The Insurance-Fueled AI Governance Wave

Explore how AI risk management affects insurance policies and reshapes the landscape of cybersecurity and business operations.

Insurance companies will likely lead the wave of AI governance and security reformation at most enterprises.

Cyber insurance has already done more to move the needle on cybersecurity programs than just about anything else because cyber insurance, or lack thereof, can be tied directly to money out the door with insurance premiums and coverage. 

No MFA on your email accounts? Sorry, no coverage. Are you not using a top EDR provider? Sorry, that puts you in a higher risk category and, therefore, a higher premium. Without the financial incentives provided by cyber insurance, however, many security enhancements would remain on the drawing board.

The question of whether cyber insurance has genuinely improved the cybersecurity industry is still up for debate. According to Munich Re, one of the largest insurance companies in the world, the global cyber insurance market reached $14 billion in 2023 and is estimated to increase to around $29 billion by 2027.

One trend is clear, however: breaches, ransomware, and cyber insurance payouts have all gone up and to the right, and the cyber insurance industry has had trouble keeping up.

Insuring against cyber risk from the ever-increasing Ransomware-as-a-Service (RaaS) models, Business Email Compromise (BEC), nation-state cyber actors, and supply chain vulnerabilities and breaches is no easy feat. Ransomware payments in 2023 exceeded $1 billion, marking a record high after a decline in 2022, and $2.9 billion was lost in 2023 alone to BEC.

Now, add AI into the mix, and you’ll have an exponential capacity to increase risk across the world. As the cyber risk insurance market has exploded over the past five years, it's reasonable to anticipate a similar trajectory for AI-focused insurance that could drive companies toward better AI risk, safety, and security governance.

We should expect AI to change the entire company-insurer relationship, from using far more data and intelligence signals to create better risk assessment methods to better claims processing. We might soon see AI insurance agents running complex actuarial models to help insurers manage their exposure more proactively. It will all be done with AI, and it will all roll downhill and impact those company risk mitigation areas (i.e., cybersecurity) the most.

We should expect this participation to come through increased scrutiny around indemnification, tightened underwriting requirements, and increased liability limitations regarding what AI can be held responsible for. This could look like reducing the liability for things that a company’s AI applications may get wrong, like the issue where Air Canada lost a court case after its chatbot hallucinated fake policies to a customer. It could also just increase fines and thresholds on how much a third party can be sued for.

We should also expect a continued increase in venture capital investments in cyber insurance. Over the last seven years, there has been over $2 billion invested into the cyber insurance space:

VC investment into cyber insurance companies has skyrocketed over the past decade, with $94.2 million raised in 2021 alone—an all-time high. The growth trajectory reflects the increasing reliance on cyber insurance as businesses grappled with ransomware and Business Email Compromise (BEC).

These stats don’t even account for the amount of money invested by the large, established insurance companies worldwide offering cyber insurance. This is just from cyber-specific companies. As more capital flows into these markets, the demand for insurance-led cybersecurity reform will continue to rise.

I anticipate that, much like the spike in cyber insurance investments during the peak years of 2020 and 2021, AI-specific insurance products will likely trigger the next major wave of capital influx and security innovation. The problem of cyber risk is growing exponentially while cyber insurance is evolving. Insurers are now forced to develop new ways to cover these risks, creating a larger and more specialized market for cyber insurance.

This won't be limited to security concerns alone; it will also encompass broader risk management strategies. Businesses already manage risk in several ways, and these existing strategies will likely extend to AI:

  1. Businesses manage risk using contractual language to pass it on to additional parties or minimize the scope for which they can be held liable (legal).

  2. Businesses manage risk by increasing the requirements and security, privacy, insurance, and compliance practices of the vendors they work with and restricting a third party’s ability to use their business or customer data to train AI models (vendor risk management).

  3. Businesses manage risk by limiting the scope of the data they collect and use to serve customers (data minimization - a concept most companies couldn’t dream of following).

  4. Businesses manage risk by attempting to hedge business processes and the cost of doing business with others (insurance products).

  5. Businesses manage risk by acquiring and using technology to identify and protect against the risk (cybersecurity).

  6. Businesses manage risk by accepting it (enterprise risk treatment).

You could slice this up a few more ways, but you get the gist.

These risk management practices will evolve as AI becomes more integrated into business operations. Cyber insurance will play a significant role in this evolution as companies look to distribute the risks associated with AI and the vendors that use it.

Either way, there will be a ton of money made in this space. If my time working at one of the largest insurance companies in the world taught me anything, it’s that insurance companies usually hold the biggest money bag at the end of the day.

The adage of the Golden Rule applies here:

He who holds the gold makes the rules.

As AI ripples through the global economy and every industry known to man, insurance firms will likely become the players shaping its governance and security landscape.
