Risk managers should prepare for more probing questions from insurers on artificial intelligence (AI), but broad-brush exclusions are not yet on the cards, according to experts.
AI-exposures for most corporates are currently covered by standalone cyber insurance policies, brokers and insurers told Commercial Risk Europe. However, cover is currently “silent”, with only a few carriers offering explicit or affirmative AI coverage.
Key risks associated with AI include data privacy and infringement of intellectual property, as well as liability from hallucinations, where AI systems generate false information. AI also has implications for cybersecurity, with criminals potentially using technology to generate malware, more effective phishing emails and deep fakes.
For the most part, these risks would be covered by existing insurance products, according to Bob Wice, head of underwriting management for Beazley’s global cyber risks division.
“Whether its copyright and intellectual property, cybersecurity or the provision of an AI service… At this point I do not see why there wouldn’t be [cover], unless an underwriter does not like what they are seeing and puts in an AI exclusion. It hasn’t happened yet, and I don’t see it happening [at present]. That could change with use cases that go beyond what a cyber insurance policy should cover,” said Wice.
Aldo Borsani, head of cyber for Europe at A J Gallagher, agreed that exposures arising from AI-related security or systems failure, with subsequent liability or IP infringement, should be covered under standard cyber wordings.
“Despite not every insurer having the same appetite across the different segments or industries, due to the number of carriers offering cyber coverages today, a solution either on a standalone or through a package policy can be found for almost any client,” he said.
“However, not every aspect of risk from the use of AI is insurable under a traditional cyber policy. To mention a few: the financial losses due to AI performance degradation without an interruption in service, AI-based decision making or fines associated with regulatory compliance issues,” he added.
According to Borsani, most cyber policies available in the market provide “silent coverage” for AI. Insurers only offer a specific solution in a limited number of cases.
AXA XL provides affirmative coverage via a specific endorsement, while Munich Re and Armilla AI, a Lloyd’s-based AI specialist insurer, now offer standalone AI insurance solutions, he explained.
But insurers are preparing to ask more probing questions about artificial intelligence at future renewals as underwriters seek to better understand the risks and coverage implications, according to Chris Williams, partner at law firm Clyde & Co in London.
“Insurers will be more active in asking questions and engaging with insureds as to what AI they are using, what they are using it for, and what governance structures they have by way of risk mitigation,” Williams told CRE.
“Insurers are asking lots of questions – not to be difficult to the insureds, but to find out if they are already covered,” he said. Through this process, they can identify novel uses of AI where insureds may not be covered, which makes it easier to identify whether bespoke cover is needed, he said.
Insurers will be looking for buyers to proactively offer up information on AI and governance, continued Williams. “Insurers do not want to be chasing insureds for information and getting limited answers in response. Insurers really like open dialogue, which is good when you start talking premiums and renewals,” he said.
AXA XL is already engaging with its cyber clients about AI, said Carlos Rodríguez Sanz, the insurer’s regional cyber product leader for APAC and Europe.
“We are looking for information on how companies are using AI – just like any other tool in their systems – to assess specific risks associated with its use, and the security measures in place to mitigate these risks. We’re now also engaging with clients who are using generative AI, or Gen AI, to create their own large language models,” he said.
Williams does not expect the insurance market to introduce broad exclusions for AI in the foreseeable future, but the technology is evolving so rapidly he is keen to acknowledge that position may change.
Leading cyber insurer Beazley has no plans to exclude AI, according to Wice.
“We haven’t come out with anything to clarify that a definition in our policy needed to be expanded to include artificial intelligence, although a couple of insurers have done so… Overall, there has not been anything like an artificial intelligence exclusion at this point,” he said.
While Wice does not expect the market to widely exclude AI, he does anticipate growing interest from underwriters in AI activities and governance.
“It’s a work in progress. We are in the early stages of understanding how claims might come through, and we are in a position where we have to evaluate. This is a dialogue with brokers, insureds and the technology companies that we have close relationships with. What are the risks they are worried about? What are the risks they talk about to manage against, and how do they think their insurance coverage should work?” he said.
“We as the risk bearers need to think about how you price for that, how you set a deductible or retention that is adequate, and how you make sure you can underwrite against the management of those risks. It’s early days, and we haven’t seen books of business affected by this so much that there has been [the need for] an artificial intelligence exclusion deployed across the market,” said Wice.
Borsani also doesn’t expect the cyber insurance market to exclude AI for now, but would like to see clarity in cover.
“In my opinion, cyber insurers should take the long-term view that AI will become an integral part of their insured’s IT systems and compare this to how the adoption of cloud technology started over ten years ago, ensuring their policies include a definition of insured computer system that continues to remain broad enough to foresee the use of AI as part of their clients’ day-to-day activities,” he said.
“In a quick-paced and ever-changing market such as cyber, it will be difficult to predict even the short-term direction that insurers will take specifically on this topic. Any new regulation and claims experience will drive the need to further define and potentially exclude certain aspects of the use and development of the technology. For the time being, I would expect to see cyber insurers not exclude AI in their policies,” he added.
Rodríguez Sanz also believes cyber insurance should cover many of the risks associated with AI for corporate customers, but said there are specific risks where affirmative cover is needed.
“Our CyberRiskConnect policy, through our Gen AI endorsement, adds to that existing coverage by addressing new risks created by Gen AI, including data poisoning attacks and the use of third-party data. These risks are new and critical Gen AI-related risks,” he said.
“The endorsement also adds coverage for clients who have bought a cyber tech errors and omissions (E&O) combined policy. Some of the coverages available under this endorsement are not available under any of our other coverage or that of our competitors. For instance, the Gen AI endorsement provides poisoning coverage, which covers an attack on third-party data used to train large language models (LLM),” he said.
While there might be some overlap with other coverages, the affirmative coverage provided by AXA XL’s Gen AI endorsement should be “meaningful” to companies taking on additional risks associated with developing their own LLMs, explained Rodríguez Sanz.
“Many carriers cover violations of privacy regulations generically, but it is not clear whether AI regulations fit the definitions of ‘privacy regulations’ in coverage language. We affirmatively address the EU AI Act in the Gen AI endorsement for clients,” he said.
AXA XL’s Gen AI endorsement is designed for more sophisticated companies that are developing AI applications by training their own LLMs, explained Rodríguez Sanz.
“Currently, only the most sophisticated clients are actively training their own LLMs. Most businesses use AI products, such as ChatGPT, and securing it for employees’ use in a protected environment or sandbox. The need for this coverage is expected to grow over time as more businesses look to develop custom Gen AI solutions,” he said.
“We will continue to evolve our cyber product with technological advances that create enhanced risks for companies, as we did with the Gen AI endorsement last year,” he added.
Written by Stuart Collins
Originally published on Commercial Risk
