Cyber insurance in crisis with AI blind spots
We’ve long known that a single compromised supplier can cascade across industries and borders. Now there is another knock-on effect: companies are struggling to collect cyber insurance payouts when the breach originates with a vendor in their supply chain, especially when the AI involved is a black box, with no transparency, traceability, or audit trail to support the claim.
The reasons are complex: policy exclusions for state-sponsored attacks, unclear attribution, invisible AI risk and, often, an unwillingness to pursue legal action against a valued supplier or large tech vendor.
When your vendor’s breach becomes your uninsured loss
The rise of supply chain attacks, from software vulnerabilities to compromised service providers, exposes a growing blind spot in cyber insurance: your third-party risk. Recent high-profile attacks, including those impacting M&S, Qantas, and UBS, show how indirect threats can create direct damage.
Yet many cyber insurance policies still struggle with how to handle attribution when responsibility lies several layers deep in the supply chain.
Worse still, companies may be reluctant even to claim, fearing reputational damage, strained supplier relationships, or exclusions relating to ransomware payments (which I wrote about recently – How do you know you haven’t already been compromised?). Absurdly, insured parties often silently absorb losses and reputational damage, undermining the purpose of the policy in the first place.
Cyber hygiene alone isn’t enough anymore
While cyber hygiene programmes, like the NCSC Cyber Essentials scheme, remain a minimum baseline for insurance premium scoring, what do they do for your supply chain? Practices like multi-factor authentication, credential auditing, and mandating a Software Bill of Materials (SBOM) help reduce risk across your supply chain.
Cyber insurance providers increasingly demand proof of such controls as a condition of coverage. Unfortunately, many organisations still lack visibility and cannot provide evidence beyond their first-tier suppliers.
Insurers are responding: some now require vendor due diligence programmes and evidence of third-party supply chain risk governance. Others are reassessing the insurability of certain high-risk sectors and of software providers caught in geopolitical crosshairs. For policyholders this is a wake-up call: good cyber hygiene must include your digital supply chain.
The disconnect between cyber insurance and third-party reality points to a broader failure in digital governance. Insurance is meant to reduce systemic risk. But when digital infrastructure is fragile and fragmented, interwoven with ever-present AI services, and lacking in transparency, no policy can cover what it cannot see.
Insuring the intelligent but hidden AI risk
We’re all too familiar with ransomware data breaches and, sadly, in my view this isn’t going away, but you should also beware of the intelligent threat hiding in plain sight. As our digital ecosystems grow more complex and AI becomes more embedded in our software supply chains, the insurance industry must contend with risks that are harder to detect, attribute, and insure.
We’re already seeing warning signs: deepfake digital identities and AI-generated synthetic vendors slipping through procurement checks undetected, and poisoned training datasets corrupting AI models at source, introducing hard-to-trace backdoors.
At the same time, the claims landscape is evolving: newer risks like model manipulation, IP infringement, hallucinated outputs, and data poisoning are rarely addressed explicitly in current policy language. AI-induced attacks are likely to increase the frequency and complexity of cyber insurance claims.
To remain relevant and resilient, the cyber insurance market must innovate fast: design coverage frameworks that account for AI-induced failures and software supply chain anomalies, and provide incentives for organisations that can show how their AI works. Clear and explainable models should mean fewer surprises, faster claims and better coverage. Transparent AI could move from best practice to competitive advantage.
Cyber insurance is still a vital pillar of digital business resilience. But unless we expand our definitions of risk, demand greater visibility and transparency into AI models and AI enabled supply chains, and close the gap between coverage and exposure, the system may not deliver when it’s needed most.
AI is driving how cyber insurance is priced, assessed, and delivered. If insurance brokers, CFOs and compliance teams can’t explain how a model works or prove it is fair and secure, insurance cover could be denied, claims disputed, and trust lost.
Because in a world where trade flows through algorithms and code, if you can’t see the risk, you can’t insure against it, and if you can’t insure it, everyone is exposed.
AI is becoming embedded across every business function, bringing hidden risks like bias, model drift, privacy breaches, and regulatory gaps. Without oversight and the AI audit skills to spot hidden risks, internally and across the supply chain, most businesses lack the tools and expertise to assess this risk, and critically jeopardise their ability to claim on their cyber insurance when it matters most.
Give your team the skills they need to protect against AI threats with our AI security training and our governance, risk and compliance courses.
Richard Beck is an experienced security professional, turned educator, with over 15 years in operational security roles.