yber insurance can help organizations alleviate the financial impact of cyberattacks and the emerging liabilities related to AI-enabled software tools. But with AI-specific coverage still being developed, businesses should carefully consider cybersecurity and AI insurance options for the most appropriate protection.

Given the steady growth of cyberattacks—especially those powered by AI—cyber risk and AI insurance are becoming indispensable. Major data breaches have struck companies like Microsoft, Google, Apple, and even credit reporting bureau TransUnion. And due to Generative AI (GenAI), more sophisticated tools help hackers carry out more complex crimes. For example, GenAI-fueled fraud is increasing incidents of synthetic identity and deepfake schemes. Deepfake perpetrators are using AI-generated images, videos, and voices to impersonate executives, infiltrate their companies, and steal money.

Cybercrimes involving AI-enabled document forgery and financial statement manipulation are also on the rise. With these scams, bad actors create highly convincing forged documents or reports that may have replicated watermarks, letterheads, and even signatures to facilitate their efforts. Deloitte Center for Financial Services predicts that GenAI-related fraud losses in the United States could reach $40 billion by 2027, up from $12.3 billion in 2023.

Human error and the inherent weaknesses of GenAI—such as its tendency to create inaccurate, biased, and offensive content—can also put organizations at risk. That’s why any business that uses computers and AI should have both cyber and AI insurance, according to Tracey Parrish, principal of Anchorage-based APIA Insurance. “AI and cyber [insurance] should be one; you should have both of them,” she says.

Most organizations do not purchase cyber or AI insurance until they have a claim, but that’s too late, says Parrish. She estimates that only about 25 percent of small businesses and 75 percent of large enterprises carry cyber risk and AI insurance. Healthcare, financial services, and technology companies have an especially critical need for this coverage because they handle a significant amount of information, face stringent regulations, and are more susceptible to data breaches. “If something goes wrong, they have to be able to account for it,” Parrish says.

Cyber and AI insurance are very similar yet distinct types of coverage. Parrish recommends purchasing them together. “Generally, if you need one, you need the other, with everything that’s going on right now,” she says.

A basic cyber insurance policy typically covers data breach, business interruption, extortion, media liability, privacy liability, and regulatory investigation. But when companies use AI, Parrish says, this creates a different set of risks. Therefore, AI insurance often includes errors and omission (also called professional liability) coverage to protect against mistakes and failures associated with AI-related products/services; algorithmic bias coverage pertaining to errors that create unfair or discriminatory outcomes; and intellectual property infringement coverage for defense and damages in copyright, patent, and trademark claims.

Cyber is a broad term; therefore, cyber insurance encompasses multiple coverages and exposures, according to broker Chris Pobieglo, president of Anchorage-based Business Insurance Associates. When selling cyber insurance, he considers the client’s exposure, industry, and other pertinent factors. “We broker cyber policies depending on the needs of the client,” he says. “So not all cyber policies are the same.”

AI is a new element—and the landscape is constantly changing. Hence, companies should view their insurance requirements in different ways. Pobieglo explains, “Are you talking about AI that our clients are utilizing, or are we looking at more of what the hackers and criminals are also using?”

He notes that a lot of AI exposures, like when hackers use AI, are not unlike traditional insurance concerns. “For example, you might have a cyber policy that covers you for phishing schemes (which are involved in about 90 percent of claims). If you’re talking about our customers utilizing AI, some of that may be addressed in the cyber realm and some of it in professional liability coverage,” Pobieglo says.

Cyberattacks occur daily, and human error is to blame for about 90 percent of all cyber breaches, Pobieglo says. Now hackers are exploiting AI to gather vast amounts of information about organizations, often evading traditional methods of detection in the process. “There’s a new criminal out there, and he doesn’t leave his desk,” he says.

