Most cyber policies carry no AI exclusion. New Willis claims data shows they still leave some of the likeliest AI losses uncovered. AI-related threats demand a deeper look at what is covered.
An attacker poisons your AI model. You spend millions rebuilding it. Then your cyber insurer declines the claim.
That gap sits at the heart of new analysis from Willis. The broker’s Cyber Claims in Focus 2026 report studies around 5,500 claims from more than 95 countries. It covers losses from 2013 to January 2026 and about $1 billion in insurer payments. It follows last year’s finding that executives underestimate cyberattack costs.
The report headline reassures. Insurance covers more than 95% of the average data breach loss and 90% of the average first-party loss. The detail on AI does not.
No AI Exclusion Does Not Mean AI Cover
Willis finds AI is not yet a stand-alone driver of cyber claims. Instead, it amplifies threats that already exist. The technology is scaling up ransomware, deepfake phishing, and social engineering. Attackers move faster and reach further than before.
The surprise is what comes next. Willis says current cyber policies rarely separate AI-enabled events from ordinary ones.
“Current cyber policies don’t tend to distinguish between AI-enabled and non-AI-enabled events and typically don’t feature AI exclusions.”
So the problem is not exclusion. The problem is fit. A cyber policy pays when an event meets the definition of a covered cyber incident. Several AI losses never clear that bar.
Where AI Cyber Insurance Coverage Gaps Appear
Willis names three. The first is the cost of retraining or restoring a machine learning model after sabotage or malfunction. The second is revenue lost to hallucination or data drift when no covered network outage occurs. Hallucination is when a system invents something. Data drift is when its performance decays on stale data. The third is regulatory action for breaching AI law.
None of these needs a hacker breaking in. That is exactly why they slip through. Your policy waits for a network event that may never come.
Look Beyond Your Cyber Policy
The fix is to stop treating cyber as the whole answer. For AI-related threats, Willis points buyers toward their wider insurance portfolio. Professional liability and technology errors and omissions can respond to performance failures. Directors’ and officers’ cover can answer governance or disclosure claims. Crime policies can catch fraud and impersonation.
The broker also urges quantification. Its instruction to buyers is blunt.
“Review your cyber and wider insurance policies for overlaps and gaps of the most damaging, malicious, and non-malicious AI-related loss scenarios.”
Map those scenarios against every relevant policy. Then close the gaps before a loss exposes them.
What This Means for Risk Managers
The wider claims picture sharpens the point. Ransomware remains the costliest category in the dataset. The average event runs 25 days and costs $5.3 million. The largest single loss now tops $500 million. Average ransom demands reached $3.8 million against actual payments of $1.5 million, according to the report’s launch announcement.
AI threads through all of it. It makes the phishing email sharper, and the fraud call more convincing. The losses still land inside familiar categories, so they mostly get paid. The danger is the new loss that has no category yet.
Peter Foster, chairman of global FINEX cyber at Willis, framed the buyer’s task plainly.
“Cyber insurance cover varies widely, which is why organizations must understand what they have.”
For risk managers, the takeaway is uncomfortable but useful. The absence of an AI exclusion is not the same as the presence of AI cover. Read the policy for what it pays, not for what it bans.
FAQ – AI Cyber Insurance Coverage Gaps
Sometimes. Willis says a cyber policy responds only when an AI event creates a covered cyber incident. Many AI losses never meet that test.
Usually not. Willis reports that current policies rarely distinguish AI-enabled events from other events and typically carry no AI exclusion. The gaps come from definitions, not exclusions.
Three stand out. Retraining a sabotaged or broken machine learning model. Revenue lost to hallucination or data drift with no network outage. Regulatory action under AI law.
Willis points to professional liability and technology errors and omissions, directors’ and officers’ cover, and crime policies for fraud and impersonation.