By a tech blogger who learned this the hard way
Last March, a friend of mine who runs a mid-sized ecommerce business got a video call from his "CFO." The voice was right. The face was right. The request, wire $180,000 to a vendor account, sounded completely routine. He did it. Three days later, he found out his CFO had been on vacation with no cell service that entire week.
The call was a deepfake. Fully AI-generated. And when he filed a claim with his cyber insurer? Denied. His policy, renewed just two months earlier, had quietly added an exclusion for "AI-generated social engineering fraud."
That story hit me hard, because I'd been researching cyber insurance for my own small agency at the time. And honestly, I had no idea policies had changed that much. So I went deep. Talked to brokers, read through actual policy documents, and spent way too many hours on forums where IT managers were swapping war stories. Here's everything I learned.
Cyber Insurance Isn't What It Was Three Years Ago
When most people think about cyber insurance, they picture ransomware coverage: your files get locked, you pay a ransom, insurance reimburses you. That model made sense in 2021. It doesn't fully hold up anymore.
The threat landscape has completely changed, and the insurance industry is scrambling to keep up, sometimes in ways that leave policyholders badly exposed.
AI has done two things simultaneously: it's made attacks cheaper and more convincing for criminals, and it's made the damage harder to categorize under old policy language. That combination is a nightmare for anyone trying to file a claim.
What "AI-Powered Threats" Actually Look Like on the Ground
Let me break down the real stuff that's happening: not the theoretical attack vectors you read about in whitepapers, but the stuff that's actually landing in incident reports right now.
Deepfake fraud is the big one. Criminals are using tools that, frankly, are not that expensive or hard to access, to clone voices and generate video of executives. The $25 million deepfake wire transfer that hit a Hong Kong firm in 2024 wasn't a one-off; that attack model has been replicated dozens of times since. Losses from deepfake-assisted wire fraud are averaging around $631,000 per incident now, and that number keeps climbing.
AI-supercharged phishing is almost worse in some ways because it's everywhere. Old phishing emails had typos, weird phrasing, generic greetings. Now attackers use AI to scrape your LinkedIn, your company website, your press releases, and write a perfectly personalized email that references your actual clients, your actual projects, your actual tone. One IT manager I spoke to said his team's phishing simulation click rates went from 8% to 23% in a single year. Same employees. Better fake emails.
Ransomware-as-a-Service has gone fully corporate. There are actual affiliate programs now where criminal groups provide the ransomware tools, tutorials, and even customer support (for the victim, to facilitate payment), and take a cut of the ransom. AI has lowered the skill floor dramatically; you no longer need to be a sophisticated hacker to run a ransomware campaign.
The Coverage Gap Nobody Warned You About
Here's where things get genuinely frustrating.
Starting in late 2024 and accelerating through 2025, most major cyber insurers quietly rewrote their policy language. If your policy was renewed after January 2026, there's a real chance it now specifically excludes:
- Losses from AI-generated deepfake audio or video
- Social engineering fraud where "direct human communication" can't be proven
- Certain AI-assisted phishing attacks that exploit automated systems
The problem is that most business owners don't read their policy documents in detail. I didn't, not until I had a reason to. The exclusions are buried in the definitions section, written in language that requires a lawyer to parse.
My friend's denied claim? The policy said it covered "direct communication fraud." His insurer argued that a deepfake video call introduces an "AI intermediary" that breaks the chain of "direct" communication. Courts are still arguing about what that means. His claim is in dispute. He's out $180,000 while the lawyers sort it out.
What You Actually Need to Do Right Now
Okay, enough horror stories. Here's the practical side: what I actually recommend after going through all of this.
Step 1: Pull out your current policy and read the definitions section.
Seriously, do it this week. Look for words like "direct communication," "human impersonation," and "social engineering." If you see exclusions around "AI-generated content" or "synthetic media," you have a gap. Flag it immediately.
Step 2: Ask your broker specifically about deepfake endorsements.
These are separate add-ons that cover AI-generated fraud. They typically run $500 to $3,000 per year for small to mid-sized businesses. That's not nothing, but compare it to the average loss figure and it's obvious math. Not every insurer offers them yet, so you may need to shop around.
Step 3: Document your authentication procedures.
Even if you get sued or a claim is disputed, having written proof that your employees followed verification protocols matters enormously. Some insurers will honor claims if you can show you had a callback policy, multi-factor authorization for wire transfers, or a verbal confirmation requirement, and that your employee genuinely followed it.
Step 4: Implement a "CEO fraud" verification protocol.
This is a real internal process, not just a tech tool. Any wire transfer request over a set threshold (say, $10,000) requires a secondary confirmation via a pre-established, out-of-band method, like calling back on a number already saved in your contacts, not a number provided in the request. Simple. Free. Stops most deepfake attempts cold.
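To make Step 3 and Step 4 concrete, here is an added example (mine, not from the post or from any vendor named in it) of a small approval gate that enforces the threshold-plus-callback rule and writes the verification record an insurer would ask to see. The contact directory, the $10,000 threshold, the email addresses, phone numbers and amounts are all constructed for illustration; in practice the directory would be maintained by finance or IT, never by whoever receives the request.

```python
"""Wire-transfer approval gate with out-of-band callback and audit record.

Added example, not code from the original post. Every name, number and
amount below is constructed sample data.
"""
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import Optional, Tuple
import json

CALLBACK_THRESHOLD = 10_000  # dollars; the post suggests "say, $10,000"

# Pre-established contact directory: the ONLY acceptable source of callback
# numbers. A number that arrives inside the request is never used.
TRUSTED_CONTACTS = {
    "cfo@example.com": "+1-555-0100",   # constructed sample entry
}


@dataclass
class WireRequest:
    requester: str                 # identity the request claims (e.g. the "CFO")
    amount: float
    beneficiary: str
    channel: str                   # "video_call", "email", "chat", ...
    number_in_request: Optional[str] = None  # callback number the request itself offers


@dataclass
class Verification:
    """What the employee actually did to confirm the request."""
    performed_by: str
    number_dialed: str
    confirmed: bool
    timestamp: str = field(
        default_factory=lambda: datetime.now(timezone.utc).isoformat())


def required_callback_number(req: WireRequest) -> Optional[str]:
    """Look up the directory number for the requester; None if unknown."""
    return TRUSTED_CONTACTS.get(req.requester)


def evaluate_request(req: WireRequest,
                     verification: Optional[Verification] = None) -> Tuple[bool, dict]:
    """Decide whether a wire may proceed.

    Returns (approved, record). The record is the written evidence of which
    rule fired and what verification was performed (Step 3 of the post).
    """
    record = {
        "requester": req.requester,
        "amount": req.amount,
        "beneficiary": req.beneficiary,
        "channel": req.channel,
        "threshold": CALLBACK_THRESHOLD,
        "decision": None,
        "reason": None,
        "verification": None,
    }
    if req.amount < CALLBACK_THRESHOLD:
        record.update(decision="approved", reason="below callback threshold")
        return True, record

    expected = required_callback_number(req)
    if expected is None:
        record.update(decision="rejected", reason="requester not in trusted directory")
        return False, record
    if verification is None:
        record.update(decision="held", reason="out-of-band callback not yet performed")
        return False, record

    record["verification"] = verification.__dict__
    if verification.number_dialed != expected:
        # The classic trap: the employee "verified" by calling the number the
        # request supplied, which the attacker controls.
        why = ("callback used the number supplied in the request"
               if verification.number_dialed == req.number_in_request
               else "callback used a number not from the trusted directory")
        record.update(decision="rejected", reason=why)
        return False, record
    if not verification.confirmed:
        record.update(decision="rejected", reason="requester did not confirm on callback")
        return False, record

    record.update(decision="approved", reason="confirmed via trusted out-of-band callback")
    return True, record


def audit_line(record: dict) -> str:
    """Serialize one decision as a JSON line for an append-only log."""
    return json.dumps(record, sort_keys=True)


if __name__ == "__main__":
    # Constructed scenario modelled on the post's opening story.
    req = WireRequest("cfo@example.com", 180_000, "Vendor Holdings LLC",
                      "video_call", number_in_request="+1-555-0199")
    approved, rec = evaluate_request(req, Verification("ap.clerk", "+1-555-0199", True))
    print(approved, audit_line(rec))
```

The point of the `number_in_request` check is that "I called them back" is not the same control as "I called the number we already had on file"; the record distinguishes the two so that, after an incident, you can show exactly which step was or was not followed.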
Step 5: Look at your insurer's security requirements before renewal.
Insurers are now rewarding businesses that demonstrate continuous threat monitoring, supply chain visibility, and incident response planning. Some are offering meaningful discounts, up to 15%, for documented cybersecurity programs. Tools like CrowdStrike Falcon, SentinelOne, and Darktrace are frequently named in underwriting questionnaires. Having one of these deployed (and being able to prove it) genuinely moves your premium.
The Bigger Picture: What Insurers Are Trying to Figure Out
It's worth being fair to the insurance companies here, even if the coverage gaps are maddening. They're dealing with a genuinely new problem.
Traditional insurance is built on actuarial tables: historical loss data that lets you price risk accurately. Deepfake fraud at scale is two years old. There isn't enough claims history to price it confidently. So insurers are either excluding it entirely (to avoid unknown exposure) or charging a lot for limited coverage.
The same is true for AI-assisted ransomware. When a single vulnerability in a cloud provider can simultaneously impact thousands of companies, what insurers call "systemic risk" or "catastrophic aggregation," the math of traditional insurance breaks down. One bad software flaw, and suddenly you're paying out billions across your entire portfolio at once.
Munich Re, one of the biggest reinsurers in the world, flagged this explicitly: cyber risks are increasingly interconnected in ways that make individual policy pricing almost meaningless if a truly catastrophic systemic event hits.
So the market is in flux. And that flux is falling on businesses that are just trying to figure out if they're covered.
Mistakes I See Businesses Make (That You Should Avoid)
Buying the cheapest policy and assuming it covers everything. Cyber insurance isn't like car insurance, where minimum coverage is a known quantity. The variance between policies is enormous. I've seen two policies at nearly the same price point where one covered ransomware extortion payments and one explicitly excluded them.
Not updating coverage after a major software deployment. If you moved to a new cloud platform, added an AI tool to your workflow, or onboarded a large new vendor, your risk profile changed. Tell your broker. Policies have material change clauses that can affect claims if your actual setup diverges from what you disclosed.
Treating insurance as a substitute for security. This one comes up constantly. Insurers are increasingly requiring proof of baseline security controls: multi-factor authentication, patching schedules, endpoint detection. If you skip those and get hit, your claim may be denied on the grounds that you failed to meet policy conditions.
Not having an incident response plan documented. Most insurers provide access to a breach response team as part of the policy. But if you don't know that, or don't call them immediately after an incident, you can inadvertently do things (like paying a ransom without authorization, or communicating with attackers directly) that void your coverage.
Where This Is All Heading
The honest answer is: the market will stabilize, but not immediately.
We're in a messy transition period where threat actors are ahead of policy language, and policy language is ahead of most businesses' understanding of what they actually have. That gap is where the pain lives right now.
The insurers who are going to win long-term are the ones investing in AI-powered underwriting: using machine learning to continuously assess a client's security posture, not just at renewal time. A few companies are already doing this. It's a fundamentally better model.
For businesses, the opportunity is real too. Demonstrating a strong, documented security posture is becoming a genuine competitive advantage when shopping for coverage. The companies that invest in it now will get better rates and better coverage as the market matures.
My friend with the deepfake CFO call? He's since implemented a strict wire transfer callback protocol, added a deepfake endorsement to his renewed policy, and started using a tool called Ironscales for AI-assisted phishing detection. He's also a lot more paranoid about video calls than he used to be.
Can't say I blame him.
If you found this useful, the single most important thing you can do today is dig out your current cyber policy and read the definitions section. Thirty minutes now could save you six figures later.