From Artemis, July 10:
Existing cyber cat bonds structured to withstand Claude Mythos turbulence: Man Group
As Anthropic’s advanced cybersecurity AI model, Claude Mythos, continues to generate significant noise across the cyber sector, investment manager Man Group notes that the per-occurrence structures and high attachment points of existing cyber catastrophe bonds should provide meaningful insulation from future turbulence, for when more advanced AI models eventually become widely available.
In early April, Anthropic announced the successor to its Claude Opus model: Mythos Preview. While a general-purpose language model, Mythos has demonstrated capabilities in computer security, including autonomously discovering and exploiting zero-day vulnerabilities, as well as reverse-engineering exploits on closed-source software.
“Of concern is not that Mythos is discovering vulnerabilities that could not be discovered by skilled researchers, rather, it allows the search for and application of vulnerabilities to be done at scale, and to potentially put such skills in the hands of less skilled, but malicious actors,” Man Group said.
In response, Anthropic launched Project Glasswing, an initiative bringing together users and authors of some of the most critical software, such as Apple, Google, Linux Foundation, and Cisco, in order to employ Mythos Preview for defensive security.
Man Group noted that Anthropic eventually intends to deploy Mythos-class models with built-in safeguards that detect and block nefarious use. The firm also noted that as part of Anthropic’s evaluation of Mythos, thousands of highly critical vulnerabilities were also identified.
“The concern though is that sooner or later, malicious actors will get their hands on Mythos Preview or a competitor of similar abilities and exploit these vulnerabilities at scale. So, what are the implications for cyber security, cyber insurance, and cyber catastrophe (cat) bonds,” Man Group said.
Adding: “So far, we have observed a benign insurance response, partly, we think, because there haven’t been any severe events yet, but it would be naïve to assume that these capabilities do not elevate the cyber threat level.”
Of the six outstanding 144A cyber catastrophe bond deals, Man Group highlighted that five are per occurrence deals.
“The decision of what constitutes a single occurrence is sometimes delegated to the sponsor rather than effected through a precise legal definition. The latter would be difficult to codify,” the firm said.
Adding: “The cyber linkage of events is potentially more difficult to define, given potentially multiple steps in an attack. In any case, per occurrence deals and high attachment points mean that we need to see a single event causing insured loss which is an order of magnitude greater than what we have seen to date. As an aside, we note that cat bond risk modellers may not necessarily aggregate losses in the same way that the insured does.”
Man Group went on to note that the re/insurance and ILS industry will still need to grapple with two fundamental questions.
“First, if an AI agent simultaneously attacks multiple institutions, insurers must determine if that constitutes a single event. Whether the 11 September 2001 attacks on the World Trade Center constituted one or two events was heavily litigated, and defining the cyber linkage of events is potentially more difficult. Second, as corporates integrate AI into their processes, the market must consider whether AI outages warrant sub-limits as is already the case for cloud service outages,” the firm explained....
....MUCH MORE
Previously from Artemis:
July 2015 - The Next Great Reinsurance Opportunity: Cyber Attacks!
And a whole bunch more between those two bookends. If interested use the 'search blog' box, upper left.