Traditional Cyber Insurance Isn’t Built For AI-Driven Attacks

When generative AI became mainstream, it unleashed not just a wave of innovation but also a faster, more formidable wave of threats.

In just a few years, artificial intelligence has transitioned from an experimental tool to an integral part of industries. It’s now driving content creation, decision-making, software development, marketing, customer service, and more. Yet for every tool that helps businesses accelerate and innovate, there’s another being exploited by malicious actors.

As AI evolves, so too does cybercrime - often outpacing the ability of businesses or insurers to respond effectively.

In fact, just last year, the FBI raised alarms about the increasing threat of cybercriminals leveraging generative AI. "As technology continues to evolve, so do cybercriminals' tactics," said FBI Special Agent in Charge Robert Tripp. "Attackers are leveraging AI to craft highly convincing voice or video messages and emails to enable fraud schemes against individuals and businesses alike. These sophisticated tactics can result in devastating financial losses, reputational damage, and compromise of sensitive data."

This rapid evolution has created a growing gap between the cyber risks companies face and the coverage they depend on. Traditional cyber insurance, still built around the risks of stolen laptops, network intrusions, and phishing scams, is increasingly ill-equipped to address the emerging complexities of AI-driven threats.

The Policy That Wasn’t Written for AI

The challenge with generative AI isn’t just that it creates new types of risk. It blurs the boundaries of existing ones.

Deepfake videos and voice cloning are being used to impersonate executives, trick employees, and drain company funds. AI-written phishing emails are more convincing than ever. Chatbots and large language models can be manipulated to give out confidential information or perform unintended actions. None of these fit neatly into the definitions of “hacks” or “data breaches” that traditional cyber insurance is built around.

In fact, many of the most high-profile AI-driven attacks wouldn’t be covered under a typical cyber policy. 

  • Social engineering attacks, for example, are often only partially covered, with sublimits that don’t reflect the financial severity of modern fraud campaigns.
  • Deepfakes and synthetic media fall into gray areas that blur cybercrime and impersonation—and are increasingly excluded as insurers update policy language.
  • Third-party tool failures, a growing concern in AI implementation, are frequently excluded under the theory that clients must rely on their vendor’s insurance, even if their own brand takes the reputational or financial hit.
  • Content-related liabilities, including defamation, intellectual property infringement or regulatory action tied to AI-generated content, often fall outside the scope of traditional cyber coverage.

This isn’t necessarily an oversight. It’s a reflection of a market built around known quantities: breaches, malware, ransomware, and denial-of-service attacks. But AI introduces new kinds of ambiguity—and underwriters don’t like ambiguity. It’s difficult to model, harder to price, and impossible to predict with confidence.

The Speed Of Innovation, The Slowness of Coverage

Traditional insurance carriers are structured to respond to historical loss data. They model risk based on past claims. But what happens when the most dangerous risks haven’t happened yet?

Generative AI is constantly evolving. New applications emerge daily, and with them, new vulnerabilities. Businesses are being urged to “move fast and innovate,” but insurance, by its nature, moves slowly and underwrites conservatively. That leaves a widening gap between the threats companies face and the policies that are supposed to protect them.

Some carriers are responding by pulling back. Many are introducing new exclusions tied to AI. Others are raising premiums, adding cybercrime sublimits, or limiting coverage for social engineering altogether. The trend is clear: as uncertainty rises, coverage narrows.

The impact? Businesses are left holding the bag when AI-enabled attacks succeed - and many don’t realize the gaps until it’s too late.

Case In Point: A Deepfake-Fueled Heist

One recent high-profile example of AI-driven fraud involved Ubisoft, the French video game giant. Hong Kong police reported that a finance employee was tricked into transferring over $25 million to fraudsters using deepfake technology. The criminals impersonated Ubisoft’s CFO in a video conference call, with deepfake recreations of several staff members who appeared entirely real.

Initially, the employee was suspicious after receiving an email that seemed to come from the CFO, requesting a confidential transaction. However, after joining the video call and seeing individuals he believed were colleagues, his doubts faded. The deepfake recreations were convincing, leading the employee to authorize the $25.6 million transfer. It wasn’t until later, after checking with the company’s head office, that he realized the fraud.

This incident, reported by CNN, underscores the growing threat of AI-powered cybercrime. As deepfake technology becomes more advanced, fraudsters can exploit AI to impersonate trusted figures within organizations, bypassing traditional security measures and causing significant financial harm. The Ubisoft case demonstrates the urgent need for businesses to adapt to the evolving cyber risk landscape, as traditional insurance frameworks struggle to cover these new threats.

Coverage Gaps That Hurt

Beyond direct losses, generative AI introduces secondary risks that traditional cyber insurance largely ignores.

These include:

  • Reputational fallout from misinformation or fake content attributed to a company.
  • Regulatory scrutiny related to biased or noncompliant AI outputs.
  • Contractual liability when AI errors violate terms with clients or partners.
  • Legal claims stemming from AI-generated content that causes real-world harm or spreads false information.
  • Errors and omissions when business decisions based on AI advice result in financial losses.

Each of these exposures can be financially damaging—and none are reliably covered under standard cyber policies.

The most frustrating part? Many companies believe they’re protected. Cyber insurance is often seen as a catch-all solution for anything digital. But in the AI era, that’s a dangerous assumption.

Why Risk Strategies Must Evolve

None of this means cyber insurance is obsolete. It’s still a critical piece of any company’s risk management program. But it’s increasingly clear that it’s not the only piece needed—and for businesses relying heavily on AI, it may not even be the right foundation.

That’s why many risk managers are rethinking how they approach coverage. Some are pushing for manuscript policies that reflect the realities of today’s threat landscape. Others are layering coverage - purchasing excess or difference-in-conditions (DIC) policies to fill in known exclusions. And a growing number are turning to alternative risk financing tools, like captive insurance, to gain more control and flexibility.

Captives allow organizations to underwrite risk on their own terms. That means covering exposures that are uninsurable in the traditional market, like AI-specific liability, third-party tool failure, or reputation-related loss. It also means collecting more granular data on threats, tailoring loss prevention strategies and recapturing underwriting profit over time.

Importantly, this isn’t about replacing traditional insurance - it’s about augmenting it. AI isn’t just another category of cybercrime. It’s a new paradigm. And it demands a new way of thinking about risk.

A Call for Smarter Risk Conversations

Business leaders can’t afford to treat insurance as a checkbox. In a landscape where cybercriminals are armed with increasingly sophisticated tools, and insurers are backing away from ambiguity, risk strategy must be as dynamic as the threats themselves.

That starts with asking better questions:

  • Does your cyber policy explicitly cover AI-related incidents?
  • Are there exclusions for synthetic media, impersonation or social engineering?
  • How are third-party tools and automation vendors factored into your coverage?
  • What’s your exposure to content liability stemming from AI-generated outputs?
  • And perhaps most critically: what happens when your insurance doesn’t respond?

Answering these questions won’t solve the problem—but it will expose the gaps. And in today’s risk climate, knowing where you’re vulnerable is the first step to building something stronger.

Because when the next attack comes - and it will - it may not look like anything you’ve seen before. And if your insurance program is still designed to respond to yesterday’s threats, you’ll be paying tomorrow’s damages out of pocket.

Randy Sadler is Principal at CIC Services.

Image: Mininyx Doodle
