Estimated reading time: 9 minutes
AI Risk Insurance: Can Cyber and Tech E&O Policies Keep Up with Autonomous Agents?
If you were a Replit customer and its AI agents mistakenly wiped your entire production database containing 1K+ companies and execs data, would you expect your cyber policy to cover the resulting lost revenue (BI & CBI) and costs to restore or recreate lost/damaged data, including forensic investigations? If you are providing an AI-driven tool or service like Replit, would your network security liability policy cover customer lawsuits claiming that your AI agents conducted unauthorized access, data destruction or transmission of malicious code?
Coverage Clarity Challenges in AI Risk Insurance
Would you expect your Cyber policy to indemnify you for the reputational repair and crisis response costs caused by your product’s autonomous decisions or algorithmic service delivery; or, will your bundled Tech E&O liability cover “expected” risks from autonomous agents (The Register, 2025)? Ask five carriers and brokers and you’ll likely get just as many different answers. This matters for companies selling and using AI because risk transfer is essential both for adopting AI innovation and for building societal resilience to high-impact events.
AI Risk Trajectory: Lessons from Ransomware’s Troubled History
The current trajectory in AI risk insurance reflects troubling echoes of the cyber insurance market’s encounter with ransomware over the last decade. As with the onset of ransomware, we are witnessing coverage clarity issues; inadequate measurement, modeling, and control of exposures; and price signals that are ungirded from the AI risks (Kenneally, 2025). If the demand to transfer AI risk is anything like the appetite for corresponding AI capabilities, the opportunities for insurance market expansion are immense but so are the potential pitfalls. The market for AI insurance risks stumbling into a crisis with misplaced confidence that it can be cycled out of if insurers, buyers, and policymakers resist the opportunities to learn and adapt.
AI Risk vs. Ransomware Risk: Key Similarities and Differences
The below ransomware-driven cyber insurance timeline exposes a past that might signal prologue with AI insurance. It’s early days and existing cyber insurance and Tech E&O policies are the first place to turn. These standard coverages undoubtedly price AI exposure inadequately due to limited visibility and understanding of the AI risk surface and how it will translate to loss. Key accelerants with AI risk include:
- Scale and Scope: AI risks are potentially more pervasive, spanning physical, financial, and legal categories of loss; whereas ransomware is a prominent peril within the cyber line of insurance, AI is likely broader than a cause of loss and could be a new type of insurance onto itself.
- Complexity: AI’s black-box and stochastic nature, novel failure modes (prompt injections, hallucinations), and our nascent understanding of causal dependencies and correlations in AI systems (harm can result from a series of failures between and among technical operations and users’ behaviors) make many conventional cyber risk management and actuarial techniques and understanding obsolete.
- Regulatory Activism: AI regulatory initiatives have been proactive by historical standards, but evolution of insurance wordings and evaluation frameworks lag.
- Risk Visibility, Modeling, & Management Gaps: The underwriting process is challenged by: lack of practical frameworks for evaluating AI risk and benchmarking risk control efficacy; reliance on static and generic cyber questionnaires not tailored to AI or fit for dynamic and emergent risk; limited collection of AI-specific exposure data and AI system dependencies & integrations; and technical AI underwriting expertise (Kenneally, 2025)(Swiss Re, 2024).
Market Evolution and Economics: The Story from the Data
A retrospective on the impact of ransomware risk on the cyber insurance market uncovers a cycle of surprise, overcorrection, and stabilization.
Cyber Insurance Premiums and Loss Ratios: A Troubling Trend
The statistical highlight reel shows that cyber insurance premiums doubled twice from 2017–22 (Swiss Re, 2024), but this growth masked trouble: loss ratios soared from 32% to 67%+, as ransomware attacks grew 250% (Statista, 2025), with payouts rising from $6,000 to $178,000 (NetDiligence, 2023). Insurers responded with 70%+ premium hikes, stricter terms, and coverage narrowing—especially for SMEs, where penetration remains under 15% (vs. 80% for enterprises) (Swiss Re, 2024). As attacks evolved from encryption to double extortion, claims grew more unpredictable (Gallagher Re, 2025). Despite $15.3B in global premiums, modeled catastrophic losses ($20–46B) could easily outstrip annual premium volume (Munich Re, 2025)—exposing persistent gaps in coverage wording, modeling, and reserving. The key takeaway is that by and large the industry was caught on its heels – coverage wording, exposure modeling, and reserving practices were deeply reactive to the risk innovation and mounting complexity. AI insurance may be on the very same path.
Ransomware Coverage Evolution: Is Pain a Prerequisite for AI?
The narrative arc from encryption ransomware to today’s double & hybrid extortion should be read as a warning to AI risk insurers who will undoubtedly face more complex and rapid mutations with AI risk. It’s not science fiction to imagine, for example, autonomous agentic AI risks that evolve from isolated errors in single systems to emergent, self-coordinating swarm behaviors that cause widespread, unpredictable incidents and highly correlated systemic failures.
If ransomware coverage reveals a pattern for insuring novel technical perils, it warns of volatile pricing and coverage gaps that look something like the following: cyclical phases of initially broad & shallow coverage (soft market); undisciplined underwriting that is disconnected from technical evaluation and solution; underpriced risk; systemic increases in claims frequency & severity; underwriting loss crisis; and subsequent market correction (market hardening). This latter phase is signaled by premium rises, peril sublimits and exclusions, lowered overall limits, co-insurance additions, narrowed coverage, loss control requirements, and uptick in non-renewals. Finally, the stabilization phase is signaled by plateauing of rates, standardized risk controls, more sophisticated risk models.
