AI liability could be the new ‘superfund’ for insurance carriers

Three decades ago, many of the world's largest insurance carriers were brought to the brink of collapse by claims involving toxic substances and hazardous waste. In 1991 Lloyd's of London estimated that its investors had lost more than $11 billion over the prior four years. Other carriers were treading water as they paid out hazardous waste and Superfund clean-up costs. These losses occurred in large part because insurance policies did not exclude such risks.

A lot has changed in the past thirty years, but some aspects of the insurance business remain unchanged. An industry that was celebrated for anticipating new developments and managing risk missed the boat on environmental issues in the 1990s; environmental claims nearly tanked companies that had survived a depression and two world wars. It was a costly lesson, one from which those companies needed to learn.

A new risk

Today, many of the same carriers could be facing another potential Superfund. Artificial intelligence (AI) is the new asbestos: unseen, ubiquitous, and potentially deadly. Businesses are just beginning to grasp what it currently does and one day may do. As AI takes over more space in the computing world, claims stemming from its use are likely to become commonplace and costly to entertainment and tech companies.

This past December, the New York Times sued the makers of ChatGPT for appropriating its content to train AI systems. It was the latest volley in a growing cannonade against the use of copyrighted works for this purpose. Last summer, comedian Sarah Silverman and other authors brought copyright infringement actions against a group of key players in the AI space, including Meta. As the AI players face large verdicts, they are poring over business insurance policies that are largely silent on the subject of AI.

Most policies were drafted without factoring AI into their risk analysis. This doesn't mean that insurers have not been forward-thinking. Add-on cyber risk policies and technology errors and omissions policies would likely cover many tech-related business losses - for a significant price. These policies generally provide protection against business interruption due to digital asset loss following a cyber incident, including when an AI system is hacked or when its data is compromised, as well as third-party liability for data breaches.

Commercial general liability (CGL) policies typically have two parts: Part A, which covers physical damage to third-party property; and Part B, which covers personal injury including defamation, libel, and slander. AI currently poses a potential risk on both fronts. Traditional property policies may cover physical loss or damage attributable to AI, but courts have been mixed as to whether loss of electronic data or injury to electronic information is physical damage. Many policies these days contain an "Other Insurance" provision, whose purpose is to drive each claim to the policy intended to cover the particular risk involved. Such provisions are designed to prevent claimants from shoe-horning a product liability claim into a CGL policy.

AI claims

The risk landscape has changed significantly for businesses in the age of AI. An entirely new field of potential claims arises from AI use, and policies are just starting to address these landmines. Because entertainment policies are issued on an occurrence or claims-made basis, incidents that arose at any point during the policy term could result in a covered claim.

The ticking time bomb for insurers and insureds is so-called "silent" exposure claims. Just as in the case of toxic waste buried under property, claims stemming from the use of AI could be buried liabilities that ultimately become catastrophic. Unless the existing policy failed to specifically exclude AI-related claims, the carrier might be held responsible for paying out against another Superfund.

When AI is used to copy protected content or access private or privileged information, a standard errors and omissions policy will not account for claims by copyright holders or others whose online postings were intentionally taken and repurposed. When AI is used to write a movie script or compose background music, few - if any - policies will have tabulated the potential exposure of the production company or its backers.

Take, for example, a script written by AI that incorrectly identifies a natural person as a forger or a murderer. This is a prime example of a claim that may be subject to CGL Part B coverage. Does this represent a different risk than one written by a human being? Both insurer and insured should consider this upfront when the policy is written, rather than after the fact.

Unless these types of claims are expressly excluded from a business policy, carriers could be on the hook for payment. They must understand the scope of risk they assume when they write a policy. How much of the script was written using AI? What percentage of post-production was handled by an algorithm? Did a human being adapt or rewrite the music before it was recorded? Were humans involved in most, some, or any of the creative processes?

Assessing risk

Insurance is an intelligent gambler's game. What are the odds that something bad will happen? How does a carrier stay solvent when dealt a losing hand? Ultimately, insurance involves the study of large numbers and an understanding of potential risk. This requires a considerable amount of data - a resource in relatively short supply in the early stages of AI.

Transparency is imperative for both sides of the transaction. The policyholder is expected to disclose facts that might alert the carrier to potential risk. Was an auto policy applicant involved in a drunk-driving incident? Did a business engage in unfair trade practices? But it is not enough to ask for and rely upon information given. An applicant may not understand or appreciate the implications of a past act or omission. It may purposely hide bad facts or dissemble about them in its disclosures.

It is therefore incumbent on carriers and insureds to do their due diligence. An insurer that writes an auto policy without checking DMV records will not stay in business. The same holds true for AI. The carrier must be transparent with its policyholders, defining the scope and limits of their coverage.

AI coverage

The insurance industry is just waking up to the potential fallout from inadequate protection under their existing insurance products when faced with the novel risks posed by AI. A handful of carriers have started promoting new AI-specific insurance products, but these appear to be the exceptions and all such offerings seem to be narrowly drafted.

These include Robotics Shield by American International Group Inc. and aiSure and aiSelf from Munich Re. Marsh McLennan offers a Silent Cyber Bridge endorsement to existing policies that otherwise exclude silent cyber claims, while Lockton offers a separate Silent Cyber Property Solution for Businesses covering property damage and time losses resulting from cyber-attacks or cyber terrorism.

None of these policies would appear to cover the types of claims that might be asserted against an entertainment production company or against other businesses that are alleged to have appropriated third-party content. If and when such AI policies become available, they will likely be issued as riders to existing errors and omissions policies.

Conclusion

Given how little data is available to insurers, calculating the right risk/reward profile may be like asking a blind man to throw darts at a target. AI is evolving and learning rapidly; the current risks businesses face, at the beginning of implementation, may be very different from the risks 10 or 15 years from now. The coming years should provide a much richer pool of data on AI-related claims, but in the near term expect to see a rude awakening for a large share of the insurance industry.