Anticipating Artificial Insurer Defenses: Maximizing Insurance Coverage for AI Exposures
In Short
The Situation: The global market for artificial intelligence ("AI") technologies is projected to surpass $1 trillion by 2030.
The Result: In addition to productivity and efficiency improvements, the integration of AI technologies into business operations may create new, or amplify existing, enterprise risks.
Looking Ahead: Commercial policyholders should proactively review their insurance coverage provisions to guard against the risk of AI-related claims and losses.
Introduction
The accelerated adoption of generative AI technologies is expected to create opportunities for business innovation across virtually all industries. At the same time, the commercial use of AI technologies will not eliminate existing, and may create new, enterprise risks. Fortunately, businesses can proactively manage their AI-related exposure now by carefully reviewing their existing insurance programs to determine whether adequate coverage is afforded for AI-related claims and losses. While the scope of coverage will depend on the specific terms of each insurance policy, a number of coverages may respond with insurance for AI-related claims and losses.
Cyber Insurance
The increased use of AI technologies to conduct business operations has created additional targets for cyber attacks. The unauthorized use or disclosure of personally identifiable or proprietary business information used by AI technologies can result in privacy breaches, leading to potential legal exposure or reputational injury. In addition, so-called "data poisoning" attacks deliberately import false or incorrect information into AI training data sets with the objective of compromising the output generated by AI algorithms. Cyber criminals have also weaponized AI voice technology to perpetuate social engineering schemes.
All of these risk exposures are potentially covered by cyber insurance policies. These policies typically contain insuring agreements addressing third-party liabilities (e.g., network security, privacy, and media liabilities); and incident response costs (e.g., forensic investigation, defense costs, and customer notification and credit monitoring expenses). Some cyber coverages also provide insurance for first-party losses, including business interruption, the cost to restore lost or compromised data, and cyber extortion expenses.
Given that there are dozens of cyber insurers and no standard forms, policies vary greatly in scope. It is important for risk managers to pay particular attention to the fine print of their company's cyber insurance coverage.
Policyholders should also review their cyber coverage for any advance insurer consent provisions, which can apply to forensic investigation and incident response expenses incurred to investigate, evaluate, and address insured events. These provisions can present an additional logistical hurdle for policyholders during such crises. While it is important for policyholders to be aware of such provisions, policyholders may be able to negotiate the deletion or modification of these and other provisions with their cyber insurers for no additional cost or only a modest increase in premium.
Commercial Property Insurance
Although many commercial property insurance policies now contain exclusions (or a small sublimit) for cyber-related losses that may potentially apply to AI-related losses and should be reviewed, those that do not may also afford coverage for AI-related loss.
To the extent that improperly functioning AI technologies cause tangible harm or loss of use to a company's own property, including damage to company infrastructure or products, commercial property insurance may respond. Such policies may include business interruption insurance, which typically covers income losses sustained as a result of disruptions to the company's operations. Contingent business interruption coverage similarly provides insurance for financial losses resulting from disruptions to a business's customers or suppliers, usually requiring that the underlying cause of damage to the customer or supplier be of a type covered with respect to the business's own property.
In many commercial property insurance policies, business interruption coverage is triggered when the policyholder sustains "direct physical loss of or damage to" insured property by a covered cause of loss. In the event of AI-caused business interruption, insurers may dispute whether the "physical loss" requirement of such policies has been met. Policyholders should keep in mind, however, that courts in certain jurisdictions have determined that the loss of use or functionality of computer networks may constitute "physical loss" sufficient to trigger business interruption coverage. The determination of whether "physical loss" has occurred will, therefore, continue to require a close examination of the particular facts of each case.
Liability Insurance: CGL, EPLI, D&O and E&O Coverage
The use of AI technologies to conduct business operations may also give rise to a host of third-party claims covered by traditional liability insurance policies. Companies may soon face lawsuits for injuries caused by alleged defects in the AI technologies included in their products. At the same time, AI-generated content used in company advertisements that inadvertently relies upon the intellectual property of others may be subject to claims for misappropriation of advertising ideas or copyright infringement. Commercial general liability, or CGL, insurance policies should respond with coverage for these type of claims because they are intended to cover third-party claims for bodily injury, property damage, and advertising injury resulting from a business's operations and products.
