Co-Published with Geoffrey Fehling and Michael Levine, Partners at Hunton Andrews Kurth

According to recent statistics, 50-75% companies today have incorporated artificial intelligence (AI) within their organization for one or more operational processes. An even greater percentage are likely unknowingly utilizing AI as the technology is quickly becoming ubiquitous across all things electronic. Insurers, apparently concerned with AI loss coming within the scope of coverage under existing coverage lines, are looking for ways to limit or exclude coverage via AI-specific exclusions and endorsements.  Most of these exclusions purport to be near absolute in scope, precluding coverage in full for any claim in any way related, directly or indirectly to the usage of any AI. While today’s proposed AI exclusions are relatively easy to bypass, since they are not yet standard in the marketplace, insurers have begun incorporating them slowly with more expected to follow suit. With the growing prevalence of (and myriad of uses for) AI, and given the breadth of AI exclusions, there is an increasing risk of directors and officers operating with unrecognized liabilities, under the false pretense that such risks are fully insured under traditional D&O liability policies. Corporate officers are also more likely to overlook them or fail to recognize their true scope given their recent emergence.

To demonstrate their problematic nature, consider the below exclusion and the issues it poses when attached to a professional liability policy.
 

The insurer will not defend any claims, based upon, attributable to, arising out of, or related to, in whole, or in part, any use of artificial intelligence, including but not limited to:

a)      Errors, omissions, or inaccuracies in the programming, functioning or decision making processes of artificial intelligence systems

b)     Bodily injury, property damage, or economic loss caused by, or resulting from the actions or decisions of artificial intelligence systems

c)      Claims related to data breaches, privacy violations, or cyber incidents caused by the use of artificial intelligence systems.

This exclusion applies to any party, including but not limited to non-insured parties, an insured, their employees, agents, contractors, or any third parties using artificial intelligence on an insured’s behalf”
 

The broad preamble to this exclusion, precluding coverage for claims “based upon, attributable to, arising out of, or related to, in whole, or in part”,  is incredibly broad and may be used by insurers to exclude coverage for claims even where the AI only played a negligible role in the wrongful act or error at issue in the claim. Moreover, AI exclusions are often not limited to usage of the insured’s own AI, but rather extend to usage of any artificial systems (including that of third parties), which is much more common in practice. In fact, an insurer seeking to enforce the broad AI exclusion above may assert that even lawsuits against a policyholder stemming from AI failures at the partner or vendor level would also be precluded by the insurance policy. This is particularly true given that the carrier has drafted the exclusion expressly to apply to “any party including, but not limited to non-insured parties”.

With healthcare practitioners increasingly relying on AI software to diagnose and treat medical conditions, financial firms utilizing AI to maximize investment returns, developers incorporating AI for projects, and virtually anyone engaged in business utilizing AI as a means of enhancing ordinary productivity, an error or failure in the “decision making process” or output can result in large financial losses (including bodily injuries and property damages). While most organizations are simply using AI to aid in their own decision making processes, exclusions like the one above do not specify that the failure be the direct result of a decision made solely by the artificial system. Instead, they can be applied to claim situations where final decisions were in fact human made.

In the context of cyber insurance, such an exclusion is problematic on a number of fronts. For one, many companies are employing cyber security systems that deploy some form of AI. Should that AI fail to detect or respond to a threat, coverage could be nullified by broad AI exclusions. Additionally, malicious actors are increasingly using AI such as deepfakes to deploy phishing attacks. Should an organization be duped into a fraudulent transfer by such a scheme, an AI exclusion could act to bar coverage.

When reviewing any AI exclusion, organizations also need to consider how the insurance policy in question defines “artificial intelligence.” What parameters are within or outside the definition?  Does it require deep learning, machine learning, neural networks and the like?  Likewise, does the definition extend to chatbots, smart client portals or document completion software?  Or is it more limited to self-learning systems performing higher level business critical operations?  Regardless of the answer, is the user of the AI – the policyholder – capable of knowing which automated systems fit the definition and which might not?  Does the insurer even know? 

