Brokers must 'ask hard questions' about AI coverage

As AI risks become more defined, insurers are sitting up and taking notice

Brokers must 'ask hard questions' about AI coverage

Cyber

By Gia Snape

Historically, the cyber insurance market has been adept at adjusting to new threats over time, and the expectation is that it will do the same with risks related to artificial intelligence (AI) and generative AI.

However, as AI risks become more defined, insurers are starting to craft policies that explicitly address them.

One cyber insurance expert has pointed out the crucial distinction, noting brokers and buyers must start asking hard questions about AI coverage.

"We have to be careful to say that AI is not the same as cybersecurity,” said Kelly Castriotta (pictured), global executive underwriting officer – cyber at Markel. “Just because it's another piece of advanced technology does not mean it's the same.

"The cyber insurance market is proactive and cognizant of the fact that this is not a stagnant type of risk and that it's always evolving. It's not clear exactly how AI will cause loss under a cyber insurance policy. It’s still largely theoretical now.”

Standalone AI insurance versus cyber insurance

Standalone AI insurance products will be fundamentally different from cybersecurity coverage, which focuses on operational losses stemming from cyber attacks and data breaches.

"For those who are building their own AI models and expect a certain result from their AI models, and that does not happen, standalone AI products provide a level of warranty for the performance of that AI,” Castriotta said.

One pressing question is whether insurers will eventually start excluding AI-related risks from traditional cyber policies. "The issue with AI risk is that it can be very broad," she said. "You have data and privacy risk, you have model manipulation risk, you have the risk that there could be bias inherent in the model, there could be supply chain risk, there could be an overreliance on AI for cybersecurity risk, there could be regulatory risk."

Given this wide-ranging exposure, some insurers may determine that AI risks are too unpredictable to cover under existing policies. AI risk may eventually spawn its own category of insurance, much like how cybersecurity insurance developed separately from traditional liability policies.

However, Castriotta believes cyber insurance will remain focused on its core purpose: mitigating operational losses caused by cyberattacks and data breaches. "The core of that product is not changing," she said. "I don't anticipate that AI massively changes the trajectory of some of how cyber attacks are perpetrated."

‘The value proposition of cyber insurance is clearer than ever’

As businesses grapple with increasing AI-related risks, one thing is certain: the need for cyber insurance has never been clearer. Ransomware remains one of the most persistent and damaging threats facing organizations today.

"We did see an uptick in ransomware activity in 2023 and 2024, so those cyber extortion events remain a major threat for organizations, especially in the US," said Castriotta.

Businesses hoping the issue would resolve itself are instead finding that attackers are more sophisticated, more relentless, and more willing to exploit weaknesses wherever they find them.

Alongside the continued threat of ransomware, data privacy liability is emerging as another major area of concern. Companies are facing growing scrutiny over how they protect data, as well as the legal consequences of breaches. Privacy laws are evolving, and so are the lawsuits targeting businesses that fail to comply.

"Legislation and litigation are still being developed in terms of how companies protect their data and what they do in response to when their data is compromised," Castriotta said. "We've seen some emerging privacy litigation coming into the marketplace, such as cases related to tracking pixels, state wiretapping laws, and the Video Privacy Protection Act.”

Increased uncertainty in the world, coupled with heightened cyber risk and data privacy risk, means companies large and small need the protection offered by insurance more than ever before.

However, rising costs in other insurance lines might tempt companies to cut corners on cyber coverage. But Castriotta warned that decision could prove disastrous.

"Unlike casualty and property insurance, cyber insurance is not compulsory, so customers still can forgo that kind of insurance," she told Insurance Business. "We need, more than ever, brokers to engage with customers of all sizes—large enterprises, middle market, and SME—to underscore the importance of cyber insurance.”

Do you agree with Castriotta’s views on AI risk and insurance? Please share a comment below.

Related Stories

Keep up with the latest news and events

Join our mailing list, it’s free!