Organizations should understand the distinction between first-party and third-party coverage in the context of cyber and AI insurance. Essentially, first-party insurance provides compensation directly to the insured individual or business; third-party insurance compensates another party when the insured person or business is liable for damages. “These are different exposures and determining how those align with an ever-changing insurance coverage will depend on the policy language and the losses,” Pobieglo says. “Both first- and third-party situations can be covered under the cyber, but not necessarily every circumstance.”

Using third-party AI solutions also impacts liability. While some companies opt to develop their own AI tools, many use third-party AI-as-a-service (AIaaS) solutions such as Google Cloud AI and Microsoft Azure AI to build machine learning models and add intelligence to applications. Each of these approaches has its own liabilities and may require different types of insurance coverage. Businesses that create their own AI will likely require cyber and professional liability coverage, and those relying on a third-party AI solution will need a policy that includes broad coverage, Pobieglo says.

“A basic concept in managing risk is to transfer that risk to the party with the best ability to control it,” he explains. “So review the contract and see where the responsibility for the quality of that information lies. Ideally, as an organization, if you are using a third party, you would like them to be responsible for their content, but that’s not always the case, so it may be ‘use this AI at your own risk.’”

Because cyber and AI insurance are relatively new, carriers are not using standard Insurance Services Office forms for these options, according to Pobieglo. Instead, they are “manuscripting” their own forms for policies. This means cyber coverage varies widely from carrier to carrier, so businesses need to scrutinize policy language to ensure coverage meets their needs. One positive aspect of manuscript forms, though, is they give carriers greater flexibility to tailor coverage for clients.

Another important consideration is the broad “act of war” or “state-sponsored attack” exclusions that are part of many traditional cyber insurance policies. With AI blurring the lines of who or what might be behind an attack, businesses must understand how these exclusions apply to cyber incidents. This issue is currently under debate, with some carriers offering specific coverage to address these risks. “The exclusions are often complex because you can’t always attribute a cyberattack to a state,” Pobieglo says. “Some carriers are currently refining their exclusion language to make that clear because there is a lot of muddy water in that area. That’s a very fluid situation.”

The biggest misconception about cyber and AI insurance, according to Pobieglo, is that business owners often believe they have cyber coverage, but they really don’t. Or if they have it, they have a very limited knowledge of what it covers.

Organizations need to fully comprehend their risks and insurance policies. Medium and large businesses should have a cybersecurity expert identify exposures for them. Then they can consult their broker for an explanation of what exposures their insurance covers and review the policy language to enhance their understanding. For instance, “In some cases, the carrier may only cover privacy breach,” Pobieglo says. “It doesn’t cover financial crime, regulatory defense, or anything else… Passive retention risk is not a good situation.”

Many business owners mistakenly assume that cyber insurance covers everything, including AI-related risks, Parrish says. But a cyber policy is not all-inclusive. “It’s not general liability coverage,” she emphasizes. “It’s not property coverage, and it doesn’t cover employees for workers’ compensation.”

Contrary to popular belief, AI coverage is not automatically built into a cyber policy. That’s why Parrish encourages businesses to secure separate AI insurance—even if their only exposure to computerized calamity is posting information on social media platforms. “Even if they just have a Facebook, if there’s anything that has to do with their business on there and someone wants to sue them for whatever reason, that’s an option.”

Parrish says AI-powered cyberattacks are having a noticeable effect on underwriting and pricing for cyber and AI insurance. These incidents have driven up cyber fraud, insurance losses, and premiums. The accelerated use of AI for cybercrime is also challenging underwriters to keep pace. “AI is still new, so underwriters are still learning the tricks of the trade,” Parrish says. “They’re trying to keep up with the criminals, and the criminals are keeping up with them. Both sides are very intelligent.”

The rise of AI-powered cyberattacks has heightened awareness of the potential for more frequent and severe attacks. This has led insurers to increase underwriting scrutiny and to re-evaluate the types of clients that may be most vulnerable, according to James Hajjar, chief product and risk officer for the Portfolio Risk Solutions division of the Hartford Steam Boiler Inspection and Insurance Company. “These circumstances have also elevated the need for insurance buyers to take advantage of cyber-related services like employee training to help prevent an attack before it happens,” says Hajjar, whose firm provides cyber insurance in Alaska through Umialik Insurance Company.