Similarly, the use of AI to aid companies' employment-related decisions has given rise to claims of algorithmic bias, alleging that AI algorithms inadvertently perpetuated existing biases in AI training data and programming. Employment Practices Liability Insurance, or EPLI, policies, which are designed to indemnify employment-related wrongful acts, can protect companies from algorithmic bias exposures concerning alleged AI-related discrimination in the hiring, promotion, or termination of company employees.
In addition to third-party claims brought against businesses, companies or their directors and officers may be subjected to shareholder and other lawsuits concerning the alleged misrepresentation, or failure to adequately disclose or address, the potential risks associated with the use of AI technology in company operations. For example, a company's shareholders may allege that management failed to develop adequate contingency plans, implement protocols recommended or required by governmental authorities, and/or properly disclose the AI-associated risks posed to the company's business function and financial performance. Directors and officers ("D&O") insurance policies may provide coverage for the costs and liabilities arising from these lawsuits.
Policyholders evaluating coverage under their D&O policies should pay careful attention to any exclusions that could potentially limit the scope of coverage for AI-related losses, such as electronic data exclusions and/or cyber exclusions, and seek to either remove them or add express carve-outs for securities claims.
Policyholders should also examine the scope of their D&O insurance policies' conduct exclusions. Many D&O insurance policies exclude coverage for certain misconduct by the insured, such as deliberate fraud, dishonesty, and willful violations of the law. The specific language of these conduct exclusions can significantly impact the scope of coverage. For example, some D&O policies apply the exclusion if the proscribed conduct occurs "in fact," while others require that the insured's misconduct be established by "final adjudication." Neither formulation of the exclusion is ideal from a policyholder perspective because insurers may attempt to assert that they themselves can determine the exclusion's application (under the "in fact" trigger) or attempt to litigate in a coverage action the conduct at issue (under the "final adjudication" trigger). Where possible, policyholders should seek to have any conduct exclusions in their D&O insurance policies expressly worded to apply only if the insured's misconduct is determined through a "final, non-appealable adjudication in the underlying action," which should foreclose an insurer from attempting to trigger the exclusion absent a conclusive determination in the underlying litigation.
Finally, errors and omissions ("E&O") liability insurance may potentially respond to claims arising out of AI-enabled professional services, as well as for intellectual property infringement claims based upon the inadvertent and unlicensed use of copyright or patented material in AI training data. Depending on their nature, E&O policies may also potentially cover regulatory fines and penalties pertaining to company use of AI technology in their business operations.
Policyholders Should be Wary of Insurer Reliance on AI-Assisted Claims Handling
Insurers themselves are not immune to the risks associated with reliance upon AI to assist with the performance of ordinary business functions. Indeed, a number of insurers have already been subjected to litigation alleging wrongful use of predictive analytics and AI to systematically and unreasonably deny claims without conducting thorough and individualized claims investigations. To the extent that an insurer may have employed AI technology to automate its claims adjustment function, policyholders should insist upon human review and analysis of their insurer's coverage determinations.
Conclusion
While the foregoing has surveyed various types of insurance that may respond with coverage for AI-related claims and losses, the scope of coverage will ultimately depend upon the specific language of each insurance policy. Businesses interested in proactively managing their AI-related exposure should evaluate the adequacy of the coverage provided under their existing insurance programs before the potential onset of such losses. Policyholders that have experienced an AI-related claim or loss should obtain and carefully review all policies that may potentially provide coverage, including those in which their business is identified as an "additional insured."
Two Key Takeaways
- Various types of insurance policies may respond with coverage for AI-related claims and losses.
- Businesses interested in proactively managing their AI exposure should evaluate the adequacy of the coverage provided under their existing insurance programs before the potential onset of such losses.