How to review an AI insurance policy for SME risks

TL;DR

Standard UK SME cyber and professional indemnity policies may respond to AI incidents without mentioning AI by name, but cover depends on how existing terms are defined and whether your AI use meets policy conditions. A practical review maps each AI use case to specific insuring clauses, checks key exclusions, and prepares the governance documents that both regulators and insurers now expect.

Key takeaways

- Standard UK cyber, PI, and tech errors and omissions policies may cover AI incidents without naming AI, but coverage depends on how terms like "computer systems" and "professional services" are defined in the wording.
- AI risk falls into four categories: privacy exposure from public AI tool use, security risk from AI integrations, liability for AI-generated outputs, and operational disruption if a critical vendor fails.
- Four exclusions frequently appear in AI-related claims disputes: reasonable precautions clauses, contractual liability exclusions, uninsurable regulatory fines, and systemic cyber war exclusions introduced across the Lloyd's market from 2023.
- The ICO's DPIA requirement and NCSC Cyber Essentials are increasingly referenced by insurers at underwriting; documented AI governance strengthens your position on both cover and price.
- A practical review starts with listing every AI dependency, maps each to a risk category, then walks each scenario with your broker pointing to the specific clause expected to respond.

Six months into using an AI assistant, the owner of a small professional services firm has an experience many will recognise. Things run smoothly, client work gets out faster, and nothing has gone wrong. Then a colleague mentions that their insurer declined a claim after a staff member fed client data into a public AI tool. The policy required reasonable precautions. Using an uncontrolled public tool for sensitive data hadn’t met that standard.

Many owners can’t say clearly what their policy would cover. The wordings predate AI as a normal business tool and are often silent on it. A methodical review tells you where you stand.

What does reviewing an AI insurance policy actually cover?

Reviewing an AI insurance policy means checking whether your existing professional indemnity, cyber, and tech errors and omissions cover actually responds to AI-related incidents. UK SME policies rarely mention AI by name. Coverage depends on how terms like “computer systems”, “software”, and “professional services” are defined in the wording. A review maps your specific AI use cases to each insuring clause and identifies where you have genuine cover and where you don’t.

Specialist underwriters including CFC Underwriting and Beazley have begun adding AI elements to technology and cyber products, covering IP disputes from AI-generated outputs, regulatory investigations, and AI-caused system failures. Marsh reported in 2024 that these are mostly add-ons to existing professional indemnity, tech errors and omissions, and cyber policies, not standalone products. For an owner-operated firm, what’s available is an endorsement to an existing policy, not a separate AI insurance market.

The practical starting point: before you speak to your broker, write a short paragraph describing what you believe you’re insuring. Something like: losses if an AI assistant leaks client data, produces negligent advice, or goes offline for 48 hours. Then check whether each of those scenarios appears in your cyber section, your professional indemnity section, or your media and IP cover. If you can’t find a match, you have a gap worth discussing.

Why does standard cover leave gaps when AI is involved?

Standard policies were written before AI became a normal part of running a small business. The gaps appear in four places: privacy exposure when staff paste client data into public AI tools, security risk from AI integrations, liability when AI-generated advice turns out to be wrong, and operational disruption if a critical AI vendor goes offline. Each sits in a different policy section, and not all sections will respond.

On privacy, the ICO has confirmed that data protection law applies when organisations use AI to process personal data, and that an unlawful or insecure AI transfer is treated as a UK GDPR breach. Your cyber policy’s privacy liability section is typically what responds, but only if the incident fits the defined trigger. On security, the NCSC advises firms to treat AI systems as high-value assets and warns of prompt injection and data exfiltration risks when third-party AI APIs connect to internal systems.

On liability for outputs, AI produces false or misleading content with more regularity than users expect. If a client relies on AI-generated advice and suffers a financial loss, professional indemnity or errors and omissions cover is the relevant section. On operational disruption, Hiscox’s 2024 Cyber Readiness Report found the median cost of a single cyber incident for small businesses was approximately £13,000, including recovery and lost income. If an AI tool embedded in your workflow goes down, business interruption cover triggered by a system failure is what you’d look to.

Where are the exclusions that regularly catch SMEs out?

Four exclusions appear repeatedly in AI-related claims disputes. Reasonable precautions clauses can void cover if staff routinely put sensitive data into public tools without documented controls. Contractual liability exclusions can strip protection if you have promised clients specific AI performance. Regulatory fines for UK GDPR breaches are typically uninsurable under English law. Systemic cyber exclusions introduced across the Lloyd’s market from 2023 may apply to large-scale AI platform failures.

