MCP: The quiet AI risk building inside insurance portfolios
Model Context Protocol (MCP) is quickly becoming the connective plumbing that links generative AI to real business systems. It's great for productivity: AI can query tools, data, and applications in real time. But it also creates a new layer between systems that attackers can target.
As adoption spreads through vendors and digital supply chains, exposure often grows long before underwriting reviews catch it. The result: a moving target at the insured level and correlated risk at the portfolio level.
Why MCP matters for underwriting
AI is changing how companies operate and how we evaluate them. Underwriting can benefit: AI can scan claims histories, internal controls, and external signals faster than legacy approaches. But the same plumbing increases shared dependencies across vendors, clouds, and integrations.
One misconfiguration or over-permissive connector can impact multiple policyholders. That's the scenario that drives accumulation risk and unsettles pricing models.
How MCP attacks unfold (mapped to the kill chain)
- Recon: Adversary profiles MCP connectors, scopes, and permissions across tenants and vendors.
- Weaponization: Polymorphic malware or prompt-injection payloads shaped to the model, tool, and data context.
- Delivery: Queries that look helpful, app-to-app messages, or "automation" tasks routed through MCP.
- Exploitation: Overly broad roles, weak allow-lists, or default scopes grant access to sensitive data and actions.
- Installation: Persistent connector, long-lived tokens, or shadow automations embedded in workflows.
- C2 and Actions: Data siphoned, records altered, lateral movement via the same MCP pipes.
Insurers can use this model to score control maturity and stress-test claims severity at each stage of the chain.
Early-warning metrics you can request
- Count of MCP/LLM tool integrations by environment (prod, staging, dev), with data sensitivity tags.
- OAuth/token hygiene: max token lifetime, rotation cadence, enforced least-privilege scopes, and break-glass controls.
- Allow-listing: which tools, data stores, and actions are explicitly permitted vs. blocked.
- Audit coverage: percent of MCP events logged (prompts, tool calls, data reads/writes) and retention period.
- Anomaly detection: whether a model exists for spotting unusual automated actions, and the mean time to revoke compromised connectors.
- Third-party concentration: top shared MCP vendors/connectors across the firm and critical suppliers.
- Change velocity: weekly volume of new connectors/permissions, with approval route and rollback plan.
Underwriting checks and questionnaire upgrades
- Identify all MCP gateways, LLM frameworks, and vendor-provided plugins in use; map data classifications they touch.
- Ask for a permissions matrix: which connectors can read, write, delete, or move data; who can approve scope changes.
- Confirm production guardrails: prompt-injection filters, output validation, and human-in-the-loop for destructive actions.
- Require evidence of red-teaming or tabletop exercises focused on AI/MCP abuse paths.
- Test dependent business interruption (BI) exposure: what happens if a shared MCP provider is unavailable for 72 hours?
Policy wording moves to consider
- Definitions: Clearly define "AI-enabled incident," "MCP connector," and "automated action" to avoid ambiguity.
- Sublimits/coinsurance: Apply where unvetted connectors or broad scopes are present; step up limits with evidence of control maturity.
- Conditions precedent: Logging of MCP events, rapid revocation capability, and approval workflows for permission changes.
- Dependent BI: Extend or clarify coverage for outages at shared MCP providers or widely used plugins.
- Data integrity: Explicit coverage for AI-initiated record alteration and the cost to validate/restore at scale.
- Notification: Shorter reporting windows for AI-driven exfiltration or manipulation incidents.
Portfolio defenses for carriers
- Continuous portfolio monitoring for shared MCP vendors, overlapping plugins, and concentration hotspots.
- Vendor dependency graphs that flag where one connector crosses multiple insureds or critical suppliers.
- Trigger-based oversight: re-rate or require controls when MCP permission creep or new high-risk connectors appear.
- Scenario analytics aligned to AI attack patterns; feed results into accumulation caps and facultative placements.
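As an added example (not from the original article), the concentration check described above, written as a small Python script over a constructed connector inventory: it finds vendors shared across several insureds and counts how many of those connectors are over-scoped or carry long-lived tokens, which also covers the early-warning metrics listed earlier. Insured names, vendor names, scopes, and thresholds are hypothetical.

```python
from collections import defaultdict

# Constructed sample inventory: one row per MCP connector an insured has
# disclosed (hypothetical insureds and vendors, not real firms).
INVENTORY = [
    {"insured": "Acme Retail", "vendor": "CRMBridge", "env": "prod",
     "scopes": {"crm:read", "crm:write", "files:read"}, "token_hours": 720},
    {"insured": "Acme Retail", "vendor": "DocSearch", "env": "prod",
     "scopes": {"files:read"}, "token_hours": 1},
    {"insured": "Brightline Logistics", "vendor": "CRMBridge", "env": "prod",
     "scopes": {"crm:read"}, "token_hours": 8},
    {"insured": "Brightline Logistics", "vendor": "LedgerSync", "env": "prod",
     "scopes": {"ledger:read", "ledger:write", "ledger:delete"}, "token_hours": 8760},
    {"insured": "Cobalt Health", "vendor": "CRMBridge", "env": "staging",
     "scopes": {"crm:read", "crm:write"}, "token_hours": 24},
    {"insured": "Cobalt Health", "vendor": "LedgerSync", "env": "prod",
     "scopes": {"ledger:read"}, "token_hours": 8},
]

MUTATING = ("write", "delete", "move")  # scope verbs that can alter data

def is_over_scoped(row, max_token_hours=24):
    """A connector is over-scoped if it can mutate production data or
    carries a token that outlives the rotation threshold (assumed 24h)."""
    mutating = any(s.split(":")[1] in MUTATING for s in row["scopes"])
    return (mutating and row["env"] == "prod") or row["token_hours"] > max_token_hours

def shared_vendors(inventory):
    """Vendor -> set of insureds relying on it; only vendors crossing two or
    more insureds are returned, since those are the accumulation candidates."""
    by_vendor = defaultdict(set)
    for row in inventory:
        by_vendor[row["vendor"]].add(row["insured"])
    return {v: i for v, i in by_vendor.items() if len(i) >= 2}

def concentration_hotspots(inventory, max_token_hours=24):
    """Rank shared vendors by insureds exposed, then by weak connectors."""
    hotspots = []
    for vendor, insureds in shared_vendors(inventory).items():
        weak = sum(1 for r in inventory
                   if r["vendor"] == vendor and is_over_scoped(r, max_token_hours))
        hotspots.append({"vendor": vendor, "insureds": len(insureds), "over_scoped": weak})
    return sorted(hotspots, key=lambda h: (h["insureds"], h["over_scoped"]), reverse=True)

if __name__ == "__main__":
    for hotspot in concentration_hotspots(INVENTORY):
        print(hotspot)
```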
Two stress scenarios to model now
- Polymorphic exfiltration via over-scoped MCP: An AI tool with read/write to CRM and file storage is nudged by crafted prompts to stage and drip data to an attacker. Losses: privacy notification, regulatory fines, class action defense, and data restoration across multiple insureds using the same connector.
- Plugin supply-chain manipulation: A widely used MCP plugin update introduces malicious behavior that quietly alters financial or policy records. Losses: integrity verification at portfolio scale, business interruption across shared dependencies, and reputational harm.
Practical controls brokers can push to clients
- Enforce least-privilege scopes, short-lived tokens, and mandatory approval for any scope escalation.
- Allow-list tools and datasets; block destructive actions unless a human confirms with step-up authentication.
- Segregate sensitive workflows; run AI automations in constrained sandboxes with egress controls.
- Deploy prompt-injection and data-loss prevention filters; validate model outputs before they trigger actions.
- Harden the MCP gateway: patch cadence, MFA for admins, network isolation, and signed connector updates.
- Log every tool call, permission change, and data action; send to a SIEM with anomaly rules tuned for AI behaviors.
- Conduct AI-specific red team tests and purple-team drills; rehearse token revocation and connector rollback.
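As an added example (not the article's or any vendor's code), the allow-list, step-up and logging controls above combined into one policy gate in Python: each tool call is checked against an allow-list, stale tokens are refused, destructive actions are held until a human has confirmed with step-up authentication, and every decision is emitted as a JSON audit event suitable for a SIEM. The policy values, tool names, and sample calls are constructed for illustration.

```python
import json

# Hypothetical gateway policy (constructed): each tool lists the actions the
# allow-list permits; any tool or action absent from it is denied.
POLICY = {
    "allowed_tools": {"crm": {"read", "update"}, "files": {"read"}},
    "destructive_actions": {"update", "delete", "move"},
    "max_token_age_s": 3600,  # short-lived tokens: one hour assumed
}

def evaluate_call(call, policy, now):
    """Decide allow / deny / step_up for one MCP tool call and return the
    decision with a SIEM-ready audit event (every call is logged)."""
    tool, action = call["tool"], call["action"]
    decision, reason = "allow", "allow-listed"
    permitted = policy["allowed_tools"].get(tool)
    if permitted is None or action not in permitted:
        decision, reason = "deny", "tool/action not on allow-list"
    elif now - call["token_issued_at"] > policy["max_token_age_s"]:
        decision, reason = "deny", "token exceeds maximum lifetime"
    elif action in policy["destructive_actions"] and not call.get("step_up_confirmed"):
        decision, reason = "step_up", "destructive action needs human step-up"
    event = {"ts": now, "tool": tool, "action": action,
             "principal": call["principal"], "decision": decision, "reason": reason}
    return decision, json.dumps(event, sort_keys=True)

# Constructed sample calls as an MCP gateway might see them.
NOW = 1_700_000_000
CALLS = [
    {"tool": "crm", "action": "read", "principal": "sales-bot", "token_issued_at": NOW - 60},
    {"tool": "crm", "action": "update", "principal": "sales-bot", "token_issued_at": NOW - 60},
    {"tool": "crm", "action": "update", "principal": "sales-bot", "token_issued_at": NOW - 60,
     "step_up_confirmed": True},
    {"tool": "files", "action": "delete", "principal": "cleanup-bot", "token_issued_at": NOW - 60},
    {"tool": "crm", "action": "read", "principal": "stale-bot", "token_issued_at": NOW - 90_000},
]

if __name__ == "__main__":
    for c in CALLS:
        decision, event = evaluate_call(c, POLICY, NOW)
        print(decision, event)
```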
Helpful references and upskilling
For control baselines and testing ideas, see the OWASP Top 10 for LLM Applications. For threat modeling by phase, the Cyber Kill Chain remains a useful lens for AI-linked attacks.
If your team is building AI literacy for underwriting or portfolio management, you can explore role-based learning paths here:
Bottom line for insurers
MCP is spreading through everyday workflows, often quietly, and it expands the attack surface between systems. Treat it as a first-class exposure.
Tighten underwriting questions, add data-driven conditions, and build portfolio-level visibility for shared connectors. Early detection of dependencies and permission creep will decide who prices this risk well, and who gets blindsided.