New Threats, New Tech: How Innovation Is Redefining Cyber Risk
A recap of At-Bay CTO Ayelet Kutner’s Fireside Chat at ITC Vegas 2025
At-Bay’s Chief Technology Officer Ayelet Kutner sat down with Allan Vogel, Cyber Security Consulting Leader at Aon, at ITC Vegas 2025, for a fireside chat exploring how cutting-edge technologies and strategies are reshaping cyber insurance. The conversation offered insights on emerging threat trends, strategic takeaways on the technologies creating opportunities for insurance, and also data-backed findings on the security tools that may be doing more harm than good.
The key takeaway: As digital dependency accelerates and it becomes increasingly difficult for businesses to secure their technology stack against cybercriminals, insurers must continuously innovate to stay ahead. For small and mid-market businesses, where we see claims frequency increasing for the third year straight, the challenge is particularly acute.
Below is a play-by-play of what was discussed.
From your seat as a CTO, what’s the biggest shift you’ve seen in the cyber risk landscape over the past 12 months? How is that informing your product or platform strategy?
Two main cyber risks have dominated: vulnerabilities in remote access tools and social engineering over email. At-Bay’s 2025 InsurSec Rankings Report shows that these categories account for about 60% of all At-Bay insured claims in 2024.
- Remote access has been our most significant risk vector for five years, but the speed of attacks has accelerated dramatically. In 2024, 80% of ransomware attacks involved remote access tools, with 83% of those specifically involving VPN devices. Many breaches now happen through zero-day vulnerabilities. From a product development perspective, this tells us that assessing risk cannot be done once, nor can it be done by asking questions or running a vulnerability scan. We need big data techniques combined with machine learning algorithms to assess many seemingly unrelated data points in order to better understand and price a customer’s true risk.
- Email fraud is now twice as common as ransomware, with costs exceeding typical coverage amounts. Traditional email security tools aren’t stopping these attacks. Without a clear market solution for email fraud, At-Bay built our own specialized solution. The results speak for themselves: On a monthly basis, we’re identifying fraud attempts against 30% of our insureds that email security tools aren’t catching.
As cyber risk becomes more systemic and complex, what role do you think insurers need to play beyond traditional risk transfer?
We believe the best security company is an insurance company. Cyber risk is so complex, and businesses need help. This help cannot come from an advisor who doesn’t have skin in the game. Insurance companies are in a unique position to drive real change for four key reasons:
- We see enough companies and have enough data to know what indicators correlate to loss.
- We can incentivize businesses to get better security where it matters.
- We connect the dots between the CFO who buys insurance and the IT manager who buys IT tools. In most companies, the CFO and the IT manager live in different worlds, yet they’re often trying to solve the exact same problem: risk. We stop companies from having a “right hand doesn’t know what the left hand is doing” problem. By connecting the person who manages the risk (CFO) with the person who manages the technology (IT), we ensure your business is actually protected, not just on paper but in practice too.
- We can develop better security products because we have insight into real-world incidents that are impacting our insureds, which means we can solve for them.
In every domain of risk, insurance has been the de facto regulator of safety standards. Take fire safety standards in buildings or multi-factor authentication in cyber. What’s crucial is that insurers who also invest in security get even more technical by understanding the cybersecurity landscape, tracking it regularly with scans and dark web monitoring that go beyond questionnaires, and finding controls that can have an impact.
What’s one bet you’ve made on a technology or strategy that others in the market weren’t ready to make, but is now paying off?
There’s a saying I like: In God we trust. All others must bring data.
Since day one, our approach has been to collect as much technical cyber data as possible. This requires technical cyber research and new methods to collect, normalize, and analyze data. Today, we have tools that make this data usable for our Cyber Research and Data Science teams to do “what if” analyses and make data-based decisions.
The second bet was moving into security. We realized it’s not enough to insure — we need to provide customers with tools and help them do better, not just assess where they are. As someone incentivized to lower losses, we have the credibility needed.
Today, thousands of our insureds regularly engage with our security products provided with every policy. This helps them reduce and manage critical risks year-round through constant scanning, alerting, and email environment integration to flag potential fraud. The number of insureds who are adopting our advanced security offering is growing rapidly, and those who do are benefiting from huge reductions in loss.
How is your organization using emerging technologies, like AI and analytics, to underwrite smarter and faster?
Emerging technologies like AI have always been part of how we build our insurance operating system. We’ve been using AI in three ways to improve our business and customer service:
- Fully automated workflows. For smaller businesses, we’re able to use AI to automate risk decisions and quoting with extremely minimal human touch. For example, our proprietary Mailbot receives emails and quotes automatically for small accounts, freeing our underwriters for more sophisticated work. Our brokers love the speed and simplicity of the service.
- Assisted underwriting. Internally, we’ve developed tools to help underwriters get information at their fingertips rather than manually researching companies, allowing them to respond to brokers faster and more effectively.
- Analytics and data. We built Oly, a Generative AI-based Slack bot that allows anyone in the company to ask data questions and learn from past quotes and decisions. This helps our team leverage a vast and complex data house to unearth insights easily so they can make better and more informed decisions.
Are there new tools or approaches you’re using to reduce claim frequency or severity that the industry isn’t talking about yet?
Our approach relies on a very granular understanding of the cyber landscape and real-world attacks. Our risk and actuary teams work with cyber researchers to understand threats and attackers’ behavior for better pricing segmentation. This isn’t common practice across the industry.
For example, over the last three years, we’ve been assessing email providers. If you’re a customer of Microsoft 365, you are twice as likely to experience a claim as if you’re using Google Workspace. In email security solutions, there’s a 100% difference between the best and worst, while costs are similar.
We have also been doing research on VPNs. Very popular vendors like Citrix and Cisco make users almost 7X more likely to experience ransomware than if they don’t use them. We publish these insights in our annual InsurSec Reports to help SMBs make informed purchasing decisions.
How can carriers and brokers work together to bring a more proactive, continuous risk management mindset to the market, especially for small and mid-market clients?
We created InsurSec about two years ago as a combination of security and insurance to help customers become more secure both technologically and financially.
We see visionary brokers who are bought into this concept and are willing to work with customers beyond just purchasing an insurance policy. They recognize the impact of a cyberattack is far-reaching, and losses often outsize policies. So being proactive about security through an insurance lens is super powerful. It can help them to unlock better terms and pricing for their customers, and improve the risk outcome — fewer and less costly claims and out-of-pocket losses.
On the carrier side, carriers must think beyond risk transfer. The combination of insurance and security is really important to solving cyber risk, especially for small to mid-sized clients who lack resources or expertise to secure their business. Businesses need help and guidance, and both brokers and carriers, as people who have skin in the game, can guide them into a better, more secure world.
What’s a paradigm shift you think the cyber insurance market will go through in the next 2-3 years, and what’s driving it?
Cyber risk management requires a more holistic approach. It’s not enough to tell customers they are a bad risk; you need to help them get better and stay better. Beyond making the connection, be a true advisor and be in the trenches. Provide security that’s better than they can get on the market, because no one is keeping security vendors accountable.
The paradigm shift is that insurers are moving beyond traditional risk transfer to become active participants in the cybersecurity ecosystem itself. This is driven by the increasing complexity of cyber risk, the inadequacy of traditional security solutions for small and mid-market businesses, and the unique position insurers hold to drive meaningful change through data, incentives, and continuous engagement.