On reasonable precautions: many cyber policies require the firm to take reasonable steps to protect data and to comply with data protection law. Legal analysis suggests insurers may argue that systematic, undocumented use of a public AI tool for sensitive client data breaches these conditions, particularly where the firm had access to ICO guidance and chose not to follow it. The fix is straightforward: a written AI acceptable use policy covering which tools are permitted, what data may go in, and what human checks are required.

On contractual performance: if your firm promises clients specific outcomes from AI use, the contractual liability exclusion in PI policies may apply if things go wrong. Insurers cover professional skill and care, not obligations you’ve taken on contractually beyond that standard.

On regulatory fines: the ICO can issue fines of up to £17.5 million or 4% of annual worldwide turnover for serious UK GDPR breaches. Under English law, penal fines are generally uninsurable, so cyber and PI policies typically cover only defence costs. The more cost-effective protection is documented risk management that reduces the likelihood of a breach.

When do UK regulatory requirements affect what your policy needs?

UK regulators treat AI as part of your existing legal obligations, which affects insurance directly. The ICO requires a Data Protection Impact Assessment where AI processes personal data at high risk to individuals, and having one documented is increasingly cited as evidence of due care in both regulatory investigations and insurance claims. If you operate in financial services, the FCA’s Consumer Duty is another layer that underwriters are starting to ask about.

The ICO’s enforcement history makes the DPIA requirement concrete rather than advisory. In 2020 it issued an enforcement notice against Experian’s marketing analytics operation for opaque data profiling that breached GDPR transparency and fairness duties. The case is frequently cited by legal advisers as a warning that undocumented AI processing creates both regulatory and insurance exposure simultaneously.

The NCSC published Guidelines for Securing AI Systems in 2024, covering model security, supply-chain risk, and incident response. Insurers increasingly reference NCSC Cyber Essentials compliance when assessing SME proposals, and some are beginning to incorporate the AI guidelines as a benchmark at renewal. For financial services firms, the FCA’s Consumer Duty links the obligation to avoid foreseeable harm to documented AI governance including model bias controls.

Before your next renewal, prepare three documents and share them with your broker: an AI acceptable use policy covering which tools are permitted and what staff may input; a brief risk register or DPIA for your higher-risk AI uses; and an updated incident response plan with AI-specific scenarios included. These provide evidence of due care to both the regulator and the insurer, and give your broker something concrete to negotiate with when approaching the market.

What does a practical review sequence look like?

Start by listing every AI tool your business uses, including SaaS products with AI built in. For each one, note what data goes in, what output comes out, and what happens if it goes wrong or stops working. Then pull your cyber, professional indemnity, and tech errors and omissions policies and walk each scenario through with your broker, asking for the specific clause that would respond.

The review works in five steps. First, list AI dependencies: internal tools such as Microsoft Copilot, external tools where client data is input, AI embedded in your CRM or marketing platform, and AI used directly in client deliverables. Second, classify the risk: privacy exposure if personal data goes in, security risk if the tool connects to internal systems, liability if AI output influences client decisions, operational exposure if you cannot trade without it.

Third, pull all relevant policy documents, including cyber, professional indemnity, tech errors and omissions, management liability, and any media or IP cover you carry. Fourth, walk each scenario with your broker and ask four questions: where exactly is this covered; what is the limit and sub-limit; what exclusions could apply; and what conditions must be met for cover to respond. Fifth, close gaps through endorsements where your broker can arrange them, or through operational changes where cover isn’t available at a sensible price. Banning personal client data from public AI tools, for example, removes a significant category of exposure without touching the policy at all.

If you’d like to work through how your AI use maps to your existing cover, book a conversation.

