Evolving Cyber Coverage: AI Threats, Policy Exclusions, and Recovery

In the IRMI webinar, "2025's Cyber Insurance Trends: Stay Ahead of the Curve," speakers Richard S. Betterley, president of Betterley Risk Consultants, and Jes Alexander, senior research analyst at IRMI, examined how cyber insurance is adapting to emerging risks in artificial intelligence, coverage exclusions, and policy design.  

A central theme was the accelerating role of artificial intelligence (AI) in cyber incidents. Mr. Alexander explained that generative AI has increased the sophistication and frequency of social engineering attacks, including deepfakes that convincingly impersonate executives to authorize fraudulent transactions. "Now, if you call your CEO to verify a wire transfer, you may be met with a deepfake saying, 'Yes, please transfer that,'" he said. This shift challenges longstanding verification practices and underscores the limitations of traditional safeguards. 

Despite these developments, most insurers have not updated their policies to directly address AI. When surveyed, few insurers reported incorporating AI-specific definitions, exclusions, or coverage grants. "A majority of insurers are simply keeping an eye on AI rather than directly modifying coverage," said Mr. Alexander. Only a small number have affirmatively included AI in definitions of covered security events, and it remains unclear whether such language will materially impact coverage. 

Defining artificial intelligence within policy language is itself proving difficult. Mr. Alexander shared an example of a cyber policy that defined "generative artificial intelligence" by referencing the use of "any artificial intelligence application"—without defining the term "artificial intelligence." He noted that this circular drafting could lead to disputes over interpretation and coverage in the event of a claim. 

The presenters also addressed the expanding intersection between cyber events and physical damage. Traditionally, cyber policies exclude bodily injury and property damage, reserving those exposures for general liability or property programs. However, Mr. Betterley cited recent incidents in which cyberattacks caused operational failures at more than 500 industrial sites worldwide, with losses ranging from $10 million to $100 million. "The boundary between digital harm and physical harm continues to shrink," he said. While some insurers offer contingent coverage on a difference-in-conditions basis, adoption remains limited—raising questions about how captives and other insureds will close this gap. 

Another pressing issue is the evolution of war exclusions in cyber policies. Following the New Jersey Supreme Court's ruling in Merck v. ACE American Insurance Company, which limited the scope of a traditional war exclusion, Lloyd's introduced four model clauses for cyber insurers. One of these clauses excludes all coverage for state-sponsored cyberattacks. "A very broad exclusion [is] going to swallow a lot of coverage," warned Mr. Betterley. He advised insureds and brokers to push for clear attribution standards and meaningful carve-backs at renewal to preserve protection against nation-state threats.

The discussion also explored the emergence of cyber insurance products that integrate advanced technology services into the core of their offering—what Mr. Betterley referred to as "tech-forward" policies. These offerings go beyond traditional value-added risk management services, incorporating tools such as exposure analytics, automated scans of IP addresses, and active threat mitigation.

"The technology capabilities of the product are critical," Mr. Betterley explained, emphasizing that these features are not simply supplemental but central to the insured's risk management strategy. Of the five tech-forward product providers, so far, only one—Corvus—has been acquired by a traditional insurer, having been purchased by Travelers. Mr. Betterley noted he had expected more consolidation in this space, given the model's strong reception among buyers. 

Coverage for intellectual property loss due to cyber breaches was another area flagged for improvement. Mr. Betterley explained that while most cyber policies focus on privacy violations or operational disruption, they do not consistently address the theft of proprietary business data. For innovation-driven organizations, this exposure is material. "Insurers seem to be of very different opinions on whether that's a coverage they're willing to offer," he said. 

In discussing insurers' ability to recover losses from cybercriminals, Mr. Alexander noted that subrogation efforts are largely unsuccessful. "Recovering against those who actually commit the crimes is rare," he said, citing the anonymity and international nature of ransomware operations. However, both Mr. Alexander and Mr. Betterley noted that recovery efforts have been more successful when directed at third-party vendors whose systems were compromised during an attack—particularly when those vendors were contractually required to maintain cyber insurance. 

The session closed with a look at how emerging technologies, including autonomous vehicles and connected systems, may further complicate risk allocation. Mr. Betterley explained that as cyberattacks increasingly affect physical operations, the line between cyber liability and product liability may blur. He encouraged risk managers to anticipate these hybrid exposures and ensure they are properly addressed across insurance programs.