The Emerging Threat to Cybersecurity

Liz Kim, president, US, at BOXX Insurance, says invoice manipulation has developed into a major threat -- and explains how not to fall victim.

An Interview with Liz Kim

Paul Carroll

To start us off, what is your overall outlook for the cyber insurance industry?

Liz Kim

If only we could predict where it's going to go, right? I've been in the cyber insurance industry for many years and I've worked across a lot of different roles. I've been in it as a lawyer, as head of claims for a major insurer, in underwriting, in product development, and as a broker. We’re in a soft market now, but, as with all insurance, the cyber market is cyclical.

I think cyber is more cyclical than other lines, for a couple of reasons. First, although there are plenty of disaster scenarios that people talk about in the industry — things like a worldwide AWS outage — we haven't yet really had a true disaster, which would tighten capacity and increase prices. Second, we have new entrants coming into cyber all the time. Because of that constant influx, a lot of their value proposition comes down to nothing more than having the lowest prices. That dynamic drives pricing down more than you'd typically see in other lines of business.

That said, companies that maintain underwriting discipline and pair their insurance with meaningful services or technology solutions to reduce digital risks are better positioned to hold pricing than those that are purely insurance plays.

My overall outlook? It's always positive — because if it wasn't, I wouldn't still be in cyber after all these years. With the kinds of innovations we're seeing across the industry, it's always going to be an area that drives the market forward.

Paul Carroll

How has the cyber threat landscape evolved over the past year or so, particularly with the rise of AI capabilities being leveraged by bad actors?

Liz Kim

The biggest concern I'm hearing right now with respect to AI, in particular, is deepfakes. It's not necessarily a claims-oriented concern in the way ransomware or even extortion is — it's more of an existential threat, which is how most people seem to view it. But deepfakes do connect to insurance, in that some cyber insurers have AI-related exclusions that could potentially leave a deepfake-related claim uncovered. I don't think we've landed on a perfect solution there yet.

We're also seeing a rise in invoice fraud, especially through business email compromise and invoice manipulation. Deepfakes and other trickier social engineering techniques that are leveraging AI certainly make those types of scams even easier to pull off.

Paul Carroll

Tell me a bit more about invoice manipulation, if you would. It’s been around for a while, but I find it interesting that it’s picking up.

Liz Kim

What you see is threat actors creating a fake invoice from a vendor that the insured already does business with. They'll know somehow that you work with that vendor — maybe through social engineering, or maybe they've actually gained access to your systems. From there, they'll send you a fraudulent invoice using one of two main methods.

The first is domain spoofing, where the email domain looks very, very similar to the legitimate one — maybe just a misspelling, or .com versus .ca or .co. They're counting on the recipient not noticing.

The second is BEC, or business email compromise, where the hacker has actually compromised the email account of the other party and is sending invoices directly from it to legitimate contacts.

Either way, there's generally a payment redirection involved — like, "Oh, I've changed my banking information." That's a key red flag. There's no tech hack to prevent this; it's really a process issue. Accounting teams need to have protocols around anything involving a change to payment details. Verify it through a phone call to a known contact using confirmed contact information. And you need to be the one calling them, not the other way around.

You can even see cases where someone on the accounts payable team receives a fake email thread or a WhatsApp message from their CEO or CFO saying, "Pay this invoice."

What makes it convincing is that the thieves have done their homework: they know the CEO is connected to that person professionally on LinkedIn, or they've worked together, or they're tagged in a post. The thieves replicate real, believable scenarios to trick employees.

Junior employees often don't want to question something that looks like it's coming from the CEO. But that's exactly the point: You cannot bypass your internal validation protocols at any level, no matter how legitimate something looks. Because threat actors are trying to trick you.

Paul Carroll

I gather AI is also increasing the volume of cyber threats like phishing. What is the industry doing to counter that?

Liz Kim

Yes, the volume is going up. AI is an enhancement to all of the tactics that bad actors are already using.

A phishing email from three, four, or five years ago is not the same as a phishing email today. Before, there were very obvious markers — the spelling mistakes, the type of email. Nowadays, with advanced social engineering, they can make an email seem so much more legitimate. It's hyper-personalized.

At the same time, the prevention aspects are improving, too. The market is providing more education around building digital resilience and awareness of how phishing scams work: Don't click on things from someone you don't know, and don't click on something you weren't expecting — even from someone you do business with every day.

As an industry, we're not seeing the increase in claims volume that you would expect given the sophistication of AI, and that's because there's much more emphasis on education and prevention.

Paul Carroll

I've been tracking hackers since probably the late 1980s, back when friendly Nigerian princes used to offer me a lot of money. Now I'm at the point where I may report emails as phishing scams that turn out to be legitimate — I'm suspicious of everything these days.

