Reducing cyber claims severity

Governance over technology deployment

01. Adopt, monitor, and enforce cybersecurity policies.

Training employees to recognize new AI-driven attack methods is imperative in this environment. All employees should understand defenses against cyber intrusions, including multifactor authentication, and use them regularly. Company officials should also conduct incident response exercises regularly, particularly to account for the speed at which attackers can use AI to infiltrate systems and extract sensitive data.

02. Expect more questions from insurers on AI.

Companies should expect to receive increasingly detailed questions about how they use AI and what policies they have adopted to address its use when renewal time comes. How are company leaders enforcing their AI policies? Conversely, businesses can demonstrate to underwriters how they use AI to defend against cyberattacks.

03. Treat pixel tracking as a legal, governance, and insurance risk, not simply a marketing or IT function.

Limit who can approve website technologies, implement control group structures, and document that senior leadership does not knowingly authorize tracking tools without legal review. This is critical to preserving coverage and avoiding intent‑based exclusions. Companies should communicate with outside marketing agencies and website designers to understand if pixel tracking applications or other advertising technology tools are embedded in websites.

04. Treat business email compromise as a governance issue, not an IT issue.

Assign clear ownership to finance, operations, and leadership — not just cybersecurity.

Identity & access discipline

01. Strengthen identity and access controls.

Prioritize multifactor authentication, privileged access management, and credential hygiene as the most effective preventive measures.

02. Assume humans are the primary attack surface.

Invest in regular, realistic employee training focused on urgency, impersonation, and authority‑based manipulation.

03. Do not keep old data around.

Companies should adopt, maintain, and enforce retention schedules for data and dispose of old, unneeded files regularly. Keeping unnecessary data poses a significant and avoidable risk if a breach occurs.

Payment & verification controls

01. Strengthen payment controls to minimize deepfake and ransomware threats.

Require dual approvals, segregation of duties, and mandatory callback verification for payment or account change requests.

02. Do not rely on email alone for approvals.

Prohibit financial or vendor changes based solely on email or messaging instructions.

03. Map and test response workflows.

Ensure staff members know how to pause, escalate, and validate suspicious requests without penalty.

Incident response speed

01. Design for speed and pressure.

Controls must hold up during peak periods (quarter end, deals, vendor changes), when fraud risk is highest.

02. Align response, governance, and insurance for ransomware threats.

Establish clear ransom decision frameworks, engage experienced incident response partners early, and stress‑test insurance coverage and sublimits before an event.

03. Do not rely on ransom payments to resolve risk.

Payment rarely prevents data release, litigation, or regulatory action; it should not be viewed as a mitigation strategy.

04. Monitor the web for discussion about stolen data.

IT teams or third-party services should monitor the internet for mentions of stolen data offered for sale. Such mentions can be the first indication that a breach has occurred, and they are where plaintiffs’ attorneys sometimes look for litigation opportunities. Companies should engage third-party services to examine the dark web for any discussion of stolen data.

Preparing for losses

01. Prepare for business interruption losses.

Test recovery timelines realistically, including third‑party and cloud dependencies.

02. Assume data exfiltration will occur.

Plan for data theft and extortion, not just system encryption. Backups alone can no longer neutralize ransomware risk.

03. Regularly audit websites to inventory pixels, cookies, session‑replay tools, and third‑party scripts.

Apply particular scrutiny to those enabled by vendors or marketing platforms. Question whether your organization truly needs tracking tools and strongly consider eliminating unnecessary pixels to reduce exposure.

04. Pay attention to different privacy and data collection consent regulations.

Implement transparent, jurisdiction‑specific consent mechanisms and genuine opt‑in/opt‑out functionality in compliance with the most stringent regulatory regimes (particularly California).

05. Prepare for deepfake and impersonation attacks.

Update controls to assume voice and identity spoofing will be credible, not obvious.

06. Understand insurance limits and conditions for cyber incidents.

Confirm where coverage sits (usually under a crime policy rather than a cyber policy) and design controls to align with policy requirements.

07. Train employees regularly on intellectual property risks.

Employees should receive training on applicable intellectual property and copyright laws, including what constitutes fair use and what does not. They should also understand social media risks, including what actions could give rise to allegations of defamation.

08. Manage IP and defamation claims proactively.

Policyholders should immediately notify insurers and attorneys about claims or threats to initiate claims for intellectual property theft or defamation. Ignoring potential claims increases the risk of litigation and can result in a denial of coverage.

09. Establish contracts with outside marketing partners, including influencers.

Terms should clarify insurance and indemnification agreements if and when claims are made.

© 2026 Lockton Companies. All rights reserved.