The rise of synthetic media is transforming the cyber threat landscape, exposing businesses to new forms of fraud, regulatory scrutiny and brand sabotage. As the UK and EU ramp up enforcement, brokers and insurers must rethink how risk is assessed, managed and mitigated.
“AI is clearly shaping the cyber risk landscape,” said Lindsey Maher, head of cyber business development at CFC. “It's accelerating the speed and scale of attacks, and raising the real possibility of systemic events impacting multiple policyholders at once.”
Simon Højmark, cyber product manager at QBE Europe, agreed that the proliferation of generative AI is materially reshaping cyber risk. “Generative AI allows criminals to scale social engineering operations and impersonations that previously required a certain skillset, so cyberattacks are now more frequent and sophisticated,” he said. “With lower barriers to entry for cybercriminals, even unskilled actors can generate convincing voice or video impersonations to commit fraud.”
Deepfakes are enabling more convincing impersonations that bypass technical controls and exploit human trust. For Maher, the top concern remains social engineering fraud.
"Deepfakes tend to supercharge social engineering attacks, which for us have historically always been the largest driver, by frequency, of UK cyber claims for our policyholders," she said.
Reputational damage is a close second, particularly for SMEs, which make up around 99.8% of UK businesses, according to government data. A single incident can have outsized consequences.
"Reputational harm is instantly disabling. It’s extremely hard to quantify as well," Maher said. "For a business's brand in its early days, or a startup in growth mode, that is incredibly impactful when they get hit and is often make-or-break for the business."
Højmark added that reputational and regulatory fallout often accompany financial losses. “This type of incident can also have devastating effects on a business’s reputation, as well as expensive regulatory costs, with potential fines for data breaches or security failures,” he said.
Most standalone cyber policies are already structured to respond to deepfake-related incidents, including fraud, business interruption and reputational fallout.
"Most standalone cyber policies will cover the core impacts that we would see from those attacks: social engineering fraud, business interruption, data breaches, and the reputational fallout that follows from them," Maher said.
She cautioned that overly specific policy wording can backfire. “Explicitly naming deepfakes or any other emerging threat can actually unintentionally narrow coverage, because it implies that by affirmatively naming this particular threat, anything that's not listed might fall outside the insurer's scope. Broad definitions really matter when it comes to cyber,” she said.
Højmark noted that while cyber, D&O, and media liability policies can respond to different aspects of a deepfake incident, there may still be gaps. “Many deepfake incidents involve hybrid techniques,” he said. “While existing lines cover parts of the exposure, coverage gaps may still occur. That’s why brokers have such an important role: they can guide businesses and help them identify what types of protection they need.”
With limited historical claims data, insurers are adopting a forward-looking approach, focusing on behaviours like social engineering and human error rather than past losses.
"Insurers are looking at the underlying behaviours that deepfakes tend to enable," Maher said, noting that human error has consistently driven a high volume of claims.
She cautioned against tightening underwriting requirements too far in response. "Policyholders are inherently better risks with cyber insurance, as they have a team of experts proactively detecting threats on their behalf. We want to make sure we're not using the next wave of threats or attacks as a reason to ask more underwriting questions up front."
According to Højmark, even without specific deepfake loss histories, insurers can still model risk. “They can examine wider trends like ransomware or phishing statistics, at the same time as evaluating a business’s situation, especially its IT security, governance and third-party dependence,” he said.
Education is essential, Maher said, as deepfakes are designed to deceive individuals rather than bypass systems.
"The most important step that brokers and clients can take is to recognize that deepfake attacks are designed to bypass technology and they target people and employees," she said.
She encouraged brokers to better understand the detection and response tools embedded in many cyber policies.
"They need to know what capabilities and risk-management tools are available for free with the policy at their client's disposal, including detection tools on behalf of their clients as they relate to deepfakes."
Højmark echoed the need for human awareness alongside technical tools. “Human intelligence is a crucial line of defence,” he said. “We can’t recommend enough organising training so staff can better recognise AI-generated impersonation.”
Regulators are beginning to set clearer expectations around AI misuse. Last month, the European Commission opened a formal probe into the Grok AI chatbot after it generated non-consensual synthetic images, including sexualised depictions involving minors. Meanwhile, the UK’s forthcoming Cyber Security and Resilience Bill will require minimum cyber standards across all sectors.
"I think it would be reasonable to expect that emerging regulation, like we've seen with previous regulations anywhere around the world, will influence insurance practices," Maher said.
"Those obligations are already becoming more defined, and I think they will inevitably shape how insurance coverage is assessed and how insurers underwrite the risk."
Højmark pointed to the EU Artificial Intelligence Act, which takes effect in August 2026 and will require deepfakes to be disclosed as AI-generated or manipulated content. “Insurers need to help businesses manage evolving technology and risks,” he said. “AI is no exception, and as the AI-related risk landscape shifts, we continue to tailor our approach and coverage to meet the needs of businesses.”
In a world where AI can fabricate sound and sight in real time, the ability to detect deception – and insure against its consequences – is fast becoming a strategic necessity.
"A strong security posture today doesn't really guarantee what resilience looks like tomorrow, with how that risk changes throughout weeks and months and years," Maher said. "Cyber risk is no longer static. It's fluid, and it's accelerating."