Can Cyber Liability Insurance Cover AI-Powered Supply-Chain Attacks?
TL;DR AI-powered supply-chain attacks utilise artificial intelligence to execute sophisticated cyber intrusions, creating unique risks that traditional cyber insurance may not fully cover. These attacks include vendor impersonations, advanced phishing, and malware targeting supply chains. While cyber liability insurance could offer protection for first-party losses and third-party claims related to these incidents, gaps often exist due to legacy exclusions and unclear policy language. Insurers are starting to adapt by creating AI-specific endorsements, but businesses need to review their coverage thoroughly. Berkley Risk assists in identifying these risks, advising on policy adequacy, and helping clients navigate insurance solutions for a safer operational environment.
AI-powered supply-chain attacks are becoming a serious concern, utilising artificial intelligence to orchestrate sophisticated cyber intrusions. These involve tactics like deepfake vendor impersonation and automated malware, targeting everything from suppliers to logistics software. Unfortunately, traditional cyber liability insurance may not provide adequate coverage against the unique risks posed by these advanced threats. For example, issues like legacy exclusions and challenges in attributing AI-generated errors can complicate claims processes. However, some policies might still offer protections for first-party losses or third-party claims resulting from such attacks. As this landscape evolves, working with knowledgeable insurers is essential to ensure your coverage includes these emerging risks effectively.
AI-driven supply-chain attacks are a new type of cyber attack that uses artificial intelligence to become more effective. They target the complex networks of suppliers, logistics software and digital procurement systems. With AI, attackers can automate their methods, making them faster and harder to detect. For example, deepfake vendor impersonation allows malicious actors to create incredibly realistic impersonations of legitimate suppliers and trick businesses into handing over sensitive information or funds.
Additionally, AI-generated phishing can mimic the communication style of trusted partners, making it more likely to succeed. The impact on businesses can be severe: financial loss, operational disruption and long-term damage to reputation. With intelligent malware that can hijack systems and automate attacks, the complexity and scale of these threats have increased dramatically. Recent incidents have shown how AI can amplify an attack, and we need to be aware of this changing landscape. To mitigate the risk, companies need to be proactive, enhance their cybersecurity and train their employees to recognise sophisticated threats.
Traditional cyber insurance policies have a list of exclusions that can leave businesses exposed to modern threats. For example, many policies exclude losses from “acts of war” or don’t cover damages from rogue insiders or automated systems. As AI advances, these legacy exclusions are becoming increasingly inadequate, especially when it comes to AI-powered supply-chain attacks.
Attributing losses to AI errors is a challenge in itself. Unlike human mistakes, which are easy to assess, AI errors are complex and hard to pinpoint. This ambiguity can complicate claims processes and leave businesses high and dry when they need help the most. The line between liability and crime insurance can also get blurry when it comes to AI, so businesses may not even know what coverage they have for AI incidents.
Algorithmic failures, which are becoming more common as businesses rely more on AI, also raise questions about coverage. If an AI system fails and causes significant losses, traditional policies may not clearly define how these losses are treated. For example, a company can face severe financial consequences if an AI-driven decision causes a supply-chain disruption, but its policy may not cover the resulting losses because of the ambiguity of algorithmic causation.
These gaps in coverage can have real-world implications. A company may find out that its traditional cyber insurance doesn’t cover losses from an AI-generated phishing attack that caused financial loss. As these incidents become more common, insurers need to update their policies to cover these emerging risks. Reviewing policy terms regularly is key for businesses to ensure they have adequate coverage against evolving cyber risks, especially those involving AI.
Cyber liability insurance can cover many losses from AI-powered supply-chain attacks. First-party losses are a big part of that, including system damage and recovery costs to help you get back up and running after an incident. You may also face third-party claims where you could be held liable for client data breaches or service disruptions caused by attacks on your supply chain. This is especially important as AI can amplify the impact of those breaches and lead to huge liabilities.
Contingent Business Interruption (CBI) coverage is another key part of that, which provides financial support when a business is hit by a cyber attack on a supplier. This is crucial to keep the cash flowing during recovery. Media liability coverage protects against claims related to intellectual property breaches, especially when AI is used to create or distribute infringing content.
Errors and omissions (E&O) insurance is also relevant, which covers claims from failures in AI decision-making. For example, if an AI system fails to prevent a big error that causes client losses, the E&O coverage will kick in.
Examples of scenarios where cyber insurance would apply are when a company is sued after an AI-generated phishing attack causes client losses or when intelligent malware disrupts logistics and causes delays. The importance of clear policy terms around AI cannot be overstated, as ambiguity will lead to disputes during claims. As the risks around AI evolve, bespoke insurance products are becoming more necessary to address these emerging threats. Talk to your insurers to get the right coverage for your business.
