Organizations should be wary of emerging cyber threats, including the difficulty of managing artificial intelligence, as the volume and sophistication of attacks increase, chief information security officers say.

Developments in deep learning and quantum computing, the internet of things and new bot spy devices are also causing concerns, said Patricia Titus, chief privacy and information security officer at Markel Corp. in Richmond, Virginia.

She spoke during a session with other chief information security officers during the Minneapolis-based Professional Liability Underwriting Society’s 2021 cyber symposium, which was held virtually last week.

“We had quite a year in 2020, and it’s not going quite as well in 2021 as we had hoped,” said Ms. Titus, who moderated the session.

Criminals are more persistent and sophisticated, and activists, nation states and disgruntled insiders continue to cause cyber security concerns, said Phil Venables, New York-based chief information security officer for Google Cloud, a Google LLC unit.

Threats appear to be directed toward the software supply chain, as bad actors look for weaknesses, and there will likely be more events in the sector as companies reorganize themselves.

Ransomware attacks have evolved from criminals demanding payment in return for allowing companies to access their captured data to criminals threatening to release exfiltrated data. 

Opportunistic criminals continue to look for weaknesses they can harvest for later attacks, Mr. Venables said. But while the number of incidents is growing, there are companies that are addressing the issue, he said.

Mike Convertino, chief security officer for cyber program manager Resilience in Seattle, discussed “package confusion” attacks. According to reports, these attacks, which have also been called “dependency confusion attacks,” involve software containing malicious code that is uploaded to public code repositories and given a name identical to one used by legitimate developers, which are then downloaded by unsuspecting developers. 

This is similar to what happened with the SolarWinds attack, Mr. Convertino said.

“Some companies police that better than others, but many do not,” he said.

The insurance industry and underwriters should “ask more questions about the dependence of the business on this type of programming,” Mr. Convertino said.

Discussing AI, machine learning and quantum computing, Ms. Titus said there is a responsibility for organizations to use AI without “going off the guard rail” in the same way that the fictional computer HAL did when it took over the spaceship in the 1968 movie “2001: A Space Odyssey.”

In reality, AI can potentially give governments the ability to identify anyone on the street, Mr. Convertino said. On the other hand, AI can expedite getting through airport security. “Like a lot of things that are constructed by engineers and intended for a certain person, they can also be abused,” he said. 

During a session on cyber control measures, Joe Mann, CEO of Washington consulting firm Arete Advisors LLC, said there are about 30 ransomware variants circulating with more criminals threatening to release exfiltrated data. “It just ratchets up the chaos and the crisis scenario that happens,” he said.  

Ransomware exposure can affect multiple policyholders at the same time, said John Menefee, Cleveland-based cyber risk product manager at Travelers Bond and Specialty Insurance, a unit of Travelers Cos. Inc.

“There’s not a great way to write that type of risk, though I think a lot of carriers up until this point have addressed the exposure mostly with limits management,” he said.

Most claims are from organizations “that have very poor controls,” Mr. Menefee said.

Jon Rose, Washington-based vice president, channel and strategic alliances, with Bishop Fox Inc., a computer security company, said best practices can mitigate the risk, which include knowing the location of a company’s “crown jewels.” 

The session was moderated by Jennifer Coughlin, a partner with Devon, Pennsylvania-based Mullen Coughlin LLC, which specializes in data privacy issues.