How AI adoption is making insurers rethink cyber cover

Cyber threats are among the fastest-growing operational risks facing organisations. Between January and March 2026, the Communications Authority of Kenya (CA) recorded more than 3.3 billion cyber threat events.

Photo credit: Shutterstock

As artificial intelligence (AI) makes businesses smarter and more efficient, it is also making cyber risks more complicated.

For years, companies buying cyber insurance worried about familiar threats like ransomware attacks, phishing emails, data breaches and network outages. While these risks remain, AI is changing how cybercriminals operate and the types of mistakes businesses can make, forcing insurers to rethink what they cover and how they price it.

This comes as companies increasingly embed AI into daily operations to optimise productivity, from customer service chatbots and software development to fraud detection and data analysis.

However, this is also opening the door to cybersecurity risks that did not exist a few years ago. Cybercriminals are increasingly using AI to automate the discovery of software vulnerabilities, generate convincing phishing emails and create deepfake audio and video capable of fooling employees into transferring money or disclosing confidential information.

At the same time, businesses deploying AI systems are creating new forms of risk that may have nothing to do with hackers. An AI model, for instance, can hallucinate inaccurate information, inherit bias from its training data, expose confidential information or fail in ways that disrupt business operations.

At the same time, training datasets can be manipulated by injecting malicious or misleading data into an AI or machine learning model's training dataset, technically called data poisoning, which makes it produce unreliable or compromised outputs.

Because these failures often occur without any malicious third-party attack, many cyber insurance policies may not clearly cover the resulting losses.

As a result, insurers face a new generation of threats that fall outside the traditional boundaries of cyber cover.

Cyber insurance has historically focused on attacks by external actors who infiltrate company systems through stolen credentials, software vulnerabilities or social engineering.

Policies were designed to cushion businesses against financial losses arising from ransomware, data theft, phishing attacks and business interruption following a cyber incident.

The law firm Bowmans says this uncertainty has prompted insurers to change how they evaluate clients. Instead of asking if a business has antivirus software or firewalls, insurers increasingly want evidence that organisations have proper AI governance structures, human oversight, monitoring processes and controls over third-party AI vendors.

“A defensible AI governance policy and evidence of governance, once niche considerations, are becoming a prerequisite for meaningful coverage and favourable pricing,” Bowmans said in a recent analysis.

The insurance industry is also using AI to underwrite insurance more effectively.

Insurers are analysing a company's digital footprint, internet-facing systems and historical cyber incidents in real time, rather than relying solely on annual questionnaires.

This has made risk assessments evolve continuously rather than once a year.

At the same time, insurers are beginning to redesign their products, with some adding endorsements that explicitly cover AI-related incidents such as unauthorised disclosures through AI systems, social engineering fraud or failures involving third-party AI providers.

Others are introducing exclusions where businesses deploy AI without adequate governance or where losses arise from algorithmic decision-making.

Entirely new insurance products are beginning to emerge, covering regulatory investigations linked to AI governance failures, intellectual property disputes involving AI-generated content and business interruption caused by AI model failures or corrupted training data.

Though the market is still in its early stages, it signals a shift in cyber insurance from covering only network breaches to addressing a wider range of AI-driven business risks.

The trend is becoming increasingly relevant in Kenya as businesses accelerate investments in cloud computing, digital platforms and AI.

Cyber threats are among the fastest-growing operational risks facing organisations. Between January and March 2026, the Communications Authority of Kenya (CA) recorded more than 3.3 billion cyber threat events.

According to the regulator, many of the attacks were fuelled by inadequate software patching, low awareness of phishing and social engineering tactics, and the increasing use of AI and machine learning by malicious actors.

Attacks targeting operating systems, databases and network infrastructure were the most common incidents, while malware, distributed denial-of-service attacks and brute-force attacks continued to pose significant threats.

Kenya's insurance industry has been responding to the growing demand for cyber protection, with firms – including APA Insurance, Aon Kenya, Britam and Zamara –already offering specialised cyber insurance products.

"We see new risks coming in with the adoption of technology and AI, and we want to mitigate that. Hacks and ransom demands are becoming a big threat," Ashok Shah, the group Chief Executive of Apollo Investments, APA Insurance's parent company, told the Business Daily in a recent interview.

"In this case, insurance coverage comes in so that clients do not need to pay ransom, but at the same time, their systems are protected."

Analysts say AI governance, amid this increasing adoption, will become a key determinant of whether a company can obtain insurance and on what terms.

Follow our WhatsApp channel for the latest business and markets updates

PAYE Tax Calculator

Note: The results are not exact but very close to the actual.