Beyond education, what are you and others in the industry doing to prevent cyber threats from succeeding?

Liz Kim

We have our in-house technology experts — the BOXX Hackbusters team — who are on call 24/7. In addition, each commercial policy is bundled with Cyberboxx Assist, a suite of tools and services designed to help individuals and businesses predict, prevent, and respond to cyber threats. We also offer a virtual CISO [chief information security officer]. These services are focused on the SME space, because many of our insureds don't have any in-house technology expertise, and we can help them bridge that gap.

By offering services like our virtual CISO, it does two things. One, it raises awareness among the management team that cyber risk is a real issue that can impact their organization. Two, it allows our insureds to get expert-level cybersecurity advice. Our vCISO will work with them on a plan — and offer them advice and resources on how to execute it.

In terms of insurance offerings, BOXX introduced a tech E&O policy earlier this year. It has a really strong cyber focus and offers something very specific for technology companies: breach of contract coverage. To get a little lawyerly, the liability that tech companies face isn't a breach of industry standard, which is what you normally have for more traditional professionals like accountants, lawyers, doctors, and so on. Breach of industry standard is the coverage traditional professional errors and omissions insurance provides. But in the technology space, liability is driven by what companies put into their contracts. So the importance of having affirmative coverage for contracts really cannot be overstated when it comes to Tech E&O.

Paul Carroll

There seems to be growing emphasis not just on an organization's own cybersecurity, but on the security of all the vendors and business partners they interact with, because those relationships can serve as entry points for attackers. How is that third-party risk being addressed in the insurance market?

Liz Kim

We can't physically address the security of our insureds' vendors or business partners. So we have to essentially push our insureds to address the security of their own vendors and business partners through education and awareness.

That's critical, because as an industry, we're seeing more claims come in through those third-party relationships than through direct attacks on the insureds themselves.

Paul Carroll

Looking ahead two or three years, where do you think the cyber landscape is headed — and does it ever really change, or is it always going to be that back-and-forth battle between attackers and defenders?

Liz Kim

Even though cyber is an area that changes a lot, it also stays the same in a lot of ways. The role of cyber insurers — especially technology-focused ones like BOXX — is to stay ahead of what the bad guys are doing. That's why things like monitoring the dark web, which is still a relatively new practice for the industry, are so important.

The focus will shift, sure. We've seen it move from ransomware to extortion to business email compromise and invoice manipulation. But ultimately what we're doing remains the same: predicting, preventing, and insuring against negative cyber and technology-related events.

Paul Carroll

Are you seeing much change in the geographic origin of cyber threats? For a while, North Korea, China, and Eastern Europe were significant sources — has that landscape shifted?

Liz Kim

The industry is seeing what appears to be a decrease in volume from Russia and Ukraine, simply because their energies are focused on each other rather than on the rest of the world.

That said, I don't think we're seeing any decrease from the other traditional sources, such as China and North Korea.

Paul Carroll

This has been very helpful. I hope people get the message, especially about the vigilance needed to head off invoice manipulation.

Any final message?

Liz Kim

I’ll just note that I’m excited to have joined BOXX. Just in the few weeks I’ve been here, I’ve found the people to be amazing. The other thing that really drew me to BOXX — and that I've come to appreciate even more since joining — is that we have all the excitement and focus of a startup and we’re channeling that energy into growth after officially becoming a part of Zurich Insurance, a 150-year-old, well-established, and well-respected insurance company.

Paul Carroll

Thanks, Liz.


About Liz Kim

Elizabeth (“Liz”) Kim is the President, US at BOXX Insurance, where she leads the company’s U.S. strategy, operations and market expansion. With nearly 30 years of experience in the insurance industry, she brings deep expertise across underwriting, claims, product development, reinsurance and legal analysis.

Before joining BOXX, Liz served as a Cyber Reinsurance Broker at Gallagher Re, structuring reinsurance solutions for cyber insurers, InsurTechs, and MGAs. She also held senior leadership roles at Hiscox in underwriting and product development after spending more than a decade as a litigator and claims leader managing complex technology, media, cyber, and professional liability matters. Her broad background gives her a practical, well-rounded perspective on emerging risks and the operational needs of insurers and insureds.

Liz holds a J.D. magna cum laude from Seattle University School of Law, an M.S.W. with honors from California State University Sacramento, and a B.A. in Sociology with a Minor in Women’s Studies from the University of California Davis. She is also committed to mentorship and community service and has volunteered with San Francisco’s Volunteer Legal Services Program, the Asian American Bar Association/Asian Pacific Islander Legal Outreach Pro Bono Clinic, and the ACLU of Washington. Liz also served on the Board of Directors of the Korean American Bar Association of Northern California and continues to serve on the Board of its affiliated Foundation, where she has chaired the Scholarship Committee and mentors law students.