| Type of Coverage | Description | Relevance to AI-Powered Attacks |
|---|---|---|
| First-Party Losses | Coverage for system damage, recovery costs, and business interruption (BI). | Essential for addressing direct damages and operational losses caused by AI attacks. |
| Third-Party Claims | Liability for clients affected by delayed delivery or data leaks. | Critical for businesses interacting with clients whose data or services are compromised. |
| Contingent Business Interruption (CBI) | Cover for losses stemming from supplier-originated cyber attacks. | Important for mitigating disruptions when key suppliers are targeted. |
| Media Liability | Coverage for intellectual property breaches due to AI misuse. | Protects organisations from legal claims arising from AI-related content issues. |
| Errors and Omissions (E&O) | Protection against claims for failures in AI decision-support systems. | Vital for addressing potential lawsuits arising from AI decisions that lead to loss. |
Insurers are increasingly aware of the unique risks presented by artificial intelligence, leading to the development of AI-specific exclusions and endorsements in cyber liability policies. Underwriters are revising policy language to explicitly address AI-related exposures, reflecting a growing understanding of the challenges these technologies pose. For instance, some insurers are introducing clauses that specifically cover AI-generated errors or failures, ensuring that businesses are protected against losses stemming from algorithmic decisions that go awry.
Moreover, the concepts of silent cyber and affirmative endorsements are becoming crucial in this context. Silent cyber refers to the lack of clear coverage for cyber incidents in traditional policies, while affirmative endorsements are explicit additions that clarify and extend coverage to include cyber risks associated with AI. This shift is driven not only by market demand but also by an evolving regulatory landscape that encourages clearer definitions of coverage relating to AI.
Global markets are responding to these changes differently, with some regions moving faster than others in adapting their offerings. Insurers in more competitive markets may be more inclined to create tailored options that address AI risks, influenced by the demands of businesses seeking comprehensive coverage. As case law continues to develop around AI-related incidents, insurers are also adapting their policy language to mitigate potential liabilities.
For businesses, staying informed about these changes is vital. Engaging in discussions with insurers about AI-specific risks can lead to better coverage. Companies are encouraged to advocate for tailored solutions that reflect their unique operational challenges, helping ensure that they are adequately protected against the evolving landscape of AI-powered threats.
Recently there have been some AI-powered attacks that have made it clear that businesses need to relook at their cyber risk strategies. One example is the use of AI to generate fake invoices, where attackers create documents that look like they come from legitimate suppliers. This has resulted in big financial losses where companies have paid cybercriminals instead of their actual suppliers.
Another scenario is AI-driven malware targeting logistics operations. In one case, sophisticated malware infected a logistics software platform and shut down operations for several days. The disruption not only caused immediate financial losses but also damaged relationships with clients who rely on timely deliveries.
In South Africa, we have local issues like load shedding, which can be used by attackers to disrupt digital logistics chains. These unique contexts create specific vulnerabilities that cybercriminals will exploit.
Lessons learned from these real-world examples highlight the need for businesses to include scenario planning in their risk management. By understanding how AI can be weaponised, businesses can negotiate better insurance terms that cover these emerging risks. As AI continues to evolve, the methods attackers use will likely become more advanced, making it imperative for businesses to stay ahead of the curve in their cybersecurity and insurance coverage.
Berkley Risk takes a proactive approach to help businesses understand and manage the unique insurance needs arising from AI-related threats. Their team reviews existing cyber insurance policies to identify gaps specifically linked to AI exposures, ensuring that clients are protected against the new risks emerging in the supply chain. They provide tailored advice on contingent business interruption (CBI) and third-party wording, helping organisations to close any coverage gaps that may exist.
To prepare clients for potential AI-related claims, Berkley Risk emphasises the importance of scenario planning. By exploring various risk scenarios, they guide businesses in understanding the potential financial implications of AI attacks and how to respond effectively.
Berkley Risk also works with clients to create awareness about emerging risks and the evolving landscape of insurance. These online engagements foster collaboration between insured teams and risk management experts, creating a shared understanding of the challenges posed by AI in the supply chain.
Furthermore, Berkley Risk plays a crucial role in negotiating with insurers on behalf of their clients. Their insights and expertise help in securing better terms and conditions, ensuring that businesses have adequate coverage tailored to their specific needs. Successful risk mitigation strategies have been implemented through this collaboration, demonstrating the value of a comprehensive approach to risk management in the context of AI.
As the role of brokers evolves, Berkley Risk remains committed to staying ahead of emerging risks and developing insurance solutions that address the complexities of AI-powered supply-chain attacks.
Cyber liability insurance helps businesses cover losses from cyber incidents, including supply-chain attacks. It provides financial support for recovering from damages, paying legal fees, and notifying affected customers, ensuring the business can bounce back more quickly.
Yes, if your business suffers a loss due to a hacking incident where AI systems in your supply chain are compromised, cyber liability insurance may help cover the damages. However, specific coverage depends on the policy details.
It’s a good idea to let your insurance provider know if you use AI in your supply chain. This helps ensure your policy accurately reflects the risks involved, which can affect your coverage during a claim.
Cyber liability insurance can cover various incidents, such as data breaches, loss of sensitive information, business interruptions, and legal claims arising from cyber attacks on your supply chain.
Yes, the strength of your cybersecurity measures can influence your insurance coverage. Insurers may assess your cybersecurity practices before providing a policy, as better protection might lead to more favourable coverage terms.
Berkley Risk (Pty) Limited (Registration Number 2017/412000/07)
Authorised Financial Services Provider under the Financial Advisory and Intermediary Services Act No 37 of 2002 – FSP#54407