In a Shifting Digital-Risk Landscape, Is Your GL Policy Leaving You Exposed?
The Shifting Landscape of Digital Risk:
For years, many businesses have operated under the assumption that their general liability (GL) policy might offer a safety net for the physical consequences of a cyber event. However, since 2014 the ground beneath our feet has been inevitably shifting. The insurance market has been moving decisively to eliminate “silent cyber” coverage, and recent changes have largely completed this shift.
The Past: A “Carve-Back” for Physical Harm
Not long ago, the standard approach was to exclude liability for most data breaches from GL policies. However, insurers often “carved back” coverage for resulting bodily injury. This meant that if a cyber-related failure led to physical harm, for instance, a hacked industrial control system causing an injury, the GL policy could still respond. This provided a limited, but necessary, scope of coverage.
The Present: The Definitive “Cyber Incident” Exclusion of 2023
Today, the safety net of “silent cyber” coverage has been decisively removed by the majority of carriers adopting Insurance Services Office (ISO), or similar, exclusionary Cyber Incident wording (CG 40 35 12 23).
Rather than simply addressing customary data breach expenses such as notification costs, credit monitoring programs, and forensic investigations, this endorsement fundamentally alters standard GL policies. It does so by critically shifting the focus from the type of information lost to the cause of the loss itself.
Using a wide-ranging definition of a “Cyber Incident” including unauthorized access, viruses, or denial-of-service attacks, this form seeks to exclude all resulting Bodily Injury, Property Damage, and Personal and Advertising Injury. The underwriting intent is no longer just to manage data risk, but to isolate and remove cyber-related losses from the GL policy entirely, establishing a clear boundary that potentially leaves businesses with a gap in cover.
Given these market shifts, companies should proactively assess operations for contingent physical damage scenarios and conduct a thorough review of their GL, Property, and Cyber policies. If this highlights meaningful coverage gaps, partnering with your broker is a proven strategy for securing tailored underwriting solutions.
The (Not so Distant) Future: Generative AI and the Next Evolution of Exclusions
In much the same way that carriers introduced exclusionary language to define the boundaries around cyber incidents, underwriters are now adopting a similar framework to address a distinct, rapidly emerging exposure: Generative AI.
To clarify that standard GL policies are not intended to cover these novel liabilities, ISO introduced new targeted endorsements in 2026:
- CG 40 47 01 26 (The Broad Exclusion):This sweeping endorsement applies to both Coverage A (Bodily Injury and Property Damage) and Coverage B (Personal and Advertising Injury). In its current form, the endorsement is drafted broadly to effectively preclude coverage for claims arising from any aspect of artificial intelligence (AI), generative AI, or large language models (LLMs). As a result, the ISO GL policy will not be positioned to respond to liabilities such as AI-generated defamation, intellectual property disputes, or third-party bodily injury stemming from AI related inaccuracies.
- CG 40 48 01 26 (The Coverage B Exclusion):A narrower endorsement targeting only Coverage B. It explicitly removes protection for claims such as defamation or copyright infringement stemming from AI-generated materials, while theoretically preserving Coverage A in limited scenarios.
- CG 35 08 01 26 (The Products-Completed Operations Exclusion): A tailored exclusion for bodily injury and property damage that arises out of generative AI solely to Products-Completed Operations Liability Coverage. By using a broad definition of generative AI, this form effectively removes coverage for scenarios where a finished product or completed work causes physical injury or property damage due to an error or output from an integrated AI system.
In the immediate term, underwriters are anticipated to prioritize applying these endorsements to sectors with high-exposure profiles, particularly technology companies, media outlets, marketing and advertising firms, as well as software developers and app publishers – however, wider adoption can also be anticipated.
Bridging the Gap: The Emergence of Standalone AI Liability Markets
In response to this widening industry coverage gap, and the traditional market’s clear reluctance to carry unpriced AI risk on GL forms, the insurance industry is beginning to innovate. Novel insurance products are starting to emerge, and we are likely to see an expansion of these dedicated solutions over the next few months and years.
Rather than relying on ambiguous coverage that is rapidly being excluded by forms like CG 40 35 and CG 40 47, these new products will look to provide a dedicated avenue to affirmatively insure third-party Generative AI claims. Specifically, these solutions are designed to respond directly to the unique exposures of the AI era, including:
- Financial loss and negligent misrepresentation resulting from AI errors
- Defamation and reputational harm
- Intellectual property (IP) infringement
- Unauthorized data disclosure
- Bodily injury or property damage
As such broad cyber exclusions and specific AI exclusions become standard across the industry, business leaders must recognize that their liability policies are no longer a viable safety net for digital risks.
What This Means for Your Business
A coverage gap may now exist where you previously had silent protection. It’s crucial for business leaders and risk managers to take proactive steps:
- Review Your Operations: Identify scenarios where a cyber event or an error from an AI tool could lead to contingent bodily injury, property damage, or significant financial loss in the physical world.
- Analyze Your Policies: Conduct a thorough review of your entire insurance portfolio, including your GL, Property, Technology E&O, and stand-alone Cyber policies, to understand how these new exclusions impact your coverage.
- Engage Your Broker: This is not a time for assumptions. A detailed discussion with your insurance broker is essential to identify any gaps and explore how your unique exposures, including those from emerging technologies, can be properly underwritten.
The evolution of cyber and AI exclusions is a critical development that all businesses must address. Ensuring your business is not left exposed requires a proactive and informed approach to your risk management strategy.