A checklist for checking AI insurance policy wording

TL;DR

Checking AI insurance policy wording means reading your cyber and professional indemnity policies against the AI tools your business actually uses, to find definitions, exclusions, or conditions that could prevent a claim from paying out. Many standard wordings define 'computer system' narrowly, exclude regulatory fines as a matter of course, and require written security procedures you may not yet have for AI. A structured read before renewal, focused on definitions, exclusions, and policy conditions, is work most owner-managed firms can do in an afternoon.

Key takeaways

- Standard cyber and PI policies often define "computer system" to cover only infrastructure the firm owns or operates, which may exclude cloud-hosted AI platforms like Copilot, ChatGPT, or Gemini.
- ICO fines and EU AI Act penalties are almost always excluded from standard policies as "fines imposed by law"; what may be covered is the defence cost of an investigation, not the fine itself.
- The UK government's 2024 Cyber Security Breaches Survey found 50% of UK businesses experienced a cyber breach or attack in the previous year; AI tools are an increasingly common entry point.
- Policy warranty clauses requiring firms to follow their written security procedures can create a claim-denial argument if staff are using AI tools not covered by any written policy.
- Before renewing, map every AI tool your firm uses, read the key definitions and exclusions, and ask your broker in writing how specific realistic scenarios would be handled under current wording.

A managing partner at a small accountancy firm spent much of last year copying client tax summaries into an AI drafting tool. No breach occurred. No client ever knew. But when she pulled out her professional indemnity policy to check what would happen if something did go wrong, she found two immediate problems. The definition of “computer system” covered systems “owned or operated” by the firm. The AI tool ran on third-party servers she had never heard of. And the policy required staff to follow all written data-handling procedures. The firm had none that mentioned AI.

The UK government’s 2024 Cyber Security Breaches Survey found 50% of UK businesses experienced a cyber breach or attack in the previous year. AI tools are a growing route into that exposure. What the accountancy partner needed was a structured read of her existing wording, a short checklist, and a broker conversation.

What does checking AI insurance policy wording actually involve?

Checking AI insurance policy wording means reading your firm’s existing cyber and professional indemnity policies against the list of AI tools your business actually uses, to find definitions, exclusions, or conditions that might prevent a claim from paying out. For an owner-managed services firm, this is a structured read-through of two or three documents, plus a broker conversation to resolve any gaps you find.

The policy types worth checking are professional indemnity and cyber insurance. Professional indemnity, sometimes called errors and omissions, covers negligence in professional services. Cyber insurance covers security incidents, data breaches, and incident response. If your firm advises clients and handles their data, you likely carry both. Before reaching for the policy, build a list of every AI tool your firm uses, what data each tool touches, and which services rely on AI output. With that list in hand, reading the policy becomes a matching exercise rather than a general browse.

Why does your current policy probably miss your AI exposure?

Many cyber and professional indemnity policies were written before generative AI became a day-to-day business tool. The definitions they use for things like “computer system” or “professional services” were drafted with traditional IT infrastructure in mind. When staff use cloud AI platforms, the data flows outside those definitions. UK broker Miller Insurance has explicitly flagged this gap, advising clients to review their terms specifically for AI-related exposures.

The NCSC has published detailed guidance on generative AI risks, flagging data leakage, prompt-injection attacks, and supply-chain risks as scenarios existing cyber controls were not designed to address. These are also scenarios that older policy wordings may not name explicitly. Beyond cyber risk, the ICO treats any AI processing of personal data as subject to standard UK GDPR obligations. Failures in that area, such as the £7.5m fine issued to Clearview AI in 2022 for unlawful biometric data collection, sit outside standard policy limits. Fines imposed by regulators are excluded in almost every standard cyber and PI policy as “penalties imposed by law.”

Where do the coverage gaps tend to appear?

The riskiest gaps in AI-related cover tend to cluster in three places: the definition of “computer system” or “IT network”, which may exclude third-party cloud platforms; the scope of “professional services”, which may not explicitly include AI-assisted outputs; and the exclusions section, where fines, intellectual property disputes, and deliberate acts can swallow scenarios that look covered on a first read.

On definitions, check whether your cyber policy’s “computer system” definition includes SaaS platforms and third-party hosted services, or restricts cover to systems you own or control directly. If the wording says “systems owned, operated or used by” the insured, you are in better shape than if it stops at “owned or operated.”

On exclusions, fines and penalties imposed by law are excluded in almost every standard policy, which means ICO enforcement action sits outside the limit. For UK services firms handling EU clients with credit scoring, recruitment, or insurance underwriting tools, the EU AI Act classifies those as high-risk systems, with penalties of up to 7% of global annual turnover or €35 million for non-compliance. That is an uninsured exposure under standard commercial wordings.

A less visible risk is shadow AI. Security and governance specialists have reported that over 70% of employees in some organisations use AI tools that have not been sanctioned by their employer. If your policy requires staff to follow written security procedures and your written procedures say nothing about AI, an insurer can argue that unsanctioned AI use was a breach of a warranty condition even before a claim arises.

When does a gap matter enough to act on?

A gap matters most when the AI scenario is realistic for your firm and the financial exposure is meaningful. If your broker confirms the wording is genuinely ambiguous, that warrants a follow-up. For firms using AI only to draft internal memos with no client data involved, the practical risk is low. For any firm using AI in client-facing work or handling personal data, the conversation should happen before the next renewal.

