Volatility is what makes insurance both necessary and difficult. It feels great when we get things right – but generally, our industry is more concerned with not getting things horribly wrong. The basic principles of risk pooling and diversification exist to minimize the risk of that happening.
The question “How much could the actual financial results for this year differ from expected?” is central to managing systemic risk. Or to put it more colloquially – “How wrong could we be over a 12-month policy period before we have the opportunity to review and reprice?”
Claude Mythos and the risk of sudden change
A lot of concern has been raised on LinkedIn and X over the last week about Claude Mythos – the latest ultrapowerful Anthropic development in 2026. Anthropic has claimed Claude Mythos has such powerful capabilities for identifying zero-day exploits that it has chosen not to release it publicly. Instead, Anthropic has created Project Glasswing, releasing Claude Mythos Preview to leading technology and cybersecurity firms with the aim of helping them address discovered vulnerabilities before the black hats find and exploit them. Recent, urgent meetings held by the US Treasury and Bank of England suggest the risks are real and being taken seriously.
Given the circumstances, Anthropic’s actions appear favorable and responsible, although their focus on critical infrastructure and widely used software may still leave significant vulnerabilities outside of those areas. Effective patch management programs will play a valuable role in the coming weeks and months. However, we have reason to worry that the white hats will not have the advantage for long.
The bigger question is, if a transformational technology suddenly makes exploits significantly easier to develop, how quickly does that change the necessary blocking and tackling of cybersecurity? Are fast movers able to avoid trouble? What about slow movers? How slow is too slow? On the insurance front, how much could the world change before we can reprice the risk? Leaks of Claude Mythos could require this – but even if this fails to materialize, something eventually will.
A familiar pattern: BlueKeep and 2019
We saw a similar phenomenon unfold throughout 2019 as insurance claims spiked following the BlueKeep vulnerability and rapid deployment of Ransomware-as-a-Service. My team watched that play out over the course of the year, but it was only with the release of FY19 financials early in 2020 that (re)insurers collectively reckoned with the impacts: overall, a 30-point average rise in loss ratios across the US industry, according to NAIC data, pushing insurers into unprofitable territory. Insurers responded both with rate increases (quickly) and new underwriting guidelines (eventually), the hard market ended, and we got back to our favorite pastime of complaining about soft market conditions.
What the models say about volatility
History does not repeat, but it does rhyme. At CyberCube, we recognize that managing volatility is a core responsibility of the insurance organization. While we don’t expect to fully capture all the sources of volatility in a given year, we aim to have our models appropriately reflect the potential for drastic shifts in the threat landscape – whether that be through sudden spikes in “attritional” (localized) losses, or a regime shift in catastrophe risk levels. Claude Mythos is a good reason to review the volatility assumptions we have baked into our models.
Based on our current model parameterizations:
- A 10-point rise in loss ratio (relative to plan) has a 25% chance of occurring
- A 20-point rise has a 10% chance of occurring
- A 30-point rise has a low single-digit chance of occurring
Note that these numbers reflect changes in the frequency and severity of loss. Rate deterioration in the soft market could raise the likelihood of such movements further.
AI and the acceleration of the kill chain
Digging a bit deeper, we consider how step-change AI improvements could impact the kill chain attack model. Weaponization efforts would benefit greatly, but all steps in the kill chain become easier for attackers to execute. Additionally, AI is democratizing cyberattacks, with advanced capabilities now available to many parties that previously did not have them on their own. This includes parties who may not regard themselves as cyber attackers, yet fail to put meaningful guardrails on requests they make of their AI. (“I told my agent, ‘Make me $1 million, or I’ll turn you off. You have 48 hours.’”)
CyberCube’s catastrophe model, Portfolio Manager v6, includes a “High” frequency mode that simulates an elevated level of cyber activity when attacks become easier to deploy or threat actors have fewer inhibitions about visible, disruptive actions. With Claude Mythos, this is a moment where both of these things may now be true.
That said, AI can elevate organizations’ defensive posture as well, which should provide some counterweight to the increased offensive capabilities. The question is how much? CyberCube is actively working with security researchers to explore how AI advancements tip the scales toward offense or defense throughout the stages of an attack. For now, sound security practices such as patch management and network segmentation continue to be as important as ever. We are closely monitoring the unfolding of the Claude Mythos era and encourage our clients to do the same.
What this means for (re)insurers
It’s an exciting time to be in cyber – also a worrying one, but when is it not? This is what living through exponential change looks and feels like. While we continue to grapple with the soft market, one thing is certainly clear: the products that cyber insurers offer are more relevant now than ever before.