The Cyber Insurance Question: Would Your Policy Pay If AI Caused the Breach?
AI is the part of this conversation that gets people in the room. Cyber resilience is the part that keeps the board awake. The two are now connected — and most firms haven’t checked the join.
There’s a question I’ve put to a lot of business owners, almost in passing: if you had a cyber claim tomorrow, are you confident your policy would actually pay? Most say yes without hesitation. Then I ask whether they could evidence the specific controls their policy assumes are in place — and the confidence drains out of the conversation.
Insurance is contractual and every policy differs, so this needs care. A cyber policy is not an unconditional promise to pay. Many are written on the basis that the insured maintains certain security controls. If those controls turn out not to have been in place, a claim can become contested rather than straightforward.
What most businesses misunderstand
The misunderstanding isn’t that businesses are reckless about cyber risk. Most SME leadership teams are competing with other priorities: revenue, hiring, delivery, reporting deadlines and margin management.
The hidden problem is that many firms have become more operationally fragile than they realise. Systems, suppliers, people, remote access and dependencies have multiplied, while the controls have not always kept pace.
Where AI changes the picture
For years, the textbook fraud has looked like this: a supplier’s mailbox is compromised, an invoice arrives looking normal except the bank details have changed, the payment goes out, and the money is gone before anyone notices.
AI makes that harder to catch. The old defence was often human instinct — this email doesn’t quite sound like them. Writing style, tone and increasingly voice can now be imitated well enough to clear that bar.
The attack isn’t new. What’s new is that the cues we relied on to catch it are becoming forgeable.
The leadership question
If you had to evidence your security controls to an insurer tomorrow, could you — today, with what is actually in place, not what you intended to put in place?
And where are you still relying on a human noticing that “something doesn’t sound right” as a control?
Three questions to take to your broker
- What controls does our policy assume or require us to maintain, and are those written as conditions?
- If we had a claim, what evidence would we need to produce to show those controls were in place at the time of the incident?
- How does our policy treat social-engineering and authorised-push-payment fraud, as opposed to a technical breach?
What to do next
Read the conditions and requirements section of your cyber policy, and map your actual, current controls against it. Where they don’t match, you’ve found your priority list.
No review guarantees a payout, and no article can promise a regulatory or insurance outcome. The aim is more grounded: make sure the controls your business is relying on actually exist, and that you could prove it.
In closing
AI is the attraction. Cyber resilience is the consequence sitting right behind it. A business that races to adopt AI while leaving its security foundations and insurance assumptions untested is moving fast in exactly the wrong direction.
If your leadership team would value a clear-eyed session on where AI, fraud and cyber insurance now intersect, Savant and Axulu can help you check whether your controls match your cover.