A useful test is to write out two or three realistic scenarios. For example: a staff member pastes client financial data into a public AI model and it leaks; an AI-assisted report contains a material error that a client acts on; an AI recruitment screening tool is alleged to discriminate. Send those to your broker and ask how the current wording would respond. If your broker cannot confirm coverage, the options are an endorsement to clarify language, adjustments to internal controls, or moving to an insurer whose form better reflects an AI-enabled business.

What else should be in place before you renew?

The wording check works best when you already know what AI your firm uses and have a short written policy governing it. Insurers are increasingly asking about this on proposal forms, and mis-disclosure can justify a claim denial under the Insurance Act 2015. A brief acceptable-use policy, a list of approved tools, and a note of which client data each tool touches will take a day and materially strengthen your position at renewal.

Two related concepts are worth having a handle on before that conversation. The first is the retroactive date on your PI policy, which sets how far back claims can reach. If AI became part of how you deliver services two years ago and your retroactive date is more recent than that, earlier work may sit outside cover. The second is vendor contracts. Major AI platforms typically disclaim liability and cap their exposure sharply in their terms. If you are promising clients outcomes that depend on those platforms, the gap between what the platform promises you and what you promise your client is risk you carry. That risk is only insurable if your PI wording explicitly addresses it.

The accountancy partner from the opening ended up with one endorsement on her PI policy and a two-page AI acceptable-use document her team actually uses. It took two broker conversations and an afternoon of internal work. The cover she has now reflects the business she actually runs. If yours does not, renewal is the moment to fix that.

Sources

- ICO (2024). AI and data protection guidance. Explains the ICO's position that AI processing of personal data is governed by UK GDPR and the Data Protection Act 2018. https://ico.org.uk/for-organisations/uk-gdpr-guidance-and-resources/artificial-intelligence/
- NCSC (2023). Large language models: guidance for organisations. Flags data leakage, prompt-injection, and supply-chain risks as AI-specific threat scenarios not addressed by older cyber controls. https://www.ncsc.gov.uk/whitepaper/large-language-models-guidance-for-organisations
- NCSC (2023). Guidelines for secure AI system development. Baseline security expectations for organisations using or deploying AI, referenced by insurers as good-practice evidence. https://www.ncsc.gov.uk/guidance/secure-ai-system-development
- Department for Science, Innovation and Technology (2024). Cyber Security Breaches Survey 2024. Reports 50% of UK businesses experienced a cyber breach or attack in the previous year, rising to 70% for medium-sized firms. https://www.gov.uk/government/statistics/cyber-security-breaches-survey-2024/cyber-security-breaches-survey-2024
- European Parliament and Council (2024). EU AI Act (Regulation 2024/1689). Classifies certain AI uses as high-risk and sets penalties of up to 7% of global turnover or €35m for non-compliance. https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX:32024R1689
- UK Government (2015). Insurance Act 2015. Governs the duty of fair presentation and the consequences of mis-disclosure on commercial insurance policies. https://www.legislation.gov.uk/ukpga/2015/4/contents
- Miller Insurance (2024). The importance of implementing an AI policy: a checklist of considerations. London specialist broker guidance on AI governance prerequisites for insurability. https://www.miller-insurance.com/articles/news-and-insights/the-importance-of-implementing-an-ai-policy-and-a-checklist-of-considerations
- Lloyd's (2022). Cyber war and cyber operation clauses. Market guidance on systemic risk exclusions affecting state-backed and large-scale cyber incidents, including potential AI-enabled events. https://www.lloyds.com/market-resources/wordings/cyber-war-and-cyber-operation-clauses
- Pinsent Masons (2023). The regulation of AI in UK insurance: an introductory guide. Legal commentary on UK regulatory expectations and EU AI Act implications for insurance and professional services. https://www.pinsentmasons.com/out-law/guides/the-regulation-of-ai-in-uk-insurance-an-introductory-guide
- NCSC (2023). Cyber Essentials overview. Baseline certification framework referenced on many commercial cyber insurance applications as evidence of minimum security controls. https://www.ncsc.gov.uk/cyberessentials/overview

Frequently asked questions

Does my existing cyber policy cover claims from AI tools like ChatGPT or Copilot?

Many standard cyber policies define "computer system" narrowly, covering only infrastructure the firm owns or operates. Cloud-hosted AI platforms may fall outside this definition unless the policy has been updated or your broker has confirmed coverage extends to third-party SaaS tools. The practical check is to read the "computer system" definition in your current wording and ask your broker in writing whether data processed via named AI tools is covered.

If the ICO fines us for an AI-related data breach, will our insurance cover it?

Fines imposed by the ICO are almost always excluded under standard cyber and professional indemnity policies as "fines and penalties imposed by law". What many policies do cover is the legal defence costs of an ICO investigation, which can run to tens of thousands of pounds. Check your policy's regulatory investigation extension carefully; some wordings include it explicitly and others do not. The fine itself remains your firm's exposure regardless of cover.

Do I need a written AI policy to keep my insurance valid?

An increasing number of cyber and PI policies include conditions requiring firms to follow their written security procedures. If your insurer asked about AI governance on a proposal form and you disclosed having a written policy, that policy needs to be real and followed in practice. Even where no formal question was asked, a documented acceptable-use policy strengthens your position at renewal and reduces the risk of a warranty-breach dispute if a claim arises.

This post is general information and education only, not legal, regulatory, financial, or other professional advice. Regulations evolve, fee benchmarks shift, and every situation is different, so please take qualified professional advice before acting on anything you read here. See the Terms of Use for the full position.
