Understanding the Evolving Landscape of AI Risks and Insurance
In recent years, the cyber insurance market has demonstrated remarkable adaptability in the face of emerging threats. As artificial intelligence (AI) and generative AI continue to evolve, insurers are now turning their attention to the unique risks these technologies present. The industry is beginning to craft policies that explicitly address AI-related risks, marking a significant shift in how these threats are managed.
Kelly Castriotta, a global executive underwriting officer for cyber at Markel, emphasizes the importance of distinguishing AI from traditional cybersecurity. “We have to be careful to say that AI is not the same as cybersecurity,” Castriotta explains. “Just because it’s another piece of advanced technology does not mean it’s the same.”
The cyber insurance market is known for its proactive approach, recognizing that risks are not static but constantly evolving. However, the specific ways in which AI might cause losses under a cyber insurance policy remain largely theoretical at this stage.
Standalone AI Insurance versus Cyber Insurance
As the landscape of AI risks becomes more defined, the need for standalone AI insurance products is becoming apparent. These products differ fundamentally from traditional cybersecurity coverage, which primarily focuses on operational losses resulting from cyberattacks and data breaches.
Castriotta highlights the role of standalone AI products, stating, “For those who are building their own AI models and expect a certain result from their AI models, and that does not happen, standalone AI products provide a level of warranty for the performance of that AI.”
One pressing question is whether insurers will eventually exclude AI-related risks from traditional cyber policies. Castriotta notes, “The issue with AI risk is that it can be very broad. You have data and privacy risk, you have model manipulation risk, you have the risk that there could be bias inherent in the model, there could be supply chain risk, there could be an overreliance on AI for cybersecurity risk, there could be regulatory risk.”
Given the wide-ranging exposure, some insurers may find AI risks too unpredictable to cover under existing policies. This could lead to the development of a separate category of insurance for AI risks, similar to how cybersecurity insurance evolved from traditional liability policies.
Despite these developments, Castriotta believes that cyber insurance will remain focused on its core purpose: mitigating operational losses caused by cyberattacks and data breaches. “The core of that product is not changing,” she asserts. “I don’t anticipate that AI massively changes the trajectory of some of how cyber attacks are perpetrated.”
The Value Proposition of Cyber Insurance is Clearer Than Ever
As businesses grapple with increasing AI-related risks, the necessity of cyber insurance has never been more apparent. Ransomware continues to be one of the most persistent and damaging threats facing organizations today. Ransomware remains a significant concern, with an uptick in activity observed in 2023 and 2024.
Castriotta notes, “We did see an uptick in ransomware activity in 2023 and 2024, so those cyber extortion events remain a major threat for organizations, especially in the US.”
Businesses hoping for a resolution to these issues are instead finding that attackers are becoming more sophisticated, relentless, and willing to exploit weaknesses wherever they find them. Alongside the continued threat of ransomware, data privacy liability is emerging as another major area of concern. Companies are facing growing scrutiny over how they protect data, as well as the legal consequences of breaches. Privacy laws are evolving, and so are the lawsuits targeting businesses that fail to comply.
“Legislation and litigation are still being developed in terms of how companies protect their data and what they do in response to when their data is compromised,” Castriotta explains. “We’ve seen some emerging privacy litigation coming into the marketplace, such as cases related to tracking pixels, state wiretapping laws, and the Video Privacy Protection Act.”
Increased uncertainty in the world, coupled with heightened cyber risk and data privacy risk, means companies large and small need the protection offered by insurance more than ever before. However, rising costs in other insurance lines might tempt companies to cut corners on cyber coverage. Castriotta warns that such a decision could prove disastrous.
“Unlike casualty and property insurance, cyber insurance is not compulsory, so customers still can forgo that kind of insurance,” she tells Insurance Business. “We need, more than ever, brokers to engage with customers of all sizes—large enterprises, middle market, and SME—to underscore the importance of cyber insurance.”
Do you agree with Castriotta’s views on AI risk and insurance? Please share a comment below.
Key Considerations for Brokers and Buyers
- Understand the distinction between AI risks and traditional cybersecurity threats.
- Consider the potential need for standalone AI insurance products.
- Stay informed about evolving privacy laws and litigation trends.
- Engage with insurance brokers to ensure comprehensive coverage.
Related Stories
As the insurance industry continues to adapt to the challenges posed by AI, it is crucial for brokers and buyers to stay informed and proactive. The landscape of AI risks is still unfolding, and the need for specialized insurance products is becoming increasingly apparent.
Originally Written by: Gia Snape