By John P. Desmond, AI Trends Editor
Companies are interested in buying insurance to mitigate the risk of adoption and deployment of new AI applications with no history of use.
“When it comes to the commercial use of AI, businesses can’t rely on government regulation to protect them against potential losses in the event it fails to live up to its promise,” stated Saar Yoskovitch, CEO and cofounder of Augury, in a recent account in Open Access Government.
As deployed AI systems mature, they will increasingly make high risk decisions. “But AI models are often brittle, do not deal well with edge cases and may have been trained on a dataset with inherent biases,” stated Yoskovitch. This is especially prevalent with AI systems that use human behavior as an input, such as auto insurance applications that capture an individual customer’s driving behavior. The margin of error on these decisions can be very slim, and errors can have consequences, such as unfairly high insurance rates.
“But It’s not always clear who is responsible when AI systems fail,” he stated, such as when an algorithm makes an inaccurate clinical representation to a doctor. The potential responsible parties include the doctor, the hospital that bought the software, the software supplier or the provider of the training dataset.
It’s not clear that AI software suppliers guarantee the accuracy of their algorithms, or that insurance companies cover the risks associated with AI products.
Having insurance against AI risk could smooth the path to AI adoption. Among manufacturers trying out AI, many are stuck in “pilot purgatory”–not yet successfully scaling digital transformation. “Greater support for businesses looking to implement new solutions could help to improve the adoption rate,” Yoskovitch stated.
Insurers could help enterprises at these three stages of AI adoption, Yoskovitch suggests:
Choosing an AI solution. The insurance company could identify which solutions are a fit for particular use cases, perform due diligence on them, then back the validated solutions with insurance products. In this way, the insurance company becomes a trusted advisor.
Deploying an AI solution. Once deployed, the AI system needs to be tracked to know whether it delivered on the promised outcomes. If the system makes a mistake that results in losses, it needs to be identified. “Insurers have the skills to validate that a particular solution delivers results,” Yoskovitch stated.
Scaling AI solutions. As AI becomes more widely used within enterprises, AI systems will make more high-risk decisions, potential]y with less human oversight. “This increases AI risks and makes insurance for AI even more crucial to support scaling up adoption,” he stated.
How to Prepare for AI Insurance
Companies are able to prepare for the introduction of AI insurance, suggested an account in the Harvard Business Review last year. This is called AI/Machine Learning-specific insurance.
“Organizations are woefully under-prepared,” for risk related to data corruption, model theft, and adversarial examples, suggested authors Ram Shankar Siva Kumar, who works at Microsoft as part of the Azure Security Data Science team, and Frank Nagle, an assistant professor at the Harvard Business School.
The authors informally interviewed 28 organizations spanning Fortune 500 small and medium-sized businesses, nonprofits, and government organizations. Some 25 had no plan in place to mitigate adversarial attacks on their machine learning models. The reasons included: not enough experience.
AI failure models are an evolving area of research. “It is not possible to provide prescriptive technological mitigations,” the authors stated. Cyber insurance comes the closest, but is not a perfect fit. If bodily harm occurs because of an AI failure, such as if the image recognition system on an autonomous car fails to perform in snow or frost conditions, cyber insurance is not likely to cover the damage, although it may cover the losses from the interruption of business that results, the authors suggest.
This is a challenging insurance greenfield project area. As one security manager at a big four consulting group said to the researchers, “Traditional software attacks are a known unknown. Attacks on our ML models are unknown unknowns.”
Cyber insurance is a fast-growing market. The authors suggest companies begin to prepare. “Businesses can expect stringent requirements when AI insurance is introduced to limit the insurance provider’s liability,” the authors stated.
To get started, they recommend:
- Talk to your insurance provider about what cyber and AI risks are covered and which are not;
- Assess the potential impact of AI failure;
- Assign human oversight over business-critical decisions;
- Evaluate your organization against existing frameworks such as the European Commission’s Trustworthy AI Guidelines;
- Longer term, assign a safety officer to assess risk and security of AI systems, and have that person collaborate with the Chief Information Security Officer and the Chief Data Officer’s personnel;
- Revamp security practices to take adversarial machine learning attacks into account, and consider hiring a red team to stress test your ML systems.
Startup Cowbell Cyber Focused on Cyber Security for Small Businesses
One cyber security insurance innovator, Cowbell Cyber, providing cyber insurance to small and medium-sized businesses, raised $20 million in March to grow its business. The company last fall launched its Prime 250 program, empowering insurance agents to issue personalized cyber policies. The program has since expanded to 38 states; Cowbell Cyber has a network of more than 4,500 agents and brokers, according to a recent account in Security Boulevard.
“Cybersecurity is now a risk management issue that is critical to the future of the insurance industry and is evolving at a pace that insurers have rarely seen,” stated Jack Kudale, company founder and CEO. “Cowbell Cyber has capitalized on businesses’ accelerated digitization and an ever-changing threat landscape. Cowbell embraces AI and machine learning to gain efficiency and accuracy when assessing and underwriting cyber risk while focusing on the fundamental needs of our policyholders: keeping their businesses protected from evolving cyber threats.”
According to a recent post on the Cowbell Cyber blog, its agents no longer have to make the case for standalone cyber insurance. “Everybody now understands that a standalone cyber policy comes with a dedicated aggregate limit and clarity in the policy of what is exactly covered or not,” stated the post, written by Isabelle Dumont, VP of Market Engagement at Cowbell.
Read the source articles and information in Open Access Government, in the Harvard Business Review, in Security Boulevard and on the Cowbell Cyber blog.