AI is transforming business operations across critical functions and infrastructure. In doing so, it is amplifying existing cyber risks and creating entirely new categories of exposure. The cyber insurance market’s response remains fragmented, but the overall direction is clear: tighter underwriting requirements, AI-specific policy enhancements and exclusions, and the emergence of new insurance products designed to address AI-related risks.Â
The changing nature of cyber risk
Traditional cyber insurance was developed to address what are now a relatively predictable set of risks, including ransomware, phishing attacks, data breaches, and system outages. These events typically involve an external threat actor infiltrating business systems through technical compromise, credential theft, or social engineering.
The deployment of AI technologies is rapidly altering this risk landscape. Threat actors are increasingly leveraging AI to enhance their capabilities, enabling more sophisticated phishing campaigns, automated vulnerability discovery, and deepfake-driven social engineering attacks capable of bypassing controls that were previously effective.
At the same time, organisations deploying AI systems are creating new categories of operational and liability risk that do not fit neatly within traditional cyber insurance frameworks, particularly where no malicious third party is involved. These exposures include model failures, hallucinations, data poisoning, algorithmic bias, and the inadvertent disclosure of personal or confidential information through training data or model outputs.
As traditional cyber insurance policies respond to security incidents caused by external actors, coverage for losses arising from these new risks may be uncertain or excluded altogether.
Smarter and more demanding underwriting
Insurers are responding by strengthening underwriting requirements. Organisations seeking cyber insurance are increasingly required to provide evidence of their AI governance frameworks, monitoring and assurance processes, human oversight controls, and third-party AI vendor risk management practices.
A defendable AI governance policy and evidence of governance, once niche considerations, are becoming a prerequisite for meaningful coverage and favourable pricing.
Insurers are also deploying AI tools to enhance their own risk assessment capabilities. Real-time analysis of an applicant’s digital footprint, external attack surface, and historical incident data enables underwriters to assess risk more dynamically. This is driving a shift away from static annual questionnaires towards continuous monitoring models incorporated into policy terms.
Enhanced coverage and new products
The insurance market is beginning to address AI-related exposures through both policy endorsements and the development of new products. While there is no standard market approach, several common trends are emerging.
Some insurers are introducing endorsements that clarify the treatment of AI-related incidents under existing cyber and technology errors and omissions policies. These endorsements may expressly cover losses arising from AI related unauthorised disclosures, social engineering fraud, or third-party AI vendors. Other insurers are seeking to limit exposure through exclusions for losses arising from unapproved AI use, failure to implement AI governance controls, or liability resulting from algorithmic decision-making.
Many insurers are developing products aimed at AI-specific exposures, including regulatory investigations arising from AI governance failures, intellectual property claims relating to AI-generated content, and business interruption losses caused by model failures or corrupted training data. While these products remain relatively nascent, they reflect a broader shift in cyber insurance from responding solely to data breaches and network security incidents towards addressing a wider range of technology and AI-related liabilities.
Implications for organisations
For risk, legal, and compliance teams, AI risk and governance are no longer solely regulatory or ethical concerns but enterprise-wide governance and risk management imperatives. It has become a key determinant of insurability. Organisations that can demonstrate robust governance structures, effective vendor oversight, and documented incident response procedures for AI-related failures are likely to obtain broader coverage and more favourable terms. Those that cannot, may find themselves facing restrictive conditions or exclusions precisely when coverage is most needed.
Although the market is still adapting, one conclusion is already evident: traditional cybersecurity threats are evolving, and managing AI risk is a critical factor in determining an organisation’s cyber resilience and its ability to obtain meaningful insurance cover.