According to Hajjar, most small businesses are aware of the risks of cyberattack, but they do not think those risks pertain to them. Big mistake, Hajjar says. “We know through our claims experience that small businesses are often more susceptible to threats given their lack of relative resources and sophistication compared to larger businesses,” he notes.

Perhaps the most significant benefit of cyber insurance is knowing who to call if a cyberattack occurs, Hajjar says. Most small businesses do not have internal IT staff or someone dedicated to technology. Cyber insurers become that point of contact and quarterback the steps necessary to get clients back on their feet as quickly as possible. “Depending on the circumstances of the attack, a cyber insurance policy might respond by providing coverage for financial losses, reputational damage, and legal fees,” he says. “The policy might also offer support for crisis management, public relations, and forensic investigations to determine the cause of the failure.”

Hajjar points out that insurance carriers have crafted robust cyber endorsement policies that provide significant coverage to small businesses. These policies cover all major cyber risks including cyberattack, data breach, cyber extortion, and fraud. “Adding these endorsements at the point of sale is relatively frictionless and coverage is sufficient for most small businesses, providing limits up to $1 million,” he says.

Larger businesses seeking higher limits and perhaps bespoke coverages should ask their broker about the types of additional threats covered, the policy’s limits and deductibles, and the claims process, Hajjar says. They should also inquire about the broker’s experience with similar businesses and the level of support provided in the event of a claim.

“The digital world continues to evolve, and businesses and individuals become increasingly more reliant on technology,” Hajjar says. “We do not see these trends changing. Cyber insurance and the services that come with it are essential tools to help businesses and individuals stay one step ahead of cyber criminals. As AI-powered threats continue to evolve, it’s crucial for businesses to prioritize cybersecurity, AI governance, and incident response planning to help ensure their businesses can operate safely in this new environment.”

Parrish encourages organizations of all sizes to purchase cybersecurity and AI insurance—regardless of the cost. “If you’re a smaller business, the cost is not going to be as much as it is when you’re a larger business,” she says. “The way I look at it is if you’re a larger business and it’s costing you more, good. That means you’re doing better in business to where you should be able to afford to make some accommodations for it.”

From her perspective, cyber and AI insurance coverage is simply part of overhead and a necessary cost to keep a business running after a loss. “Just pay for it,” Parrish says. “Take care of your business first so that you can continue your lifestyle and your employees can continue having their jobs. Don’t sleep on cyber or AI.”

Cyber insurance: Also called cyber liability insurance, this policy protects businesses from the financial fallout of a cyberattack. It helps businesses manage costs associated with internet-based threats. Any organization that stores sensitive data online or relies on digital operations should consider this insurance, especially small businesses that are frequently targeted due to typically weaker security measures.

Errors and omissions insurance: Protection against financial losses resulting from mistakes, oversights, or negligence when providing AI-based products or services. It covers financial losses clients suffer when its product or service does not perform as it should. Failing to meet contractual obligations or performance standards can lead to lawsuits for negligence or breach of contract.

Bias and discrimination coverage: AI decisions that result in discriminatory outcomes—whether intentional or not—can result in costly lawsuits and reputational damage. This coverage helps protect against financial losses and maintain the trust of their clients and other stakeholders. Areas like lending, healthcare, and hiring are particularly susceptible, especially when algorithms are trained on incomplete or unrepresentative data.

Intellectual property claims coverage: AI technologies might, depending on design, sweep up copyrighted, trademarked, or patented material. Accusations of IP theft can lead to court orders that halt product distribution or even large monetary damages. IP disputes are common in industries like healthcare, financial technology, and autonomous vehicles, where innovation and competition are intense.

Regulatory investigation coverage: This coverage provides financial and legal support during investigations by regulatory bodies concerning non-compliance with data protection or AI transparency laws. It also covers the costs of legal counsel and preparing for audits.