, IT, human resources, and legislative change, all depend on AI. AI systems are extraordinarily quick to learn about petitions, policies, and changes made as a result of those policies. They can also make decisions swiftly. This tactic prompts worries about decision-making accountability, social, economic, and political risks, as well as security.
  2. Data Privacy Issues – the enormous potential of technological platforms to obtain and analyze data from a variety of sources – including internet searches, social media accounts, shopping and purchase information obtained from credit card companies – is a threat to customer privacy. The lack of a time restriction on the use of a person's information obtained from a social media account or another source when determining risk is one of the most concerning issues when utilizing AI for data sifting.
  3. Discrimination Based on Characteristics – statistics that severely disparage protected attributes that pose a serious threat of bias are not permitted under anti-discrimination rules. Certain legislation, such as the Equality Act of 2010, prevents insurers from using algorithms that can lead to discrimination based on physical characteristics. The potential for indirect discrimination may be negatively impacted by real results of the individualization process created by algorithms.

Emerging AI techniques: Impacting traditional risk assessment processes

The primary factor accelerating automation across all industries are machine learning algorithms. However, it has been shown in numerous instances that the use of these algorithms has begun to appear in a variety of cyber-attacks, has improved the effectiveness of those assaults, and has allowed malicious actors to avoid manually addressing statistical analysis issues. The need for strengthening an organization's security posture has increased due to the weaponization of AI and machine learning.

Emerging and state-of-the-art cyber-attack AI techniques

The advancement of cyberattack technology and contemporary techniques is shaping and expanding the field of cyberattacks, exposing cyberspace to a broad range of cutting-edge cyberweaponry with numerous negative effects. Next-generation malware may covertly enter vulnerable and sensitive computer systems while learning from its environment and evolving with new variations thanks to malicious actors utilizing fuzzy models.

Malicious actors can better learn how computer infrastructures, devices, and cyber defense systems normally work with the use of AI techniques. For example, a malicious actor can identify a key link to targets by gathering architectural, logistical, and topological data about the user's equipment, network flows, and architecture. Massive data collections might provide information about the patterns of targeted attacks that would-be criminals could find using AI. AI's ability to comprehend, unearth, and recognize patterns in massive amounts of facts allows it to be utilized to offer in-depth research and create targeted exploration processes while overcoming human limitations.

Figure 1 shows different types of machine learning algorithms which can be used to undertake various kinds of cyber-attacks
Figure 1: ML algorithms used in different types of attacks

As shown above in Figure 1, different types of algorithms can be used to undertake various kinds of cyber-attacks. The figure helps in mapping out the types of algorithms a malicious actor can use to perform a particular attack. It also assists in describing the purpose of the attack, which may be for data analysis, data production, behavior diversion or behavior deduction.

Impact of weaponized AI on insurance industries

Worldwide insurance companies are a target due to their storing copious amounts of sensitive data. Attacks using ransomware and DDoS powered by AI have grown commonplace. Defending organizations from harmful actors has become very difficult due to the rise in the complexity of cyberattacks made possible by AI.

The interruption of services and other similarly detrimental effects are some of the most worrying effects of a successful cyberattack. A cyberattack may result in reputational damage to a company since consumers may stop doing business with them for fear of a potential breach. If companies are negligent in their duties they may face legal repercussions from governmental authorities. Cybercriminals are continually modifying and enhancing the effectiveness of their attacks, placing a strong emphasis on the use of AI-driven approaches.

Lessons for businesses: next stages in corporate cyber resilience

To understand and emphasize where and when disruption may occur – and what it means for certain industry sectors – companies should undertake hypothesis-driven simulations. Pilots and proof-of-concept initiatives should be planned to evaluate not only performance but also to monitor how successfully an organization may perform a certain function within an ecosystem based on data or network intrusions. This work laid out the following recommendations to build organizational resilience within a company:

  • Educating stakeholders on AI and its multiple uses, including threats
  • Implementation of a rational strategic plan based on employing technology utilizing analytics from AI investigations
  • Creating and executing a comprehensive data strategy
  • Training and hiring competent employees who possess technological proficiency, creativity, and a willingness to work in constantly evolving threat environments

The key takeaways for insurers are to recognize that cybersecurity is not an IT problem but a business concern. Enhancing cybersecurity capabilities by effectively implementing AI and ML algorithms to defend networks against sophisticated attacks is necessary. However, insurers will also want to evaluate their present "pockets" of excellence in cybersecurity and ensure that these best practices are disseminated throughout the organization.

CEOs must collaborate with business executives to best address cyber threats to identify the proper ratio of centralized and decentralized services. Fielding an appropriate response requires the proper framework for robust and consistent cybersecurity. Insurance leaders must carefully evaluate how to ensure their businesses stay prepared, from "red teaming" exercises that mimic the behavior of attackers to increased staff training and regular drills. To manage their risk consistently, insurers must pay particular attention to strengthening their understanding of the ecosystem of third-party players, including independent agents, outsourced service providers, and other non-employees with access to data.


Technology and People Risks Analyst
email Email

Contact us