Likelihood: HIGH
Impact: HIGH
Treatment: MITIGATE
Confidence: Moderate
Likelihood is high because AI-enabled personalized phishing is actively displacing bulk campaigns at scale, the attack vector requires no vulnerability or patch cycle, and enterprise email controls broadly remain calibrated to volume-and-pattern detection, which low-volume, individually tailored lures structurally bypass. Impact is high because the targeting is specifically weighted toward individuals with payment authorization, data transfer authority, and access provisioning rights: the exact population whose compromise produces direct financial loss, regulatory exposure, and operational disruption.
Treatment rationale: Transfer is insufficient as a primary treatment because the frequency and severity of business-email-compromise outcomes exceed typical cyber-insurance sublimits, and the control gap is addressable through updated email security architecture and targeted human-risk programs — making mitigation the appropriate primary posture before residual risk transfer is evaluated.
Third-Party / Supply-Chain Risk
Email security platforms, secure email gateways, and managed detection services are third-party dependencies whose threat models and detection logic are predicated on volume-anomaly and signature-matching baselines. Organizations relying on these vendors without validating whether controls have been updated to address LLM-generated, low-volume, personalized lures (for example, by including such lures in phishing simulations and confirming the gateway and detection service actually flag them) carry inherited exposure from vendor capability lag (NIST SP 800-161 Tier 3 dependency risk). Shared email infrastructure and SaaS collaboration platforms (e.g., Microsoft 365, Google Workspace) surface additional risk because attacker reconnaissance increasingly draws on organizational data that is publicly reachable through those platforms, such as externally visible directory entries and documents shared beyond the tenant; the more accurate the pretext, the less the lure resembles anything a volume-based control has seen before.
Loss Exposure (illustrative)
Magnitude: High — illustrative $500K–$5M per material incident, reflecting business-email-compromise wire-transfer fraud, incident response costs, and regulatory exposure for organizations with payment-authorization or regulated-data access in scope
Frequency: Illustrative 1–3 material phishing-enabled incidents per year for a mid-to-large enterprise operating email security controls that have not been updated to address AI-personalized lures, given the structural bypass of existing detection baselines
Annualized: Illustrative ALE range of $500K–$15M annually across the frequency and magnitude bands above; wide range reflects variance in target profile, data sensitivity, and whether a social-engineering event results in funds transfer, data exfiltration, or both
Basis: Loss magnitude anchored to the specific threat consequence chain in this item: personalized lures targeting payment-authorization and data-access roles, producing BEC wire-transfer fraud and/or regulated-data exfiltration as primary loss events; incident response, forensics, and notification costs as secondary. Frequency derived from the item's characterization of AI-phishing as the primary email threat vector, active at scale, with no exploitation barrier (no CVE, no patch cycle, no network access required). No third-party loss reports cited.
Illustrative estimate — not actuarially derived.
Insurance / Contractual / Legal — Potential Obligations
Potential triggers, not legal determinations. Verify with counsel/broker before acting.
• Successful spear-phishing leading to funds transfer or PII exfiltration may invoke cyber-insurance social-engineering or business-email-compromise sublimit provisions — verify with broker whether current policy language and sublimits reflect this threat profile.
• PII or regulated data exfiltration resulting from a phishing compromise may invoke state and federal breach-notification obligations — verify with counsel which jurisdictions and timelines apply.
• Wire-transfer fraud or invoice-manipulation outcomes may engage commercial-crime or financial-institution bond provisions separately from the cyber policy — verify with broker and counsel.