Progressive minds should be asking: can we avert or temper this disruptive and costly cycle with AI risk in a manner that adequately backstops organizations selling and using AI while rewarding re/insurers for shouldering its associated loss costs? The path forward is paved by loss scenario-based exposure modeling; threat-informed and continually updated policy drafting; and more collaborative risk benchmarking, claims classification, and data sharing (Gallagher Re, Munich Re). Also necessary are native coordination between insurers & brokers and AI risk solution providers & standards efforts; and a risk telemetry-for-insurance-incentives quid pro quo between policyholders/seekers and insurers. It stands to reason that as buyers develop more sophisticated knowledge of their AI risks their expectations will shift toward scenario-based, modular coverage and on-demand risk assessment, away from not static cyber-questionnaires and firmographic-dominant underwriting.
The AI Risk Insurance Parallel: Where the Lessons Lie
- Coverage Clarity
The contours of what AI risk is covered – and excludes- under Cyber/Tech E&O policies are blurry at best (Kenneally, 2025). Most offerings remain ambiguous and continue to borrow language and assert intent from traditional cyber, without real AI-specific event triggers – e.g., “AI operational failure,” regulatory exposures, or autonomous decisions gone wrong (Munich Re, 2025), liability outlines, or policyholder obligations. This gap is more consequential as regulatory mandates begin to require active risk monitoring, transparency, and accountability (Whitecase, 2025) - Exposure Measurement and Modeling
Gallagher Re and Swiss Re indicate that the biggest modeling failures stem from assuming static, single-event losses—when instead, claims evolve, bleed across coverage categories, and are shaped by new regulatory and supply-chain-realities. Conventional cyber risk modeling techniques are ill-suited for AI risk, frequency and severity data on AI risk is nascent, and plausible tail scenarios are untested. - Pricing, Reserving, and the Protection Gap
Insurers learned belatedly from ransomware: it was only after aggregate losses, claims inflation, and litigation that coverage/pricing tightened and loss ratios stabilized. Despite record cyber premium growth, penetration among SMEs remains extremely low: <15% by recent estimates, and AI-dependence threatens to deepen this protection gap (Swiss Re, 2024). The conventional “wait for losses, then rapidly reprice and restrict” playbook is not sustainable for AI, as systemic events could far outstrip both collected premium and reserving capacity.
AI Risk- What a Proactive Ransomware Redux-Avoidance Strategy Looks Like
Forward-looking insurers and brokers are embracing some/all of the following:
- Don’t assume Silent AI and Cyber Coverage ambiguity will work out well: Coverage should be scenario-based. Instead of tacking silent AI onto cyber language, underwriters should create distinct AI triggers and clarifications, especially for unique AI risks like model errors, wrongful outputs, and training data exposures.
- Get granular with Incident and Claim Modeling: Following the Gallagher Re and Swiss Re approach—segment and regularly refresh models for hybrid/future claim types, not just past ransomware events. Model claims as “complex compositions.” Adopt the practice of reserving and scenario analysis by loss type and by threat stage-anticipating that AI claims may “mutate” from nuisance to attritional or catastrophic over time.
- Industry-wide technical audits and benchmarks: Move beyond vague public-private frameworks to transparent, shared, and regularly updated industry benchmarks for AI system failures and supply chain/composite models/agentic workflow dependencies. Cross-carrier natcat modeling knowledge exchange is an approach to emulate.
- Close the SME and supply chain gap: Product and rate design should meet underserved (and high latent risk) segments where they are; create SME-targeted solutions, literacy, and proactive support.
- Regulation as lever, not just retrofit: Insurers and buyers should treat emergent regulation as active frameworks for product development and loss prevention, and not wait around for stabilization and precedent to address AI risk.
- Nix reliance on compliance questionnaires and framework checklists: Policyholders, AI risk vendors and insurers should work in concert to embrace active, technical AI risk solutions—demanding (and auditing for) dynamic threat monitoring, red-teaming, incident detection, traceability, and explainability. Cyber has seen early success with this approach, it will be even more urgent for AI insurance.
- Tie premium differentiation to real performance metrics: Premium and coverage incentives should reward demonstrable technical outputs and outcomes: attack resistance, transparency, and time-to-failure/mitigation – not merely superficial framework compliance.
- Transparent benchmarking with teeth: Incentivize periodic, published results of aggregated insurer’s claims and organization’s AI systems incidents and near-misses to raise the bar for insurability, lower the risk knowledge asymmetries, and pre-empt or mitigate systemic shocks.
Get The Cyber Insurance News Upload Delivered
Subscribe to our newsletter!
History Repeats by Design, Not Accident
The current relative stability in cyber insurance is no assurance that latent AI risks are being adequately considered. The ransomware insurance crisis was not merely a market quirk, it was the direct result of systemic underestimation, delayed technical engagement, and misplaced confidence in superficial risk assessments (Kenneally, 2021). If the current soft market in cyber perpetuates a recycling of those missteps, where novel risk is met only with policy level toggles, and insight and protection gap closure is forsaken for premium then AI risk insurance portends ransomware redux.
With AI risk, the outcome likens to be more severe, faster, and complicated. Conjoint sell side profitability and buy side protection demands scenario-specific coverage, dynamic models, meaningful industry-wide visibility & benchmarking, and embedded risk-reducing guardrails. At present, the uncertainty that pervades the economics of AI risk parallels that of AI capabilities. What’s not uncertain is that catastrophic forgetting of insurance’s history with ransomware is a recipe for catastrophic summoning of its repeat with AI risk.
The views and opinions expressed in this guest article are those of the author and do not necessarily reflect the official policy or position of Cyber Insurance News & Information