
AI Risks a Key Driver Behind Cyber Insurance Growth, Evolution

Growing AI adoption by both enterprises and the threat groups that attack them is having an increasingly large influence on a cyber insurance market that continues to expand and evolve.

Analysts with market research firm GlobalData wrote in a report this week that AI-related risks are now the second-largest driver behind the decision of small and midsize enterprises (SMEs) to take out a cyber insurance policy. Insurance broker advice topped the list, with 39% of the 2,054 respondents pointing to it. The risks of adopting AI were mentioned by 35.8% of SMEs.

“The rapid spread of AI and its integration across all industries is making SMEs feel uneasy and anxious about the technology, perceiving that it may pose a significant risk,” Beatriz Benito, lead insurance analyst with GlobalData, said in a statement. “Given that many standard cyber policies do not mention AI cover, there could be a gap between what clients expect from their policy and what it actually covers.”

GlobalData’s report came days after Gallagher, an insurance, risk management, and consulting business, wrote in its 2026 Cyber Insurance Market Outlook that AI – along with other trends like the threats from quantum computing and supply chain vulnerabilities – is driving a global cyber insurance market that could grow from $16 billion to $20 billion last year to $30 billion to $50 billion by 2030.

“The sudden onset of AI-based attacks has driven the immediate need for more advanced cyber defense strategies,” John Farley, managing director for Gallagher’s cyber liability practice, and Dan Burke, senior vice president and cyber practice leader, wrote in the report. “We are also beginning to see increasing evidence of AI-driven cyber losses.”

Farley and Burke put a spotlight on the use of AI deepfake technology and its role in increasingly sophisticated phishing campaigns, noting that “unlike traditional phishing, deepfakes exploit visual and auditory trust, making detection difficult and amplifying social engineering risks.”

Rising 'AI Anxiety'

None of this surprises Cork Cyber CEO Dan Candee, who told MSSP Alert that the AI anxiety among organizations is “palpable.”

“Clients view AI as the new great unknown,” Candee said. “They know they need to understand and leverage it to compete, but many are concerned it opens a back door they can’t lock. It’s no longer just about checking a compliance box; fear of AI-driven attacks is actively pushing them toward coverage. They are looking for reassurance that if this new technology turns against them, they won't be left footing the bill alone.”

GlobalData analysts noted that standard cyber policies typically exclude losses that are tied to a company’s own AI tool-generated erroneous outputs – like quoting the wrong data in a chatbot – or litigation stemming from biased data from AI algorithms. That said, policies usually will cover losses from AI-powered attacks.

That view is on target, Candee said, adding that while traditional uses historical data, AI at the moment has no history.

“Right now, most policies are like buying insurance for a Formula 1 race car,” he said. “If another driver crashes into you – an AI-driven cyberattack – you’re covered. But if you tune the engine wrong and blow it up yourself – AI hallucinations or biased outputs – the insurer leaves you high and dry. The industry is great at covering theft, but terrible at covering mistakes with new tech.”

Adapting to AI

It’s also an industry undergoing significant changes, some driven by the rise of AI. Insurers are shifting from self-attestation to evidence-based underwriting, according to Noma Security CISO Diana Kelley. With traditional cyber risk, that includes baseline cyber hygiene, like enforced multifactor authentication (MFA) for cloud and privileged access, comprehensive and tested backups, and vulnerability management with documented SLAs.

What’s changed in the past year is that insurers are rigorous in expecting those controls to be proven, not just described, Kelley told MSSP Alert.

“What is emerging alongside that is a parallel shift around AI risk,” she said. “Insurers are increasingly concerned about AI as a source of systemic, aggregated loss. The concern is not just individual failures, but correlated loss driven by shared models, platforms, and agent frameworks.”

AI failures like deepfake-enabled fraud, IP exposed through large language models (LLMs), and automated systems making decisions that are unsafe or noncompliant have caused financial and regulatory harm.

“As a result, some carriers are exploring AI-related exclusions, while others are beginning to underwrite AI risk explicitly by evaluating the strength of an organization’s AI security and governance controls,” Kelley said.

Responsibility Falls on Companies, Suppliers

Matthieu Chan Tsin, senior vice president of resiliency services at Cowbell, a cyber insurance provider to SMBs, said organizations not only need strong and verifiable internal defenses, but must also ensure that supply chain partners follow basic cybersecurity best practices, including MFA, password management systems, and incident response strategies.

Cyber insurance is playing a role in such strategies, Tsin told MSSP Alert.

“It’s not just about financial protection,” he said. “Many insurance providers offer value-added services such as security partnerships, threat intelligence sharing, and access to expert advisory support. These resources can help businesses strengthen their cyber posture before an incident even occurs, making insurance an important part of an overall cyber resilience plan.”

Going forward, organizations need to take such steps as verifying tools, avoiding inputting sensitive data into chatbots, and keeping vigilant against sophisticated AI-driven phishing attacks, according to Rajeev Gupta, co-founder and chief product officer at Cowbell.

“Building a culture of awareness and implementing robust AI use policies will be critical to mitigating these emerging risks,” Gupta told MSSP Alert.

From Passive to Active

This will be needed as the cyber insurance industry shifts from passive policies to active participation, Cork’s Candee said.

“Carriers can no longer just write a policy and hope for the best; they will start demanding 'AI-proof' validation before binding,” he said. “Expect to see more hybrid models like ours, where verified security posture directly dictates coverage terms. The days of filling out a questionnaire once a year are over; AI moves too fast for slow insurance.”

Jeffrey Burt

Jeffrey Burt has been a journalist for almost 40 years, moving from general-circulation newspapers to IT news sites in 2000. He’s an expert analyst and writer on cybersecurity, data center infrastructure, AI, and a host of other subjects for a range of organizations, including CyberRisk Alliance, eWEEK, Techstrong Group, The Next Platform, and The Register.
