Some industry stakeholders say cyberattacks driven by artificial intelligence (AI) are presenting SMEs with increasing insurance coverage challenges. However, they also say the risk management advice brokers can give SMEs is an important defence against this growing threat.
“Yes, SMEs are increasingly facing challenges when it comes to insurance coverage for AI-driven attacks, such as deepfake CEO impersonations,” said Mitch Riley-Meijer (main picture). “There is growing concern among stakeholders that cyber insurance policies are struggling to keep pace with the rapid evolution of AI-driven threats.”
Riley-Meijer is Canberra-based cyber risk and incident response manager for law firm Mills Oakley.
He said while some comprehensive cyber insurance policies may cover these incidents, “many do not” and lack explicit provisions for social engineering or deepfake-related threats.
“This gap in coverage can leave SMEs vulnerable, especially as AI-generated impersonation attacks become more sophisticated and harder to detect,” said Riley-Meijer.
Other stakeholders agree.
Skye Theodorou said cybercrime was already a significant challenge for the SMB insurance industry. However, the CEO of the insurtech, upcover, said the latest AI-powered wave has kicked this trend into “overdrive.”
This increasing risk is already being reflected in claims from SME businesses.
“Perhaps we can simply say that we have paid claims arising from AI related attacks and can only expect the trend to continue to rise,” said James Crowther, head of emerging risks for Agile Underwriting Australia. Agile’s cyber offerings focus on the SME space.
Riley-Meijer said the growing accessibility of AI tools means that even low-skilled threat actors can launch highly convincing and scalable attacks.
“These tools can automate and enhance traditional cybercrime tactics — such as spear phishing —making them faster, more targeted and harder to detect,” he said. “For example, AI can generate personalised phishing emails or clone a person’s voice from a short audio clip, enabling attackers to convincingly impersonate trusted individuals.”
Riley-Meijer said these attacks are particularly dangerous because of their realism, speed, and scalability.
The Mills Oakley expert referred to a recent example.
Last year, Arup, a British design and engineering company involved in the construction of the Sydney Opera House, was targeted in a deepfake scam. One of the firm’s Hong Kong employees was deceived into paying US$25 million to fraudsters.
According to a CNN report quoting police, the worker initially suspected he had received a phishing email because it specified the need for a secret transaction.
Arup’s chief information officer, Rob Greig, said these sorts of attacks are happening more frequently than a lot of people realize.
“Organizations like mine – we are on the receiving end of attacks every week,” he said in a recent interview published on the World Economic Forum’s (WEF’s) website. “It’s really important we’re more open and transparent about this.”
Riley-Meijer suggested that part of this openness and transparency needs to involve brokers.
“Brokers play a critical role in helping clients manage this emerging risk,” he said.
The cyber expert provided three steps brokers should take with their clients:
Ensure cyber insurance policies explicitly address AI-driven threats, including deepfakes and social engineering attacks
Keep clients informed about the evolving threat landscape and the importance of proactive cyber hygiene and insurance coverage
Encourage clients to adopt strong internal controls, such as multi-factor authentication, voice verification protocols and employee training to detect and respond to AI-enabled threats.
However, Riley-Meijer said insurers will continue to face a challenging time designing and pricing cyber insurance
“The dynamic nature of cyber risk means that traditional actuarial methods — relying on historical claims data — are often inadequate,” said Riley-Meijer. “Incomplete datasets and the unpredictability of emerging threats, such as AI-generated deepfakes and synthetic identity fraud, further complicate underwriting and premium setting.”
He said some insurers have introduced AI specific endorsements but significant coverage gaps remain.
“As AI threats continue to evolve, the insurance industry will need to adapt quickly to ensure policies remain relevant, comprehensive, and accessible,” said Riley-Meijer.
Have any of your SME clients experienced a deepfake cyberattack? Please tell us about it below.