There is also the concern of AI exclusions working their way into D&O liability insurance policies. As noted here, Berkley’s so-called “absolute” AI exclusion excludes:
 

“any insured’s actual or alleged statements, disclosures, or representations concerning or relating to artificial intelligence, including, but not limited to:

a)      the use, development or integration of artificial intelligence in the company’s business operations;

b)     any assessment or evaluation of threats, risks or vulnerabilities to the company’s business or operations arising from artificial intelligence, whether from customers, suppliers, competitors, regulators, or any other source; or,

c)     the company’s current or anticipated business plans, capabilities and opportunities involving artificial intelligence
 

While the future use of AI exclusions is yet to be determined as AI-specific forms and endorsements continue to enter the market, the immediate and significant exposures presented by AI are already here and are very real. There have already been a handful of lawsuits involving AI washing. While the implications of the above exclusion should be apparent to AI developers, they are equally problematic for a wide range of companies across industries. The “absolute” AI exclusion, for example, could be applied to any organization that suffers litigation as a result of simply failing to properly disclose their use of AI within its business practice, or by failing to adequately disclose to investors, any expansion into AI. That is just one example of the potential use of AI exclusions that could impact an array of companies and their directors and officers incorporating AI into their business operations.

Even in the absence of AI exclusions, organizations may still be at risk. Companies that provide professional services, for example, need to perform extra due diligence when reviewing the scope of covered services, as many professional liability policies may limit coverage solely to those being provided by natural persons, not artificial systems. Policies that are silent on whether or not tech and AI services in fact constitute professional services may lead to future coverage disputes when an AI-related claim arises. Organizations that have secured specific technology errors and omissions (E&O) insurance coverage may assume protections are already in place for any tech or software failures, including those involving AI in one form or another. However, E&O insurance policies may restrict coverage only to failures of software developed or created by the insured organization, which could limit coverage in situations where a third party’s AI malfunctions, triggering litigation against the insured. Consequently, organizations with E&O exposures and coverage should perform extremely careful reviews of any policy definitions related to “technology wrongful acts”, “technology services” and “technology products”.

Additionally, D&O liability policies also routinely contain exclusions for any claims related to the provision or failure to provide professional service. If not amended appropriately, these “professional services” exclusions can extend to preclude coverage for any resulting shareholder, derivative, or regulatory actions following suits stemming from AI failures. Other potential problematic exclusions include those for bodily injuries, property damages, and privacy violations – all of which are particularly problematic for organizations such as healthcare providers and in situations where AI may be collecting or processing personal data.

The end result? A worst-case scenario, where organizations, after structuring a perceived adequate insurance program, could be in the position of having both the lawsuit pertaining directly to an AI failure, and any resulting follow-on investor or regulator claims excluded by both E&O and D&O policies, respectively.

With the continued proliferation of AI exclusions comes a silver lining—innovative insurers seeking to capitalize on AI’s meteoric growth have begun offering affirmative AI liability insurance. These new products offer some of the first AI-specific protections for those risks, as opposed to relying on legacy protections under traditional policies.

So what should policyholders do? Start by identifying their own unique AI risk profile.  Next, carefully review all liability insurance, particularly E&O, D&O, and cyber liability insurance policies each year at renewal, paying careful attention to the application of any AI exclusions and requesting their removal, or replacing coverage with a carrier providing more appropriate terms and precise definitions. Also pay close attention to other exclusions noted above that may come into play with AI-related claims, even in the absence of a broader AI exclusion. All policies should also be re-reviewed should the organization decide to expand into AI offerings or develop their own technology. For companies with specific AI exposures, consider new affirmative AI products and whether they can fill gaps that may remain in legacy policies (with or without AI exclusions). Retaining experienced brokers, outside coverage counsel, and other risk professionals early on in that process can help identify and address issues before they become problems months or years later when an AI claim arises.