Sources

- Information Commissioner's Office (2023). Guidance on artificial intelligence and data protection. UK regulator position that data protection law applies when organisations use AI to process personal data and that accountability under UK GDPR remains with the organisation. https://ico.org.uk/for-organisations/guidance-index-and-tools/guidance-on-artificial-intelligence-and-data-protection/
- Information Commissioner's Office (2023). Generative AI: guidance for organisations. Regulator position on processing personal data through public AI tools, relevant to cyber cover conditions and reasonable precautions clauses. https://ico.org.uk/for-organisations/uk-gdpr-guidance-and-resources/artificial-intelligence/generative-ai/
- NCSC (2024). Guidelines for Securing AI Systems. Cross-government guidance on model security, supply-chain risk, and incident response; increasingly referenced by insurers assessing SME cyber proposals and pricing. https://www.ncsc.gov.uk/whitepaper/guidelines-securing-ai-systems
- Information Commissioner's Office (2020). Enforcement notice against Experian regarding data analytics and marketing profiling. Leading UK case that opaque algorithmic profiling breaches GDPR transparency and fairness duties; frequently cited in AI governance and insurance contexts. https://ico.org.uk/about-the-ico/media-centre/news-and-blogs/2020/10/ico-publishes-findings-in-relation-to-data-broking-with-enforcement-action-against-experian/
- Financial Conduct Authority (2022). Discussion Paper DP5/22: artificial intelligence and machine learning. FCA expectations on firm accountability for AI outcomes including outsourced arrangements, referenced in Consumer Duty governance requirements. https://www.fca.org.uk/publication/discussion/dp5-22.pdf
- Marsh (2024). AI and risk: what boards need to know. London Market analysis that AI-related endorsements are predominantly add-ons to existing professional indemnity, errors and omissions, and cyber policies rather than standalone products. https://www.marsh.com/uk/insights/research/ai-and-risk-what-boards-need-to-know.html
- Hiscox (2024). Cyber Readiness Report 2024. Median cost of a single cyber incident for small businesses approximately £13,000 including recovery and lost income; illustrates the scale of operational exposure that AI-related incidents can trigger. https://www.hiscoxgroup.com/sites/group/files/documents/2024-03/hiscox_cyber_readiness_report_2024.pdf
- Aviva (2023). Risk Insights Report 2023. Twenty-six percent of UK SMEs rate cyber as a major risk, with downtime the most feared consequence; contextualises AI-linked disruption within broader SME risk priorities. https://www.aviva.co.uk/aviva-edit/smarter-business/2023-risk-insights-report/
- Herbert Smith Freehills (2023). New cyber war and systemic risk exclusions in the Lloyd's market. Analysis of the Lloyd's Market Association cyber exclusion clauses introduced from 2023 and potential implications for claims involving compromised AI platforms. https://www.herbertsmithfreehills.com/latest-thinking/new-cyber-war-and-systemic-risk-exclusions-in-the-lloyds-market
- Beale & Co (2023). UK Government AI Playbook: implications for construction and insurance professionals. Legal analysis of policy wording gaps and where insurers may resist cover for contractual AI performance promises beyond ordinary professional skill. https://beale-law.com/article/uk-government-launches-ai-playbook-what-it-means-for-construction-and-insurance-professionals/

Frequently asked questions

Does my standard cyber policy cover AI-related incidents?

Many UK cyber policies will respond to AI-related incidents if the underlying trigger is a data breach, network failure, or business interruption, even without mentioning AI explicitly. Coverage depends on how the policy defines "computer systems" and "software", and whether your AI use complies with the policy's conditions, including taking reasonable steps to protect data. A review with your broker, mapping each AI scenario to a specific insuring clause, is the only reliable way to confirm.

Can my insurer refuse a claim if a staff member pasted client data into a public AI tool?

Possibly, if the policy has a reasonable precautions condition. Insurers can argue that systematic, unmanaged use of a public AI tool for sensitive data breaches the policy's duty to protect information, especially where the firm had access to ICO guidance and chose not to follow it. The practical protection is a written AI acceptable use policy confirming which tools staff may use and what data they may input, kept on file before any claim arises.

What three documents should an SME prepare before AI insurance renewal?

An AI acceptable use policy listing approved tools, permitted data inputs, and required human checks. A brief risk register or Data Protection Impact Assessment covering your higher-risk AI uses, per ICO guidance. An updated incident response plan that includes AI-specific scenarios such as a prompt injection data leak, faulty AI advice given to a client, or a critical AI vendor going offline. Share all three with your broker before negotiating terms.

This post is general information and education only, not legal, regulatory, financial, or other professional advice. Regulations evolve, fee benchmarks shift, and every situation is different, so please take qualified professional advice before acting on anything you read here. See the Terms of Use for the full position.

Ready to talk it through?

Book a free 30 minute conversation. No pitch, no pressure, just a useful chat about where AI fits in your business.
