Skip To Main Content

As cyberattacks rise, so do new ways of evaluating risk

Cybersecurity is more critical than ever.

One of today’s most dramatic developments in business is the broad range of devices and mechanisms that are computerized and connected to networks on the Web. Everything from watches to appliances to jet engines and factory equipment, the proliferation of the Internet of Things (IoT) has made companies – and the people who run them – smarter and more efficient. 

However, the risks to businesses integrating IoT and other technologies are evolving, and therefore, not yet fully understood. As organizations consider accelerating investments into digital tools, Lex Baugh, AIG’s Global Chief Underwriting Officer for its Casualty and Financial Lines within General Insurance, says he expects that insurers will increasingly rely more on new and innovative ways to evaluate and manage cyber risk.

This comes as cybersecurity awareness is more critical than ever given the prevalence of ransomware attacks. In June, the White House issued new warnings about the marked rise of ransomware incidents, urging U.S. business leaders to take urgent security measures as hackers step up efforts to infiltrate and disrupt companies’ core operations. 

“We have made meaningful advances in cyber risk awareness, but many companies are still catching up,” Lex said recently on a virtual panel at the 2021 International Insurance Society Global Insurance Forum. 

“Digital assets are frequently being neglected until something happens. We’re seeing more disruptive and expensive business interruptions as clients’ activities become more integrated and more connected.”

To illustrate his point, Lex considered a hypothetical scenario at an ammonium nitrate plant. Imagine a team of engineers spending the bulk of their workday adjusting the temperatures and pressures at the plant to maximize output, but then senior leaders adopt an integrated system across dozens of plants globally because it performs the job far more efficiently. Doing so requires less manual maintenance and system-wide downtime. Plus, the system reduces human error, and therefore, generally enhances safety.

While these are indeed benefits, Lex added, interconnected systems and devices can leave companies vulnerable to hackers trying to gain control of networks. As a result, this changes the risk profile.

“Whenever you hear about a process or a technology being a smart technology, think about how it’s connecting in a way without human intervention. So, the firebreaks that we have historically seen are no longer there.”

A new and emerging risk landscape

A few other factors are complicating how insurers evaluate and underwrite cyber risks.

First, Lex explains, the impacts of COVID-19 on consumers and households have led many companies to reassess their business models and rush investments into intellectual property and new technologies without the traditional security checks and balances that the insurance industry has historically seen. 

Second, the value of today’s biggest companies listed on the S&P500 are increasingly influenced by intangible assets, including data, intellectual property, copyrights and software. From a cyber risk perspective, this trend is worth watching since hackers are likely to target such intangibles.

Third, cyber risks will increasingly impact virtually every industry. This means underwriters specializing across a broad range of areas will need more accessible ways to assess a company’s cyber exposure.

“There’s no aspect of insurable risk where cyber isn’t playing a factor,” Lex said. “Whether we’re talking about a marine underwriter or healthcare underwriter or general liability underwriter, they’ll need more sophisticated methods to assess the risks because they’re likely not going to be cyber experts fast enough.”

Demand grows for innovative risk solutions

Looking ahead, Lex expects that AIG and underwriters will rely more on externally acquired data that provide insights into cybersecurity practices and potential vulnerabilities to help expedite understanding of an organization’s security program.

As it stands, AIG uses a priority method for measuring and analyzing cyber risk. AIG extracts knowledge and insights from numerous datasets and client-specific answers. Clients receive detailed scoring, analysis, and benchmarking to help them better understand their cyber maturity.

In addition, AIG has developed a ransomware supplemental questionnaire to help underwriters determine if a company has proper controls in place to help detect and thwart ransomware attacks. AIG will also work with companies to improve their risk profile.

To be sure, solutions will likely vary depending where a client or customer is based or otherwise subject to geographical privacy and data protection legislation. This is because the public’s attitudes around privacy, data protection and legislation protecting the same varies widely by country. For example, while 66% of countries have data protection and privacy legislation, 19% of countries have no legislation, according to the United Nations Conference on Trade and Development.

“So, it’s not necessarily a one-size-fits all solution for how we solve these issues,” Lex said. “Clients will need to have strong knowledge of existing privacy, data protection and cybersecurity legislations at the industry-specific levels and at the national and international levels to manage cyber risks.”

Bottom line

The unintentional actions or lack of actions taken by organizations to address these agile cyber risks can create inadvertent consequences. Evaluating and managing these risks calls for new tools and approaches that aim to keep step with cyber criminals and that underwriters specializing across different lines of insurance can use to assess cyber risks at play. 

This article may contain third party content or links to third party websites. These content and links are provided solely for your convenience and information. AIG has no control over, does not assume any liability or responsibility for and does not make any warranties or representations as to, any third party content or websites, including but not limited to, the accuracy, subject matter, quality or timeliness.


American International Group, Inc. (AIG) is a leading global insurance organization. AIG member companies provide a wide range of property casualty insurance, life insurance, retirement solutions and other financial services to customers in approximately 70 countries and jurisdictions. These diverse offerings include products and services that help businesses and individuals protect their assets, manage risks and provide for retirement security. AIG common stock is listed on the New York Stock Exchange.

Additional information about AIG can be found at | YouTube: | Twitter: @AIGinsurance | LinkedIn: These references with additional information about AIG have been provided as a convenience, and the information contained on such websites is not incorporated by reference herein.

AIG is the marketing name for the worldwide property-casualty, life and retirement and general insurance operations of American International Group, Inc. For additional information, please visit our website at All products and services are written or provided by subsidiaries or affiliates of American International Group, Inc. Products or services may not be available in all countries and jurisdictions, and coverage is subject to underwriting requirements and actual policy language. Non-insurance products and services may be provided by independent third parties. Certain property-casualty coverages may be provided by a surplus lines insurer. Surplus lines insurers do not generally participate in state guaranty funds, and insureds are therefore not protected by such funds.