AI and cyber risk are reshaping executive coverage strategies
AI adoption and persistent cyber threats are forcing a reset in executive coverage. Boards are facing higher exposure as regulators and plaintiffs scrutinize how leadership governs technology, data, and disclosure.
Since March 2020, there have been 53 AI-related securities class actions. Data breaches have triggered 35 such actions since January 2017. With two-thirds of Fortune 500 companies referencing AI in their 2024 10-K filings, disclosure risk is moving from abstract to immediate.
Why this matters for D&O: governance now drives the risk
"Executive liability underwriting is no longer just about underwriting financial statements," said Bryant Baloloy, CEO of Diamond Head Specialty Underwriting. "It's about how the board and management handle technology and cybersecurity, resilience and AI accountability as well."
The shift is clear: D&O underwriting is becoming governance-based. Underwriters are probing how leadership sets policy, oversees vendors, and verifies what gets disclosed to the market. Overpromising on AI or security is now a securities claim waiting to happen.
What underwriters are looking for
- Board oversight: clear AI and cyber expertise at the board or advisory level; reporting cadence; documented accountability.
- Policies and controls: acceptable-use rules, model testing, data rights, red-teaming, incident response, and crisis communications.
- Third-party risk: vendor diligence, contractual indemnities, and monitoring of AI/cloud providers.
- Disclosure discipline: risk-factor language, safe harbor use, and "under-promise, over-deliver" practices tied to AI claims.
Drawing the line: cyber vs. D&O
More carriers are carving out cyber events from D&O and steering those losses to standalone cyber. The breach itself belongs on the cyber policy. But oversight and decision-making by management (strategy choices, disclosure, supervision) remain squarely in D&O.
The overlap is where claims will test programs: was the loss caused by a security failure (cyber) or by misstatements and governance breakdowns (D&O)? Coverage mapping and wording precision matter more than rate alone.
Do you need AI-specific insurance?
Baloloy sees a standalone AI product as premature. The current market can absorb these risks through D&O and cyber, until exclusions change. Spinning up a new class now invites adverse selection and confusion over what gets ceded from existing lines.
Practical move: fortify governance and wording. If exclusions arrive later, reassess. Until then, avoid fragmenting your program without a clear gap to fill.
Regulatory volatility is raising EPL and D&O pressure
Policy shifts are accelerating, with frequent executive actions and reversals on sensitive employment topics. Changes tied to gender-based bathroom rules and affirmative action raise the odds of Title VII disputes; see the EEOC's guidance on Title VII.
On the D&O side, the SEC's rollback of NASDAQ board diversity rules in December 2024 underscores the swing in expectations. Insurers winning in this climate are not just transferring risk; they are helping clients work through policy updates, audits, and communications.
Market dynamics: compete smarter, not cheaper
Post-hard market, new entrants have flooded D&O. Competing on price alone is a dead end. The edge comes from speed, clarity, and valuable services.
- Operational speed: API-driven submissions, instant triage, and underwriter tooling for faster decisions.
- Client services: legal hotlines, disclosure reviews, incident tabletop exercises, and board education on AI/cyber governance.
- Data-led underwriting: automated controls assessments and vendor-risk signals tied to pricing and terms.
Action list for boards, CFOs, CROs, and brokers
- Tighten disclosure: scrub AI claims in earnings and filings; align marketing with risk-factor language; avoid hype.
- Clarify governance: assign AI accountability; set model risk standards; record board briefings and decisions.
- Map coverage: review D&O vs. cyber boundaries, severability, conduct exclusions, and any cyber carve-outs.
- Pressure test incidents: run a breach + disclosure scenario; pre-draft market communications; define counsel roles.
- Vendor discipline: upgrade contracts for data rights, indemnities, audit rights, and AI model provenance.
- EPL posture: refresh policies and training tied to Title VII; document rationale for decisions that affect protected classes.
- Submission strength: include AI policy summaries, board oversight memos, tabletop outputs, and third-party audit results.
Key takeaway
Governance is the new loss control. The companies that set sober disclosures, enforce AI policies, and prove board oversight will win on claims and terms. The carriers that build faster workflows and real risk services will win on retention.