Insurance: Protecting Against AI's Dark Side
AI is helping and hurting the cyber market at the same time. It boosts threat detection, automates response, and speeds recovery. It also gives low-skill attackers high-end tools. As one industry leader put it, AI is a double-edged sword and a force multiplier for cyber risk.
How attackers are upgrading with AI
Malicious actors can weaponize and poison corporate AI models, undermining accuracy and outcomes. They're generating convincing phishing emails, fake sites, and deepfake videos that bypass legacy controls. This is pushing security teams, and insurers, to rethink controls, policy wording, and incident response.
Why boards are prioritizing cyber cover
Boards now view cyber as an operational risk on par with weather and political unrest. Demand has expanded as coverage adapts to AI-driven threats, data breaches, and IT outages tied to digital dependence.
Global cyber premiums jumped from $1.5 billion in 2013 to $15 billion in 2023. One major reinsurer projects $16.3 billion by 2025 and average annual growth of 10% through 2030.
Despite that growth, underinsurance is real. A 2024 survey showed less than 20% of respondents carry cyber coverage, versus 60% with property. Rates can shift fast as new loss trends emerge.
What's in the policy now
Today's forms are broader and more consistent than they were a decade ago. Carriers are adding clearer AI-related language, refining state-sponsored and war/hostile act exclusions, and updating how business interruption (BI) is measured after cyber events. Availability and limits have improved, but underwriters expect stronger controls and are clarifying ambiguous exposures.
- First-party: Forensics, data restoration, BI, ransomware payments, crisis PR.
- Third-party: Notification costs, regulatory defense, insurable fines, media liability, network security liability.
Sector exposure isn't equal
Critical infrastructure and energy face the highest stakes: service failures can threaten life and safety. Finance is a prime target because that's where the money is. Healthcare (patient data, critical services) and manufacturing (operational technology and industrial control systems) also carry elevated risk. In practice, anything connected to the internet is in scope.
Capacity, pricing, and volatility
Capacity is healthy. After rates nearly tripled in 2021-2022, reductions of around 10% year-over-year slowed to roughly 5% this year. If claims stay steady, expect flat to slightly down pricing. But the market can turn quickly if loss patterns shift.
Reinsurers are absorbing roughly half of primary cyber premiums in many markets, far more than in typical lines. They remain cautious about systemic risk and accidental single points of failure. The July 2024 CrowdStrike content update that crashed more than 8.5 million systems is a recent reminder, with an estimated $1.5 billion in insured losses across BI, cyber, and system failure covers. Clusters of incidents within a treaty period could also trigger reinsurance unexpectedly.
Alternative capacity: cyber ILS
Cyber catastrophe bonds and other insurance-linked securities can add capacity and spread risk to capital markets. Investor appetite is improving but tempered by uncertainty around large-scale events, policy language variation, and liquidity. Growth depends on attracting capital beyond traditional (re)insurance to absorb unexpected losses.
Playbook for insurance professionals
Carriers and MGAs
- Make AI explicit in forms: define model manipulation, data poisoning, prompt injection, and deepfake-triggered fraud. Clarify what is covered and what isn't.
- Tighten systemic language: vendor outage triggers, hours clauses, event definitions, and aggregation caps by cloud/identity/endpoint providers.
- Refine BI measurement: include partial degradation, degraded transaction rates, and cloud/SaaS dependency outages. Align waiting periods with real recovery times.
- State-sponsored and war wordings: clear tests and carve-backs where appropriate to reduce disputes.
- Underwriting controls: phishing-resistant MFA, EDR/XDR, immutable backups, segmentation, rapid patching, privileged access management, and vendor risk audits.
- AI governance questions: model inventory, training data controls, red teaming for prompt injection, content filtering, data loss prevention for LLMs, and rollback processes for vendor updates.
- Claims readiness: maintain digital forensics panels, incident comms playbooks, and preferred vendors with proven SLAs.
Brokers
- Map client dependencies: cloud, identity, endpoint, payment, OT/ICS, and critical SaaS. Stress-test single points of failure.
- Scenario test: ransomware with data theft, vendor outage, AI model compromise, and deepfake-enabled funds transfer fraud.
- Structure for volatility: layered towers, co-insurance on systemic perils, sublimits for high-frequency losses, and parametric extensions for third-party outages.
- Audit wording gaps across markets to compare apples-to-apples on AI, war, privacy, and BI terms.
Risk managers/insureds
- Prove control maturity: MFA everywhere, least privilege, tested restores, segmentation of crown jewels, and phishing-resistant authentication.
- AI-specific safeguards: restrict training data, monitor prompts, isolate high-risk use cases, and document change-control for model updates.
- Vendor governance: require transparent update processes and rollbacks; track shared dependencies to avoid hidden concentration risk.
- Right-size limits and retentions with quantified BI exposure and realistic outage durations; consider separate limits for vendor outages.
- Run tabletop exercises for ransomware, vendor outage, and AI model compromise. Capture lessons and update procedures.
Reinsurers
- Build accumulation views by vendor, geography, sector, and event type (ransomware, outage, data theft, model compromise).
- Standardize event definitions and hours clauses for cyber outages and correlated ransomware waves.
- Press for consistent primary wording on state-backed events; clarify triggers to reduce litigation risk.
- Pilot cyber ILS with transparent peril definitions and data-sharing to improve investor confidence.
Metrics to watch
- Rate change, limit deployment, and attachment point movement.
- Ransomware frequency/severity and data theft extortion trends.
- Vendor outage incidents and claim push-through to BI.
- Cession rates to reinsurance and any tightening in treaty terms.
- Capital market capacity for cyber ILS and investor pricing.
- Coverage disputes tied to war/nation-state exclusions.
Helpful resources
- Insurance Information Institute: Cyber insurance background
- Geneva Association: Cyber risk transfer to capital markets
Upskilling your team
If your underwriting, claims, or risk teams need a fast primer on AI risk and controls, explore focused courses by job role.