The cyber insurance market is already reassessing how much exposure it is willing to carry to artificial intelligence, even as the risk remains difficult to quantify.
That shift is coming into focus following concerns around Anthropic’s “Mythos” model and its ability to identify software vulnerabilities at speed. The initial fear has centred on aggregation, as faster vulnerability discovery could increase both the frequency and severity of cyber claims across multiple insureds.
However, the more immediate impact may sit elsewhere, in how policies are written and what they are prepared to respond to.
George Grimshaw, divisional head of technology and cyber insurance at Clear Group, pointed to the potential impact if the technology were misused.
“If it falls into the hands of those that have more nefarious intentions, such as cyber threat actors, then the frequency and severity of the claims can just shoot up massively,” he said.
He added that the model’s ability to identify vulnerabilities “in absolutely no time” could influence how insurers approach underwriting, particularly in a market where competition has driven softer conditions.
“We're moving into a space now where I think that underwriting really needs to have a deeper insight into what a client's risk profile is,” he said.
The clearest near-term response is emerging at the level of policy design. Grimshaw said the market is reassessing how AI is treated within cyber wordings and whether existing structures can absorb the exposure.
“As AI evolves and grows, we're going to start seeing some tweaks to policy wordings, to endorsements, to exclusions, and we're going to perhaps see AI enabled attacks being excluded,” he said.
“There’s definitely conversations going on back of house as to whether they want to automatically include it anymore or not.”
That direction of travel is already visible beyond cyber. Parts of the market are beginning to clarify, and in some cases restrict, their exposure to AI-related risks. This includes introducing, or seeking approval for, exclusions in liability policies where loss triggers remain unclear.
The pattern is familiar. Where risk is difficult to model, insurers often move first to define, or limit, what is covered. Grimshaw said that process could extend further if AI-driven losses begin to take on more systemic characteristics.
“We could see not only just an exclusion, but we could also see Lloyds getting involved and looking at doing what they've done with war exclusions on cyber policies and deeming it a systemic risk and asking for it to be excluded across the market,” he said.
Any such move would raise broader questions about how businesses access protection for AI-related risk, including whether alternative structures, similar to terrorism or flood schemes, may be required.
Not all market participants see AI as a step change in attack sophistication. Tom Dryden, head of cyber, Europe at McGill and Partners, cautioned against overstating its immediate impact.
“I think we as a broader cyber and technology market can get caught up by a lot of this, the noise and hype around AI,” he said. “I think yes, it will change the frontier, but maybe not as extremely as people think.”
Instead, Dryden said the more immediate effect is likely to be an increase in the number of credible attackers.
“Probably what it's going to really impact is those very ordinary hackers or people who couldn't even hack before and actually turn them into credible hackers,” he said.
That shift has implications for insurers. A broader distribution of attacks, particularly among less mature organisations, increases the likelihood of claims falling into areas where coverage may be less clear.
For now, there is little evidence that AI alone will shift the market cycle. Asked whether AI could accelerate systemic losses, Sam Cheshire, head of cyber (UK retail) at Gallagher, struck a more measured tone.
“I don't think it's quite as doom and gloom as the question implies,” he said. “Both sides of the coin are using AI.”
He added that while developments such as Mythos raise questions, they are unlikely to drive an immediate hardening. Grimshaw echoed that view, saying current conditions are likely to persist unless losses begin to materialise at scale.
The direction of travel is clearer at a structural level. If AI-driven losses become harder to define and contain, the question may not be pricing, but coverage. The next phase of the cyber cycle may be defined not only by how much insurers pay, but by how policy wordings respond to those losses.
