The Cyber Coverage Gap Is Growing. Can a Micro-Captive Close It? – PODCAST


Tax Day usually belongs to the IRS. This year, it belonged to a federal judge instead. Business owners can breathe easier using micro-captive cyber insurance to cover what their policies won’t. But AI is opening new coverage gaps just as fast.

Inside the Drake Plastics Ruling

On April 15, 2026, the U.S. District Court for the Southern District of Texas ruled against the IRS in Drake Plastics Ltd. Co. & SRA 831(b) Admin v. Internal Revenue Service. The agency had spent 2025 sorting micro-captive insurance arrangements into two boxes. The milder one, a “transaction of interest,” told business owners the IRS was watching. The harsher one, a “listed transaction,” told them they were already guilty, no individual evidence required, penalties up to $200,000 attached.

That second label is effectively an indictment with no jury. The IRS built it the way a school detains an entire class because one student was caught chewing gum. Judge Lee Rosenthal wasn’t buying it. Identifying typical features of an abusive transaction does not identify transactions that are typically abusive, she wrote, and struck the listed-transaction label.

The lighter “transaction of interest” tag survived. Both sides have appealed. SRA wants the rest of the regulation gone. The IRS wants the listed-transaction label back. A sister case in Tennessee already went the IRS’s way, a Texas case from a different plaintiff is still pending in the same circuit, and a split between circuits could put the whole question in front of the Supreme Court. Dustin Carlson, president of SRA 831(b) Admin and a named plaintiff in the case, walked through the regulatory mechanics in detail on CINI in May.

New Podcast Episode: Carlson On The Ruling and 831(b)

We asked him back to talk about it on the record. In the new episode of the Cyber Insurance News & Information Podcast, Carlson sat down with me to explain what the ruling actually changes, what’s still in legal limbo, and why a tax-court fight in Texas matters to anyone buying cyber insurance. The case is the hook. The real subject is what happens when traditional coverage won’t price a risk and a business has to fund the gap itself, the pitch behind micro-captive cyber insurance. Carlson makes the case in full. We let you decide what to make of it.


The Gap the Case Doesn’t Fix

A favorable ruling on IRS labeling doesn’t make cyber risk smaller. It just makes one financing tool easier to use without drawing an audit. The gap it’s meant to fill keeps widening from both ends.


On the buyer side, the market itself says so. Munich Re and the Insurance Information Institute’s RiskScan 2026 survey found cyber to be the top-ranked insurance risk across the US and UK, at 55 percent. Awareness isn’t the problem. NetDiligence’s claims data, cited in that same report, found firms under $2 billion in revenue filed 98 percent of the studied cyber claims. The businesses most exposed are the ones least likely to carry adequate cover, a pattern CINI first flagged back in 2024 and one that hasn’t closed since.

AI Liability Exclusions Are Widening the Gap

On the coverage side, the newest wrinkle is artificial intelligence, and it cuts in two directions that both leave buyers exposed. Willis’s Cyber Claims in Focus 2026 report, drawn from roughly 5,500 claims, found most cyber policies carry no AI exclusion at all, and concluded that’s not the same as AI coverage. A policy pays when a loss fits its definition of a covered cyber incident. Several of the likeliest AI losses, a sabotaged model that needs retraining, revenue lost to hallucination with no network outage involved, never clear that bar.

Meanwhile, a separate and newer shift is closing the door from the other side. Verisk’s ISO Core Lines unit filed three new endorsements, CG 40 47, CG 40 48, and CG 35 08, that took effect January 1, 2026, and let carriers strip generative-AI claims out of standard commercial general liability policies entirely. Gallagher’s brokers flagged the change as a shift that can create coverage gaps “that aren’t immediately obvious,” surfacing only after a claim is filed and denied. Insurers excluding AI from general liability while leaving cyber policies silent on it sounds like good news for cyber buyers. In practice, it means more disputes over which policy, if any, was supposed to respond.


The Case for Micro-Captive Cyber Insurance

This is the environment Carlson is selling into, and to his credit, he doesn’t pretend a micro-captive is a substitute for either policy. It’s really just an alternative way to finance risk with tax-deferred dollars, as he’s put it, money set aside for losses your other coverage won’t reach.

On the podcast, we trade real examples of what that looks like on the ground: a bookkeeper who was tricked into wiring a six-figure payment to a fraudulent account, the kind of loss that drains a company’s working capital long before any insurer pays out, if one pays at all. I bring my own story, an airline’s AI-generated rebooking email that quietly moved my flight without telling me, a small, almost funny illustration of how agentic AI creates liability nobody planned for. We also dig into why the claims process is slower than buyers expect, the same friction Marsh built a framework with five major carriers to address this past June.

None of it resolves the core tension. A micro-captive is Carlson’s product. The coverage gap is real regardless of who’s selling the fix for it. Hear him make the full argument, including the legislative push his industry group is taking to Congress this year, and judge the pitch against the gap yourself.

FAQ – Micro-Captive Cyber Insurance

What did the Drake Plastics ruling decide?

On April 15, 2026, a federal court in the Southern District of Texas struck down the IRS’s “listed transaction” label for the micro-captive arrangements at issue, a designation that carried penalties up to $200,000. A lighter “transaction of interest” reporting requirement survived. Both sides have appealed, and a related case is still pending in the same circuit.

What is a micro-captive, and how does it relate to cyber insurance?

A micro-captive, built under Section 831(b) of the tax code, is a small insurance company that a business owns to set aside tax-deferred funds against risks traditional carriers won’t price or won’t pay. It is not a replacement for cyber insurance. It is meant to fund losses that fall outside what a standard policy covers.

Does cyber insurance cover AI-related losses?

It depends on the loss. Willis’s 2026 claims data found that most cyber policies carry no explicit AI exclusion, but that doesn’t guarantee payment. A claim still has to fit the policy’s definition of a covered incident, and several common AI losses don’t.

What changed in general liability policies for AI in 2026?

Verisk’s ISO unit released three endorsements, CG 40 47, CG 40 48, and CG 35 08, effective January 1, 2026, that let carriers exclude generative-AI claims from standard commercial general liability policies. Brokers warn that the gaps this creates are often not obvious until a claim is denied.

Episode Transcript – This has been checked for accuracy, but confirm against the recording to be sure.
