A deepfake is a sophisticated forgery of an image, video or audio recording. With the aid of artificial intelligence (AI) technology, deepfakes are made to look and sound so authentic that the average human is unlikely to detect any manipulation. Deepfakes first started to emerge in 2018, and, so far, have been primarily the product of amateur hobbyists. However, with the goal of misleading and deceiving people, deepfakes can be a dangerous tool if used maliciously.
What are the risks for businesses?
Imagine this scenario. It’s financial results season and your insurance company has had a stellar quarter and a strong year. You’re excited to announce that net income attributable to shareholders has increased and that your firm is well poised for further growth. The CEO shares his delight over the results in a video, which is posted online. What follows is a surprise backlash from shareholders and a sudden drop in stock value. Why? A cybercriminal has decided to manipulate that video and upload an edited version in which the CEO seems to be sharing a load of bad news, including an operating loss, a terrible combined ratio, and a number of financial penalties.
Hackers are so good at deepfakes these days that people who are just glancing at a video or scrolling through a social media platform won’t think twice about whether a video or audio clip is legitimate or not. John Farley, managing director and cyber practice group leader at Gallagher, described the phenomenon as “really frightening”. He said: “They could have a world leader appear to say things that could potentially start a war. They could have a CEO appear to say things about earnings that could drive a stock up or down. It’s pretty wild when you think about the kind of harm that could cause and how a hacker could financially gain from some of that.”
In a recent Marsh report, named ‘Digital Deception: Is Your Business Ready for Deepfakes?’ the brokerage giant explained: “Deepfakes can have a severe impact on a company’s reputation. A deepfake posted on social media could easily go viral and spread worldwide within minutes. Though a company might ultimately prove it was the victim of a deepfake, the damage to its reputation will already have been done, potentially resulting in lost revenues.”
How does insurance respond to the deepfake exposure?
This is where things get a little tricky. Some policies, such as cyber insurance or crime insurance, may provide some relief for financial loss as a result of a deepfake incident, but it depends on how and if those policies are triggered. Cyber insurance policies do seem to be growing broader (in terms of coverage) by the day. Many have now expanded to include coverage for financial loss resulting from reputational harm resulting from a cyber incident or privacy breach, but that’s not exactly the same as the company results deepfake scenario above, for example.
“Cyber insurance policies require certain triggers before coverage kicks in,” said Farley. “A policy might require a network penetration or a cyberattack before it provides coverage, but, in this case, all that’s happened is a manipulation of an existing video that’s already out in the public. It’s not like the client was attacked, so the cyber insurance policy might not cover that harm or that damage.”
If another cyber event happens as a result of a deepfake video, for example, a hacker attaches a ransom demand to a forged video, then a cyber policy might be more likely to respond. But once again, this really depends on individual policy terms and conditions, making it vital for risk managers to carefully review policies with their brokers and insuring partners.
Crime insurance policies could also play a part in the deepfake reaction, especially if companies need to recover funds that were transferred to fraudulent entities under false pretenses. For example, an employee might receive a deepfake voicemail from their boss asking them to go ahead with a financial transaction but to send the money to a different account. While you would hope the organisation has a dual sign-off process in place to prevent any fraudulent transactions, these types of mistake still sometimes fall through the cracks.
How can companies mitigate the risk of deepfakes?
Like all cyber-related risks, it starts with awareness and education. It’s time to read up on deepfake videos, how they happen, and who is commonly targeted, so that a business can run through and analyse potential scenarios. If businesses do fall victim to a deepfake, it’s important to act as quickly as possible, and get all fraudulent video, audio or imagery offline as quickly as possible.