It is rare for any insurance conference this year to avoid talk about AI, and this is especially true within the cyber market.
NetDiligence’s recent cyber summit in San Diego featured two panels devoted to AI, underlining the level of interest in the topic.
During one of these sessions, John Farley, leader of the cyber liability practice at Gallagher, noted that numerous different policies could be exposed to potential AI-related losses.
As an example, he said that a company using AI for recruitment could unwittingly discriminate against certain demographics, leading to potential employment practices liability (EPL) payouts. Or a healthcare provider using AI to provide medical advice to a patient could have medical malpractice exposure.
“I'm starting to think about all the policies that are out there today, and whether or not they would respond to something like that. We may have what's called our next silent cyber. That's the way I describe it. It's not excluded but that underwriter for that EPL policy wasn't really anticipating the mass exposure they have now with AI,” he said.
Could a standalone AI product emerge?
On the same panel, Nick Graf, vice president of cyber risk control at CNA Insurance, said that AI is the “new hot topic”.
“I think there's no doubt that multiple policies are going to be impacted. You’ve got to understand that cyber attack [exposure] from AI. But like John had mentioned, EPL, product liability, med mal, all that is likely going to be pulled into this as well,” Graf said.
“I'm sure as of today, there likely is silent cyber coverage in these policies. Of course our underwriters take that into account, but maybe to varying degrees,” he added.
The panellists noted that claims have not come in yet related to generative AI. Gallagher’s Farley said that until there are losses there is unlikely to be a lot of changes around underwriting specific to AI.
But when losses do emerge, carriers will have to decide whether or not they want to underwrite the risk.
“Once [the claims] hit these traditional lines of coverage, they're going to have to decide whether or not they want to underwrite to it. Are they confident? Then they're going to make decisions on whether or not they are going to cover that kind of loss or exclude it and put it somewhere else,” Farley said.
He added: “Maybe it's going to be the standalone AI type policy that is all encompassing. You will have to pay a lot of money for that but, who knows, that’s maybe where this market may go.”
Graf at CNA said that it will be important in potential claims to determine when the human gets involved in the decision-making process. He noted that numerous examples of AI providing false information have already surfaced.
He said that underwriters are probably not “weaving AI questions into applications” now.
“I’ve heard rumblings that a lot of carriers are looking at and working on supplements,” he said. “But I think we need to distinguish between the companies that are developing this technology versus the companies that are deploying this technology into their business processes.”
Regulatory risk already here
In an interview with Cyber Risk Insurer on the sidelines of the NetDiligence event, Farley elaborated on his views on AI.
“We really haven't seen a massive amount of claims yet, and yet is the key word,” he said.
“What's really interesting about exposure to AI is that you have a regulatory risk that's sort of already here in the sense that there are 17 states that have introduced legislation around AI usage, and that will apply to both the AI providers and the users with AI,” he continued.
Farley noted that an AI act has also already been passed by the EU, and at the federal level in the US the Federal Trade Commission has been discussing the issue.
He said the overarching theme of the regulation so far is around transparency and accountability.
“It's interesting that the regulation is almost here before the claims are,” he said. “And that's not what we've seen in the past, where we've had the claims and then they were followed by the regulation maybe two or three years later. Here, it's the opposite.
“I almost feel that regulatory risk has risen before the claims have manifested, which is a very interesting scenario. So we're advising our clients to pay close attention to state, federal and international regulations around AI as they adopt AI.”
On a different panel discussion at the NetDiligence event, Jennifer Beckage, managing partner at data security and privacy law firm The Beckage Firm, said that a lot of her clients are asking how their use of third parties that have AI will be covered under their policies.
“Well, it might fall under your cyber insurance, it might fall under the tech E&O, it might be under D&O, it could be under your malpractice,” she said. “So depending on how the technology is used I think a lot of different policies could potentially be triggered.”
Beckage noted that there are multiple jurisdictions and no alignment on terms.
“And by the way, this is all happening when in the last couple of years we have all of these new privacy laws. So we have organisations that have data security terms and now we have data privacy terms. Some of those don't fully align.
“Now we have artificial intelligence terms, so coming up with a nomenclature and a language that we could all agree to would be a dream, and people would have much lower legal costs as well,” she said.
Cyber exposures amplified by AI
Talking to Cyber Risk Insurer at the RIMS RISKWORLD event in early May, Meredith Schnur, US and Canada cyber practice leader at Marsh, said that AI presents both challenges and opportunities for the cyber market.
“It's not new. I think when people start to think about what are new exposures because of AI is when they get bogged down with, ‘I don't know’ or ‘I can't figure that out’. I don't think of it that way. I think about AI as just an amplifier of current loss that we have,” she said.
Schnur continued: “It’s enacted in a different way, but the exposure is already there. Just think of deepfakes – the exposure is there today but now it's just amplified because it's on a different level, AI makes it much more sophisticated.”
At the same time, however, AI can be used for more sophisticated defences against attacks, she said. This means that companies will not just be on the negative end of AI.
“So I view it as amplifying current exposures that exist across the board, including in cybersecurity, and then just being able to react to those in a resilient manner,” she said.
Schnur commented that AI heightens the need for more cyber insurance capacity even further.
“We're going to need more capacity in the market for those amplified risks,” she said. “It is correlated in my mind to the increase in interest in the ILS market.”
For continued access to market leading content click here to enquire about a subscription to The Insurer - your company may already have a corporate subscription in place…
Scan here to download the app