Richik Sarkar

Insurance Strategies to Mitigate AI and Cyber Risks

December 9, 2024
Business Law Today

In an era of increasing data breaches and cyberattacks, businesses face mounting risks that can lead to financial, reputational, and operational damage. The cost of a data breach reached an average of $4.88 million in 2024, a 10 percent increase from the previous year. And with companies increasingly relying on artificial intelligence (AI) for decision-making and operations, they must navigate additional risks and legal challenges as AI’s transformative power introduces opportunities and significant exposures.

In this context, cyber insurance is a comforting safety net, helping businesses manage and mitigate the impact of cybersecurity incidents, including those driven by AI technology. AI’s evolving landscape also creates new challenges, such as algorithmic biases, unpredictable outputs, and the potential for “black box errors”—AI errors with unclear causes—that may result in uninsured exposure if not properly accounted for in insurance policies. Knowing that such a safety net exists can provide a sense of reassurance in the face of these evolving risks.

Even with strong cybersecurity, systems can be breached. Cyber insurance can help cover costs from data breaches, ransomware, and AI risks, though AI-specific coverage is still developing. Many policies offer some AI protection, but specialized coverage for algorithmic bias, large language model (LLM) hallucinations, and regulatory issues is emerging, often with broader protection than traditional policies.

However, expect high premiums and low limits, much like early cyber insurance. Insurers may also exclude losses from intentional AI misuse, standard software failures, and breaches not covered in existing policies. Exclusions for noncompliance with data privacy laws may also appear as regulations evolve.

Given the increasingly sophisticated nature of cyber and AI-related threats, the importance of cyber insurance cannot be overstated. AI creates unique vulnerabilities, from algorithmic decision-making errors to data privacy violations. Without adequate cyber insurance, businesses risk financial devastation and legal exposure in the event of AI system malfunctions or cybersecurity breaches.

Types of Cyber Insurance Coverage

Insurance policies generally provide two categories of coverage: first-party and third-party. With AI becoming integral to business processes, understanding these coverage types and how they apply to AI-specific risks is essential for selecting the right policies.

First-Party Coverage

First-party coverage addresses direct financial losses from a cyberattack or AI-related incident. An AI-related incident includes malfunctions, errors, or unforeseen consequences from AI systems, such as algorithmic biases, black box errors, security breaches, or data mishandling. As AI becomes integral to operations, these risks increase and may fall outside traditional insurance policies. First-party coverage often focuses on intangible losses like data breaches and cyber extortion and offers specialized services such as breach response and reputation management. Critical areas of coverage include:

  • Data recovery: Covers the cost of recovering lost or compromised data after a cyber or AI-related incident.

  • Business interruption: Provides compensation for income lost due to a cyber event, such as a malfunctioning AI system that disrupts business operations.

  • Cyber extortion: Covers payments made in response to ransomware or AI-related extortion schemes.

  • Reputational harm: Addresses costs related to damage to your company’s reputation following a cyber or AI-related incident.

  • Notification costs: Pays for notifying affected individuals, clients, and regulators about a data breach or AI system failure.

  • Regulatory fines: Provides coverage for penalties imposed by regulatory bodies for noncompliance with data protection and AI-related laws.

Third-Party Coverage

Third-party coverage focuses on liabilities your business might face from external parties due to a cyber or AI-related incident. Areas it covers include:

  • Liability from data breaches: Protects against claims from customers or clients whose personal data was compromised by a security breach or AI malfunction that exposes data.

  • Network security failures: Provides coverage for claims arising from network security failures, including AI-related security failures, such as unauthorized access or data loss.

  • Privacy violations: Covers legal actions related to violations of privacy laws caused by mishandling sensitive data, including sensitive data mishandled in connection with AI systems.

The Cyber Insurance Procurement Process

Due to AI developments, securing the right cyber insurance policy has become more complex. Businesses must adopt a comprehensive approach that ensures their insurance policies cover both traditional cybersecurity threats and emerging AI-related liabilities.

Step 1: Assess Cybersecurity and AI Risks

Before pursuing a cyber insurance policy, conducting a thorough risk assessment, particularly concerning AI usage, is essential. The assessment identifies vulnerabilities in your information systems, AI systems, and data protection strategies, so that your business is prepared for both AI-related and traditional cyber threats before it approaches the market.

Step 2: Gather Information

Underwriters require detailed information about your business’s cybersecurity and AI protocols. Be prepared to provide details on the following:

  • existing cybersecurity and AI governance policies

  • security measures, such as multi-factor authentication and data encryption, as well as monitoring of AI systems

  • incident response plans that account for AI-related failures

  • records of employee training on both cybersecurity and AI risk management

Step 3: Compare Policies

When comparing policies, consider both traditional and AI-related risks. Key factors include:

  • Coverage limits: Ensure the policies provide adequate coverage for AI-related incidents, including algorithmic errors and business interruptions caused by AI.

  • Exclusions: Be mindful of exclusions related to AI, such as liability for black box errors, biased algorithms, or failures caused by poorly trained AI models.

Step 4: Negotiate Terms

Negotiating AI-specific terms is crucial to ensure your policy provides the necessary protection. Areas to negotiate include:

  • extending coverage to include AI-driven business interruption losses

  • ensuring the inclusion of legal costs related to AI-generated data breaches and privacy violations

  • clarifying what constitutes an “AI-related event” in the policy

Step 5: Understand Policy Exclusions and Limitations

With the rapid adoption of AI, businesses should pay particular attention to policy exclusions related to AI use. Standard exclusions might include:

  • Black box errors: Many policies exclude coverage for AI decisions that cannot be explained or justified.

  • Acts of war or terrorism: Some policies exclude cyberattacks involving AI systems attributed to state actors or terrorist organizations.

  • Preexisting conditions: Coverage may be denied for vulnerabilities or issues that existed before the policy’s inception.

Step 6: Regularly Review and Update Your Policy

Regularly reviewing and updating your business insurance policies as cyber risks and AI technology evolve ensures that your coverage remains adequate to address new AI-related dangers and vulnerabilities. AI systems are continuously improving; your insurance must keep pace with these changes.

Best Practices for Managing AI-Related Cybersecurity Risks

AI introduces significant new risks, from algorithmic biases to unforeseen system failures. However, strong governance and cybersecurity measures can minimize the likelihood of AI-related incidents. Here are several best practices to mitigate AI risks and improve cybersecurity posture:

  • Develop and implement a written information security program (WISP): Ensure your business has a comprehensive security program in place, as required by various regulatory frameworks, including the Gramm-Leach-Bliley Act and the Federal Trade Commission Red Flags Rule.

  • Implement strong governance and oversight policies for AI: Ensure your organization generally has a comprehensive AI risk management policy that includes regular risk assessments and mitigation strategies; in some instances AI policies specific to cybersecurity issues may be appropriate.

  • Implement strong access controls for data: Restrict access to sensitive data and ensure multifactor authentication is used to mitigate unauthorized access.

  • Monitor systems continuously: Continuous monitoring is essential to ensure cyber and AI systems function as designed and meet performance expectations.

  • Conduct regular cybersecurity audits: Regular audits of your systems and third-party vendors will help identify vulnerabilities before they are exploited.

  • Train employees on risk: Regularly educate employees on cybersecurity and AI-related risks, ensuring they have a sufficient understanding of how AI works and the potential vulnerabilities it introduces.

  • Test incident response plans: AI-driven incidents can be more complex than traditional cyberattacks. Regularly test your WISP and incident response plans to address traditional cyber threats and AI-specific failures.

Cyber insurance is crucial for managing the fallout of cyberattacks, but with the rise of AI, all businesses must understand their insurance coverage and how it mitigates cyber and AI-specific risks. Businesses should consider AI-specific coverage, regularly review risk management and regulatory guidance for their industry, especially guidance issued by regulators, and prepare for policy renewals by documenting their AI strategies, uses, and compliance measures. Understanding AI technology and clearly articulating risk management is crucial in insurance negotiations. Thorough risk assessments, strong AI governance, and regular policy updates will mitigate cyber and AI risks in our complex digital world.