AI is transforming business operations across critical functions and infrastructure. By doing so, it is exacerbating existing cyber risks and creating entirely new categories of risk. The cyber insurance market response remains fragmented, but the overall direction is clear: stricter underwriting requirements, AI-specific policy enhancements and exclusions, and the emergence of new insurance products designed to address AI-related risks.

The changing nature of cyber risk

Traditional cyber insurance was developed to address a relatively predictable set of risks, including ransomware, phishing attacks, data breaches, and system outages. These incidents typically involve an external threat infiltrating business systems through technical compromise, credential theft, or social engineering.

The deployment of AI technologies is rapidly changing this risk landscape. Threat actors are increasingly leveraging AI to enhance their capabilities, enabling more sophisticated phishing campaigns, automated vulnerability discovery, and deepfake-powered social engineering attacks that are capable of bypassing previously effective controls.

At the same time, organizations deploying AI systems are creating new categories of operational and liability risks that do not fit well into traditional cyber insurance frameworks, especially where no malicious third parties are involved. These exposures include model failures, hallucinations, data poisoning, algorithmic bias, and unintentional disclosure of personal or confidential information through training data or model output.

Because traditional cyber insurance policies respond to security incidents caused by external actors, coverage for losses arising from these new risks may be uncertain or excluded altogether.

Smarter and more demanding underwriting

Insurers are responding by strengthening underwriting requirements. Organizations seeking cyber insurance are increasingly required to provide evidence of their AI governance framework, monitoring and assurance processes, human oversight controls, and third-party AI vendor risk management practices.

A defensible AI governance policy and evidence of governance, once a distinguishing factor, are becoming prerequisites for meaningful coverage and favorable pricing.

Insurers are also deploying AI tools to enhance their risk assessment capabilities. Real-time analysis of the applicant's digital footprint, external attack surface and historical event data enables underwriters to assess risk more dynamically. This is leading to a shift away from static annual questionnaires to a continuous monitoring model embedded in policy terms.

Enhanced coverage and new products

The insurance market is beginning to address AI-related exposures, both through policy endorsements and the development of new products. Although there is no standard market outlook, several common trends are emerging.

Some insurers are introducing endorsements that clarify the treatment of AI-related incidents under existing cyber and technology errors and omissions policies. These endorsements can explicitly cover AI-related losses arising from unauthorized disclosures, social engineering fraud, or third-party AI vendors. Other insurers are seeking to limit risk through exclusions for losses arising from unapproved AI use, failure to implement AI governance controls, or liability resulting from algorithmic decision making.

Many insurers are developing products aimed at AI-specific risks, including regulatory scrutiny arising from AI governance failures, intellectual property claims related to AI-generated content, and business interruption losses due to model failures or corrupted training data. While these products remain relatively new, they reflect a broader shift in cyber insurance from simply responding to data breaches and network security incidents to addressing a broader range of technology and AI-related liabilities.

Implications for organizations

For risk, legal and compliance teams, AI risk and governance are no longer just regulatory or ethical concerns, but enterprise-wide governance and risk management imperatives. They have become a major determinant of insurability. Organizations that can demonstrate strong governance structures, effective vendor oversight, and documented incident response processes for AI-related failures are likely to receive broader coverage and more favorable terms. Those that cannot do so may face restrictive conditions or exclusions exactly when coverage is needed most.

Although the market is still adapting, one conclusion is already clear: traditional cybersecurity threats are evolving, and managing AI risk is a key factor in determining an organization's cyber resilience and ability to obtain meaningful insurance cover.

  • Claudia Jackson, Partner, and Shanae Derman, Senior Associate, Bowmans
