The rapid evolution of artificial intelligence (AI) technology has introduced a range of sophisticated cyber threats that challenge the adequacy of existing cyber insurance policies. This article aims to summarize the types of new AI-related cyber exposures, provide examples of each, highlight what is not currently included in existing cyber coverages or where coverage is silent, and suggest explicit coverages that should be considered. By doing so, we aim to shed light on the need for comprehensive and adaptive cyber insurance solutions tailored to the unique risks posed by AI-driven systems.
Notable AI-powered events since 2022
To illustrate the growing need for specialized AI cybersecurity insurance, consider the following significant events that have occurred since 2022, which highlight the vulnerabilities and risks associated with AI-driven technologies:
- In 2022, a major financial institution experienced a data breach due to an AI-powered phishing attack, resulting in significant financial losses and reputational damage.
- A well-known social media platform faced a massive misinformation campaign in 2023, orchestrated through AI-generated deepfake videos and automated bots, which manipulated public opinion and caused widespread concern.
- In early 2024, a healthcare provider's AI system was compromised by a sophisticated adversarial attack, leading to incorrect medical diagnoses and treatment plans, ultimately affecting patient safety and trust.
- In 2023, a leading e-commerce company suffered a data poisoning incident where malicious actors injected false data into their recommendation system, leading to incorrect product suggestions and loss of customer confidence.
- A prominent cloud service provider encountered unauthorized surveillance activities in 2022, where their AIaaS platform was exploited to conduct extensive and illicit monitoring of users, raising severe privacy concerns.
Looking to the future, some predict quantum computing technology could undermine encryption protocols that governments and corporations have relied on for decades, and the fear exists that coupling quantum computing with AI could supercharge a new wave of cyberattacks.
By examining these AI-related cyber events and explicitly addressing the gaps in current coverage, insurers can contemplate comprehensive policies that protect against emerging AI risks. As AI continues to advance, ongoing collaboration between insurers, AI experts and policymakers will be essential to ensure robust and adaptive cyber insurance solutions. Below, we provide a preliminary view on the way we might categorize the nature of new AI-related cyber exposures.
The nature of new AI-related cyber incidents
As AI technology integrates into various sectors, it spurs a range of unique cyber exposures. Among these, AI-powered phishing attacks are on the rise. Imagine a scenario where AI analyzes vast amounts of data to craft highly personalized phishing messages. These sophisticated attacks are nearly indistinguishable from genuine communications, making them difficult to detect and leading to significant business interruption and data breaches.
In another instance, autonomous systems like self-driving cars and drones become targets for cyberattacks. Picture multiple autonomous vehicles suddenly malfunctioning due to a hack, causing collisions and raising alarms over the safety of AI-driven technologies. These events highlight the vulnerabilities within the algorithms that control these systems, resulting in physical harm, data theft and operational disruptions.
Adversarial attacks on AI models present yet another threat. Visualize a scenario where attackers manipulate input data to deceive AI models, causing them to make incorrect decisions. This could compromise the integrity of critical applications, such as fraud detection systems and medical diagnosis tools, leading to dire consequences.
Consider also the case of data poisoning, where malicious actors inject harmful data into AI training datasets. This corrupts the models, leading to erroneous predictions or decisions. The reliability of AI systems becomes jeopardized, causing widespread concern and mistrust.
Furthermore, the rise of AI-as-a-Service (AIaaS) platforms introduces new avenues for exploitation. Envision attackers misusing these services to automate cyberattacks, spread misinformation or conduct unauthorized surveillance. To say the misuse of AI technologies presents a daunting cybersecurity challenge would be an understatement.
Existing cyber insurance coverage considerations
Current cyber insurance policies offer coverage for a wide array of cyber risks. Given that an abundance of problematic exclusions for losses arising out of AI has not yet been observed in the marketplace, cyber policies could respond if a privacy breach or security failure arises through the use of AI. However, these same policies could fall short when it comes to the full spectrum of losses that may result from ineffective use of AI models or non-compliance with AI regulations. Coverage for phishing attacks under cyber policies, for example, typically includes losses that result in data breaches or business interruption. At the same time, given the potential power of cyberattacks supported by AI and quantum computing, a re-evaluation of the adequacy of cyber limits should be considered.
When it comes to losses arising from system failures, cyber policies may cover losses arising from any unintentional or unplanned outage or an administrative error committed by an insured. However, this trigger may not be sufficient for losses that arise from failure of an AI model to perform as intended or expected. In addition, off-the-shelf cyber policies usually do not cover certain ensuing losses, such as property damage or bodily injury, that arise from cyber incidents. Compounding the problem, expansive cyber exclusions have been added to other property and casualty policies. Therefore, the unique risks associated with AI-driven systems may necessitate specialized endorsements or standalone policies to provide more affirmative coverage for ensuing property damage and bodily injury losses that arise from cyber, technology and AI incidents. Even if these policies don’t include AI exclusions, Willis will be closely monitoring how property and casualty policies respond to these future losses.
Adversarial attacks on AI models create an additional grey area for coverage. Off-the-shelf policies do not cover the costs of model retraining, data validation, incident response or potential litigation stemming from compromised AI integrity that doesn’t necessarily relate to a security failure or privacy breach. Negotiating extensions for betterment coverage where possible is therefore recommended. Data poisoning incidents, often not explicitly covered, require provisions for identifying and removing malicious data, retraining AI models and compensating affected parties. Lastly, the misuse of AIaaS platforms could cause other types of losses not contemplated by an off-the-shelf cyber policy. Coverage for such events should encompass losses from automated cyberattacks, misinformation campaigns leveraging AI and unauthorized surveillance breaches.
In all cases, companies should engage their broker or insurance experts to conduct a robust gap analysis on all of these potential exposures.
Proposed new coverages for AI-related events
Gaps or grey areas with coverage represent opportunities to further protect our clients. To address these issues in existing cyber insurance policies, consideration should be given to the development of new coverages that cater specifically to AI-related cyber events. These may include:





