Will today's insurance policies cover tomorrow's AI risk?

We are in the early stages of a technological revolution driven by advances in artificial intelligence. Over the next few years, AI systems are expected to take over activities currently performed by humans in fields such as computer coding, content creation, medical diagnosis, accounting and more. As this technology becomes pervasive, it will inevitably give rise to claims for losses caused by faulty output, algorithmic bias, technical breakdowns or other AI failures.

The insurance industry is watching these developments closely. It faces the critical question of whether losses caused by artificial intelligence will be covered under existing insurance policies or whether new forms of insurance will be needed. There are two schools of thought. Some industry analysts believe that AI technology, given its transformative nature, will create entirely new categories of risk that will require new forms of insurance. Since most existing policies do not mention AI risks, this group expects insurers to take the position that such risks were not intended to be covered. 

Other commentators view AI as a technological advance that will enable companies to perform, with greater efficiency, essentially the same functions they perform today. This group argues that existing insurance policies cover companies for losses arising from their business operations, and in the absence of an exclusion, coverage should remain available where the operations incorporate AI technology.

A wait-and-see approach

At present, the insurance industry appears to be taking a wait-and-see approach. Some efforts are underway to develop new policy forms to address AI-related risks, although these policies have not yet gained market traction. With respect to cyber insurance policies, a handful of insurers have added terms to specifically cover claims arising from AI-generated content, while a few others have added exclusions to bar coverage for such claims. But most insurers have not yet modified their policies to account for AI risk.

How can we assess whether existing cyber policies will be adequate to cover risks created by artificial intelligence?  Insurance policies are contracts that are interpreted in accordance with their express terms, so the starting point for any discussion should be the language of the policies themselves.

Assessing policy terms

As a general matter, cyber policies cover defined types of losses caused by certain specified trigger events. There are two overarching requirements for coverage: The event must occur during the policy period and must involve the computer network of the policyholder or its service provider. The trigger events -- which are described in detailed definitions -- typically include (i) a data breach or ransomware attack, (ii) a network shutdown and (iii) civil or regulatory claims for unauthorized disclosure of data or violation of data privacy laws. Notably, these key definitions make no distinction between a trigger event caused by humans and one caused by autonomous agents or systems.

Many cyber policies also offer a form of professional liability coverage, which will be particularly important for developers of AI technology. This coverage applies to claims against the policyholder for the failure of its products, services or software. Again, there is no policy language limiting this coverage to claims based on human conduct. And, with very limited exceptions, cyber policies do not contain exclusions barring coverage for claims arising from AI technology.

All this suggests that current cyber policies should be adequate to cover many emerging AI risks. Examples can illustrate the point. Many threat detection systems incorporate AI features to identify attacks and launch defensive measures. If an AI system fails to detect an attack, allowing a data breach to occur, the resulting breach response costs should be covered under the language of current cyber policies. Similarly, if a vendor is sued for errors in installing AI-based software, the claim should be insured under a cyber policy's professional liability coverage. There is no reason why coverage would be lost simply because the claim concerns AI technology.

If one searches hard enough, you can find certain cyber policy provisions that may preclude coverage for specific AI risks. One example can be found in System Failure coverage, which insures losses incurred during a network shutdown due to non-malicious causes. Some policies limit this coverage to shutdowns caused by "human error," which could preclude coverage for shutdowns caused by malfunctioning AI. But this exception helps prove the rule, because it is the rare provision that makes coverage dependent on action by humans as opposed to machines.

An uncertain future

To be sure, there are categories of claims arising from AI technology that fall outside the scope of today's cyber policies, including many regulatory and copyright claims. But under most cyber policies, if a claim or loss is otherwise covered, there is nothing in the policy language that would eliminate coverage where the cause or consequence of the loss involves artificial intelligence.

It remains to be seen how cyber insurers will respond to AI-related losses. To date, there have been very few reported insurance claims involving AI risks.

But lessons can be drawn from the recent past. Roughly 20 years ago, as expanding use of the internet was transforming global commerce, there was an explosion of insurance claims involving the theft or loss of electronic data. Most companies at the time did not have cyber insurance and therefore sought coverage under provisions in traditional insurance policies that appeared to cover the losses. The strong pushback from insurers provides a cautionary tale for how AI-related claims are likely to be handled. We will explore this history and its lessons in our next column.