Viewpoint: The AI Boom – When Risk Stops Being Rare, Insurance Must Evolve
Insurance has always depended on a simple premise. Losses must be possible but not inevitable. You’ve got to be able to know something could happen, and plan for it if possible, but really hope that it doesn’t. That assumption has underpinned everything from property cover to cyber policies.
Losses can be modeled because they are contingent, bounded, and relatively infrequent. But a new class of artificial intelligence tools is starting to erode that foundation, and cyber insurance is going to feel the strain.
The immediate catalyst is Anthropic’s latest AI model, Claude Mythos, which has prompted warnings from cyber-security experts, regulators and government alike. The company has said the system is capable of identifying and exploiting software vulnerabilities at a scale and speed that makes full public release too risky, with access restricted to a small group of major technology firms.
Reports suggest it has already uncovered thousands of high-severity flaws across widely used systems, raising concerns that AI is now able to outpace the ability of organizations to fix the weaknesses it finds.
When the discovery and potential exploitation of risk accelerates this quickly, the assumptions that underpin how cyber exposure is priced and managed start to shift. How can you insure for something completely unprecedented? Is it possible to mitigate the risks of something that has never happened before? And how do we counter the speed at which it’s all happening?
Insurance is built around fortuitous risk – events that may happen, but often do not. A burglar might target your home, but most households are never affected. That balance changes if the tools to break in are widely available.
Claude Mythos points to a world where the digital equivalent of copying the keys to your house becomes far easier and more accessible. Even if access is currently restricted, the concern is that these capabilities will not remain contained for long. And if they do become widespread, insurers will be forced to reprice that risk – and in some cases, step back from covering it altogether.
Recent warnings from the UK government to business leaders reflect the level of concern. Cyberattacks have historically relied on a relatively small pool of highly skilled actors, and it’s that limited capability that has helped keep risk within manageable limits. AI’s scale and capability are beginning to change that.
We are seeing tools emerge that can identify vulnerabilities, generate ways to exploit them, and scale attacks at a speed and level of sophistication that were previously out of reach. That is potentially very scary for individuals, businesses, organizations and governments – and thus for the insurance industry as well.
The Pace of Scale
The key shift is not just more attacks, but the pace at which vulnerabilities are discovered compared with the pace at which they are fixed. AI can find and exploit flaws at a rate organizations cannot realistically patch.
That matters for insurers because insurability depends on time as much as probability. There has always been a gap between risk emerging and loss materializing, and that is what allows organizations to mitigate exposure and insurers to price it. When that window compresses, risk becomes harder to manage and harder to model.
The reaction from regulators and financial institutions suggests this is already being taken seriously. Reports of urgent discussions between UK regulators and major banks point to growing concern about the systemic implications of advanced AI models. The focus is not just on individual breaches, but on the possibility of simultaneous, large-scale events driven by shared vulnerabilities.
This is where cyber risk moves from individual incidents to a bigger systemic shock. Insurers are already sensitive to this type of exposure. Cloud outages and supply chain attacks have shown how a single point of failure can affect thousands of organizations at once – but right now, AI is accelerating it all. If the same flaw can be identified and exploited across multiple systems in near real time, the scale and synchronicity of the resulting incidents can lead to huge losses and damages. The risk is moving ahead faster than the caution.
More Sophisticated Attacks
At the same time, AI is making sophisticated attacks easier to carry out. Capabilities that once required deep technical expertise are becoming more accessible. That does not mean every organization will be targeted by the same actors, but it does mean the overall threat landscape becomes broader and more constant.
As a result, premiums are likely to rise as both the frequency and potential severity of claims increase. Policy wordings will tighten, particularly around “reasonable precautions” and the standards expected of insured businesses in managing their own security. Exclusions may expand as insurers seek to limit exposure to events that resemble systemic failures rather than insurable incidents. This means that organizations may be left unprotected against things that they cannot even imagine.
More fundamentally, some categories of cyber risk may become difficult to insure at all. Insurance works best where losses are independent and diversifiable. Where risks are highly correlated, affecting many policyholders at once, the model starts to break down. So in those cases, either capacity withdraws or cover becomes prohibitively expensive.
There is also a shift in how underwriting is likely to operate. As uncertainty increases, insurers tend to move from pricing risk to policing behavior. Greater scrutiny will be placed on how organizations manage vulnerabilities, deploy AI internally, and respond to emerging threats. The emphasis shifts from transferring risk to demonstrating that it is being actively controlled. That’s an interesting change, and not wholly a bad one – businesses should be managing their risk.
Broader Impact on Businesses
The consequences extend beyond the insurance market itself. If businesses find that certain digital risks cannot be transferred, they will need to absorb them or invest more heavily in mitigation. That has implications for innovation, particularly for smaller firms without the resources to build robust security infrastructure or self-insure against large losses.
It may also reinforce existing concentrations of power. Organizations with the capital to invest in resilience, absorb shocks, and negotiate favourable insurance terms will be streets ahead in this environment. Those without may face higher costs, reduced access to cover, or greater exposure to loss.
So what does this mean for cyber insurance? Like everything, it is evolving – although this time under quite a lot of pressure. New forms of cover may emerge, alongside greater involvement from governments in managing systemic risk, as seen in other areas where private markets struggle to carry the full burden alone.
What is clear is that the assumptions that have underpinned cyber risk for the past two decades are being tested. When the tools to identify and exploit vulnerabilities become faster, cheaper, and more widely available, the nature of that risk changes. For insurers, the challenge is therefore to adapt to a threat landscape where the nature of uncertainty is harder to define, measure and price.