Understanding the new landscape of cyber risks
The rapid evolution of artificial intelligence (AI) technology has introduced a range of sophisticated cyber threats that challenge the adequacy of existing cyber insurance policies. This article aims to summarize the types of new AI-related cyber exposures, provide examples of each, highlight what is not currently included in existing cyber coverages or where coverage is silent, and suggest explicit coverages that should be considered. By doing so, we aim to shed light on the need for comprehensive and adaptive cyber insurance solutions tailored to the unique risks posed by AI-driven systems.
To illustrate the growing need for specialized AI cybersecurity insurance, consider the following significant events that have occurred since 2022, which highlight the vulnerabilities and risks associated with AI-driven technologies:
Looking to the future, some predict quantum computing technology could undermine encryption protocols that governments and corporations have relied on for decades, and there is a fear that coupling quantum computing with AI could supercharge a new wave of cyberattacks.
By examining these AI-related cyber events and explicitly addressing the gaps in current coverage, insurers can contemplate comprehensive policies that protect against emerging AI risks. As AI continues to advance, ongoing collaboration between insurers, AI experts and policymakers will be essential to ensure robust and adaptive cyber insurance solutions. Below, we provide a preliminary view on the way we might categorize the nature of new AI-related cyber exposures.
As AI technology integrates into various sectors, it spurs a range of unique cyber exposures. Among these, AI-powered phishing attacks are on the rise. Imagine a scenario where AI analyzes vast amounts of data to craft highly personalized phishing messages. These sophisticated attacks are nearly indistinguishable from genuine communications, making them difficult to detect and leading to significant business interruption and data breaches.
In another instance, autonomous systems like self-driving cars and drones become targets for cyberattacks. Picture multiple autonomous vehicles suddenly malfunctioning due to a hack, causing collisions and raising alarms over the safety of AI-driven technologies. These events highlight the vulnerabilities within the algorithms that control these systems, resulting in physical harm, data theft and operational disruptions.
Adversarial attacks on AI models present yet another threat. Visualize a scenario where attackers manipulate input data to deceive AI models, causing them to make incorrect decisions. This could compromise the integrity of critical applications, such as fraud detection systems and medical diagnosis tools, leading to dire consequences.
Consider also the case of data poisoning, where malicious actors inject harmful data into AI training datasets. This corrupts the models, leading to erroneous predictions or decisions. The reliability of AI systems becomes jeopardized, causing widespread concern and mistrust.
Furthermore, the rise of AI-as-a-Service (AIaaS) platforms introduces new avenues for exploitation. Envision attackers misusing these services to automate cyberattacks, spread misinformation or conduct unauthorized surveillance. To say the misuse of AI technologies presents a daunting cybersecurity challenge would be an understatement.
Current cyber insurance policies offer coverage for a wide array of cyber risks. Given that an abundance of problematic exclusions for losses arising out of AI has not yet been observed in the marketplace, cyber policies could respond if a privacy breach or security failure arises through use of AI. However, these same policies could fall short when it comes to the full spectrum of losses that may result from ineffective use of AI models or non-compliance with AI regulations. Coverage for phishing attacks under cyber policies, for example, typically includes losses that result in data breaches or business interruption. At the same time, given the potential power of cyberattacks supported by AI and quantum computing, a re-evaluation of the adequacy of cyber limits should be considered.
When it comes to losses arising from system failures, cyber policies may cover losses arising from any unintentional or unplanned outage or an administrative error committed by an insured. However, this trigger may not be sufficient for losses that arise from failure of an AI model to perform as intended or expected. In addition, off-the-shelf cyber policies usually do not cover certain ensuing losses such as property damage or bodily injury that arise from cyber incidents. Compounding the problem, expansive cyber exclusions have been added to other property and casualty policies. Therefore, the unique risks associated with AI-driven systems may necessitate specialized endorsements or standalone policies to provide more affirmative coverage for ensuing property damage and bodily injury losses that arise from cyber, technology and AI incidents. Even if these policies don’t include AI exclusions, Willis will be closely monitoring how property and casualty policies respond to these future losses.
Adversarial attacks on AI models create an additional grey area for coverage. Off-the-shelf policies do not cover the costs of model retraining, data validation, incident response or potential litigation stemming from compromised AI integrity that doesn’t necessarily relate to a security failure or privacy breach. Negotiating extensions for betterment coverage where possible is therefore recommended. Data poisoning incidents, often not explicitly covered, require provisions for identifying and removing malicious data, retraining AI models and compensating affected parties. Lastly, the misuse of AIaaS platforms could cause other types of losses not contemplated by an off-the-shelf cyber policy. Coverage for such events should encompass losses from automated cyberattacks, misinformation campaigns leveraging AI and unauthorized surveillance breaches.
In all cases, companies should engage their broker or insurance experts to conduct a robust gap analysis on all of these potential exposures.
Gaps or grey areas with coverage represent opportunities to further protect our clients. To address these issues in existing cyber insurance policies, consideration should be given to the development of new coverages that cater specifically to AI-related cyber events. These may include:
Policies should offer higher limits and tailored coverage for AI-powered phishing attacks, including costs associated with advanced threat detection, response and employee training.
Cyber policies can be modified to extend to non-compliance with laws which govern breaches of privacy. Policies should further be modified to extend to non-compliance with AI laws and regulations, such as the EU AI Act.
Given that cyber, technology and AI exposures can overlap, it’s important to negotiate extensions to the cyber policy where possible. The cyber policy may further need to be customized by the extent to which an insured will be using a third party’s AI model or producing its own models. Where an organization provides a professional service for third parties, evaluating E&O coverage extensions could also be important. Alternatively, some insurers have rolled out standalone AI policies and others are in the process of developing their own AI insurance products. However, the majority of insurers continue to monitor AI exposures. They prefer to wait to study fact-based loss scenarios as a precursor to determining their appetite to offer more robust coverage for AI risks. In the meantime, Willis is proactively evaluating all currently available AI coverage extensions and is bringing AI coverage enhancements forward for organizations where they exist.
The landscape of cyber threats is rapidly evolving with the advancement of AI technology. An off-the-shelf cyber insurance policy is often inadequate in light of the unique risks posed by AI-driven systems. By understanding the nature of these AI-related cyber events and explicitly addressing the gaps in current coverage, insurers can develop comprehensive policies that protect against emerging risks.
As AI continues to advance, ongoing collaboration between insurers, AI experts and policymakers will be essential to ensure robust and adaptive cyber insurance solutions. In the meantime, the role for cyber insurance brokers to bring clarity and value to organizations on AI risks is instrumental.
WTW hopes you found the general information provided in this publication informative and helpful. The information contained herein is not intended to constitute legal or other professional advice and should not be relied upon in lieu of consultation with your own legal advisors. In the event you would like more information regarding your insurance coverage, please do not hesitate to reach out to us. In North America, Willis Towers Watson offers insurance products through licensed entities, including Willis Towers Watson Northeast, Inc. (in the United States) and Willis Canada Inc. (in Canada).