Synopsis
Indian insurers are rethinking how they assess cyber risks. Regulators have asked them to review exposure to artificial intelligence-driven cyber threats. Traditional underwriting models may not be enough. New threats like AI-enabled phishing and deepfake fraud are evolving rapidly. Insurers are shifting to new risk assessment frameworks. This is a significant change for the industry.Listen to this article in summarized format
The Insurance Regulatory and Development Authority of India’s (IRDAI) directive has triggered an industry-wide reassessment of cyber underwriting frameworks, insurers and brokers told ET.
Threats such as AI-enabled phishing, deepfake fraud and automated malware, and systemic risks linked to shared AI and cloud infrastructure are evolving far faster than traditional cyber-risk models, built largely on historical claims data, making cyber risk harder to insure.
“The rise of generative AI is changing the nature, scale, and speed of cyber threats,” said Vishwanathan S, head of underwriting and reinsurance at SBI General Insurance. “The industry increasingly recognises that cyber underwriting must evolve from a periodic assessment exercise to a more continuous and adaptive risk evaluation framework.”
Industry executives said discussions between insurers, reinsurers and regulators on the matter have intensified over the last year, with conversations shifting from static security controls towards continuous cyber monitoring, AI governance, cloud dependencies and incident response readiness, as enterprises accelerate AI adoption.
“With generative AI, cyber risk is becoming more targeted, faster, adaptive and difficult to predict,” said Gaurav Arora, chief of commercial lines and motor underwriting and claims at ICICI Lombard.
He said the industry is increasingly worried about AI-enabled phishing, deepfake fraud, automated cyberattacks, data leakage through public AI tools, and vulnerabilities linked to third-party vendors and shared technology platforms.
Ritesh Thosani, cyber practice leader at Marsh India, said, “Given the relatively recent proliferation of generative AI, there is not sufficient loss data to precisely underwrite and price risks associated with generative AI.”
So, insurers cannot rely on traditional actuarial models when assessing emerging cyber risks.
As a result, insurers are shifting towards scenario-based modelling, stress testing and predictive risk assessment frameworks, executives said.
“We would say the models are under strain, but not broken,” said Tanuj Gulani, president of Prudent Insurance Brokers. “What generative AI does is stretch the distance between what the old claims tell you and what tomorrow’s exposure looks like.”
Gulani said reinsurers are particularly concerned about accumulation risk, where a vulnerability in a single AI model or cloud provider could trigger simultaneous cyber losses across thousands of insured enterprises.
Insurers are also beginning to seek deeper disclosures from enterprises around AI usage, governance frameworks, model oversight and employee access controls during policy renewals.
According to ICICI Lombard, the IRDAI directive has elevated AI cyber risk into a boardroom, chief investment security officer (CISO) and underwriting priority across the industry. The regulatory focus has intensified even before large-scale AI-specific insurance losses have fully emerged.
Cyber security researchers globally have flagged rising AI-led risks. A Gartner survey this year found that 62% of organisations experienced a deepfake attack over the previous year, while IBM reported that one in six data breaches involved AI-driven attack techniques.
