Insurers face AI coverage gaps
- Insurance Business reports cyber coverage gaps are widening because carriers are struggling to keep policy language aligned with rapidly evolving AI risks.
- AJMC highlights hospitals and clinics as prime cyber targets, increasing liability and continuity pressure for healthcare insurers.
- As policy wording lags AI-enabled threats, underwriters and claims teams will need clearer trigger language and stronger evidence to resolve disputes.

(insurancebusinessmag.com) (ajmc.com)

Cyber insurance is supposed to be the backstop when a digital mess turns into real money loss. But AI is making that backstop fuzzier, not clearer. The basic problem is simple: companies are using generative AI, AI coding tools, AI customer bots, and AI decision systems faster than insurers are rewriting the policies that are supposed to cover the fallout. That gap is now showing up in underwriting, in claims fights, and especially in healthcare, where a cyber event can interrupt patient care as well as trigger privacy and liability costs.

### What changed?

A fresh industry warning landed this week: insurers and brokers are saying cyber coverage language is struggling to keep up with AI-related risk. The issue is not just “AI is risky.” It is that policies often still hinge on older categories like data breach, system failure, fraud, or professional error, while newer losses can involve AI hallucinations, model manipulation, deepfake-enabled social engineering, or a vendor’s AI tool causing downstream damage. When the event does not fit neatly into the old bucket, coverage gets murky.

### Why does AI make coverage murkier?

Because AI creates weird chains of causation. A human employee might approve a payment after a deepfake voice call. A chatbot might give harmful advice. A coding assistant might introduce a vulnerability that later gets exploited. An underwriting or claims model might create bias or regulatory exposure. Each of those losses touches a different insurance lane — cyber, E&O, D&O, professional liability, even crime. The fight becomes less “did harm happen?” and more “which policy, which trigger, and which exclusion applies?”

### Why are insurers nervous about wording?

Policy wording is where insurance really lives. If the language says a covered event must be a “security failure” or “privacy breach,” then an AI-caused loss may or may not qualify depending on how directly the model was attacked, how the tool was deployed, and whether a third-party system was involved. Legal commentary this week flagged a growing “AI coverage gap” as some carriers add AI-specific exclusions or tighten wording around intellectual property, privacy, and professional services. Basically, the market is trying to price a risk it still has not named cleanly.

### Why is healthcare the sharpest example?

Because healthcare gets hit from both sides. It is a prime cyber target, and the operational consequences are brutal. Hospitals, clinics, and physician practices hold sensitive data, run legacy systems, and cannot tolerate much downtime. Cybersecurity specialists in healthcare have been warning that attacks do not just expose records — they can delay care, divert staff, and disrupt treatment. The FBI’s 2025 internet crime data, highlighted by hospital groups in April, showed healthcare and public health was the top sector targeted for cyberthreats, with 460 ransomware attacks and 182 data breaches.

### Where does AI raise the stakes in healthcare insurance?

AI adds speed and scale. It can sharpen phishing, automate reconnaissance, and help criminals craft more convincing impersonation attacks. But it also expands the insured’s own exposure — think AI note-taking tools, diagnostic support, scheduling bots, claims automation, and vendor software tied into clinical workflows. If one of those systems fails or gets compromised, the loss is no longer just a data event. It can become a patient safety event, a malpractice question, a business interruption claim, and a regulatory problem all at once.

### Are regulators pushing insurers to get more specific?

Yes — and that matters. U.S. insurance regulators have been building out AI governance expectations through the NAIC’s AI work, including an AI Systems Evaluation Tool for exams and ongoing pressure for insurers to show how AI models are governed, monitored, secured, and audited. That does not solve coverage wording by itself, but it raises the bar. If insurers use AI internally while also selling policies that barely define AI-related loss, that mismatch gets harder to defend.

### So what happens next?

Expect more endorsements, more exclusions, and more attempts to separate “AI-assisted” losses from “AI-specific” ones. Underwriters will ask sharper questions about model governance, vendor dependency, and incident response. Claims teams will want better evidence showing exactly how an AI system was involved. The catch is that every extra clarification can narrow coverage unless buyers push back.

### Bottom line?

The real story is not that AI created a brand-new insurance market overnight. It is that AI is breaking the old boundaries between cyber, liability, fraud, and operational risk faster than policy language can catch up. Until insurers and buyers define those triggers more clearly, the biggest exposure may be discovering the gap only after the claim arrives.