Is Your Cyber Insurance Ready for AI and Data Privacy Risks?

Smith Anderson

As artificial intelligence (AI) and data-driven decision-making become central to business operations, companies face a rapidly evolving landscape of cybersecurity and data privacy risk. Yet, many existing cyber insurance policies have not kept pace — and may leave organizations exposed to significant gaps in coverage.

A thoughtful review of your policies is essential to ensure they address the full range of potential risks, including AI-related incidents, data breaches and novel data privacy class action lawsuits.

Does Your Policy Cover AI Risks?

While most cyber policies are designed to cover traditional data breaches and network intrusions, many exclude or narrowly define losses involving AI systems. For example, policies may not cover:

  • Failures or errors in AI-generated content or decision-making tools;
  • Unauthorized access, manipulation or poisoning of machine learning models; or
  • Third-party claims arising from biased, inaccurate or infringing AI outputs.

Companies leveraging AI tools—whether proprietary or through third-party vendors—should confirm whether these scenarios are within the scope of their policies. As regulators and plaintiffs’ counsel begin to scrutinize AI use, especially in consumer-facing contexts, potential exposure could extend well beyond traditional cybersecurity events.

Are You Protected Against Data Privacy Claims and Losses?

Companies today face a broad spectrum of data privacy litigation and regulatory risk.

Many policies cover direct breach response costs — forensics, notification and credit monitoring — but may exclude coverage for regulatory investigations, fines or class action defense costs stemming from certain alleged data privacy violations. These exclusions can prove costly, as data privacy class actions continue to surge following high-profile data incidents.

Organizations should review whether their policies:

  • Cover both first-party and third-party privacy claims;
  • Include defense and indemnity for statutory damages under privacy laws; and
  • Provide coverage for regulatory investigations and consumer class action litigation.

Do Your Coverage Limits Match Today’s Risks?

Even the best policy language can fail in practice if retention levels are too high or coverage limits too low.

Companies should:

  • Benchmark coverage limits against peer organizations and current regulatory trends;
  • Confirm that limits apply per incident, not in the aggregate, where possible; and
  • Consider additional coverage for media, technology errors and omissions and reputational harm.

Can You Use Your Preferred Counsel in a Crisis?

When a cyber event or privacy investigation occurs, time is critical. Insurers often maintain "panel counsel" lists that may not include the firm most familiar with your operations and risk profile. To ensure a coordinated and effective response, companies should request that their preferred outside counsel — such as Smith Anderson — be listed as an approved provider on the policy.

This designation allows your organization to immediately engage trusted advisors for:

  • Incident response and breach notification guidance;
  • Communications with regulators and affected parties; and
  • Defense of privacy class actions and regulatory enforcement actions.

Do Your Vendor Contracts Protect You?

When vendors handle sensitive data or access critical systems, their vulnerabilities can quickly become yours. Due diligence in evaluating such vendors and agreements with them is not only essential, but often required under certain regulations.

Companies should seek to ensure that their vendor contracts require:

  • Minimum insurance coverages, proof of insurance, naming the customer as an additional insured, waiver of subrogation and maintenance of coverage through the duration of service (and often, beyond);
  • Indemnification for data privacy or cybersecurity incidents; and
  • Either no liability caps (or, at minimum, a supercap) or specific carve-outs for such events.

Next Steps: Strengthening Your Cyber Coverage

Cyber insurance should evolve with your business, and with today’s AI and data privacy risks, it’s critical to make sure your policies keep pace. Here are key actions to consider:

☑ Review your policies to identify exclusions and confirm they align with your operations and emerging legal standards.
☑ Reassess retention levels and coverage limits to ensure they reflect your organization’s risk exposure.
☑ Confirm your preferred counsel (such as Smith Anderson) is listed as an approved provider, so you can respond quickly when an incident occurs.
☑ Align vendor contracts with your policies, ensuring third-party risks are covered and liability is appropriately allocated.

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations. Attorney Advertising.

© Smith Anderson
