AI Is Changing the Nature of Cyber Insurance and Digital Risks Against Small Businesses

How AI Changes Cyber Risk & Insurance Protection for SMEs  

The biggest AI risks for today’s small businesses are the ones that blend into everyday workflows and spread through the tools and vendors you rely on, said Ray Moylan, US Claims Manager.  

AI driven threats SMEs should watch for in 2026:  

AI phishing and deepfakes are harder to spot. Deepfake fraud losses in North America exceeded $200 million in the first quarter of 2025 and recently, Microsoft reported AI phishing emails get 54% click through rates versus 12% for standard attempts. With people fooled by deepfakes more than 75% of the time, relying on an employee to catch a scam in the moment is not enough.  

AI enables automated, large scale cyberattacks. Anthropic recently reported a global AI-enabled cyberattack where AI handled most of the activity at a pace no human could sustain. This means more attempts with less effort and more SMEs caught in the volume.

New risk is showing up inside AI tools. OpenAI has warned about prompt injection, where hidden instructions in content can manipulate an AI system into doing something unintended, including exposing your data. Despite 72% of American companies integrating AI into their business functions, only 20% are confident in securing Generative AI, while 99% report that sensitive data is exposed to AI tools. 

Supply chain exposure grows as vendors adopt AI. More than 75% of organizations suffered a cyberattack linked to their supply chain in the past year, according to a Blackberry survey. In fact, third-party involvement in data breachesdoubled to 30% this year, underscoring growing supply chain risks. When your vendors adopt AI capabilities or fall victim to a cyber breach, their security posture affects yours. 

“Protecting your business means cyber insurance should strengthen cyber readiness, not just reimburse losses,” Moylan says. “That’s why so much of what we do focuses on helping small businesses proactively predict and prevent losses in the first place. Our BOXX HackbustersÒ team provides 24/7 monitoring and containment, preventing over 80% of incidents before they ever become claims.”  

Why Cyber Insurance Wording Matters in the AI Era

AI is changing how losses happen. Some losses are tied to ransomware and fraud. Some are operational, tied to outages and vendor disruption. And some are liability driven, especially for tech firms building or deploying AI. 

“When policy language isn’t continuously updated to reflect the rapidly changing threat environment, gaps can form quickly in a previously solid insurance program before raising a red flag” says Moylan. 

BOXX recently added two new policy endorsements within its commercial cyber solution, Cyberboxx® Business, designed to address how cyber losses play out today. 

This includes First Party Each and Every Loss, which reinstates first party insuring agreement limits after each cyber incident with no aggregate. 

For Financial Crime and Fraud Insuring Agreements, BOXX pays four times the amount of the aggregate.

It also includes Outsourced Provider Amendatory, which expands coverage beyond tech providers and business services to also include product suppliers, with contingent business interruption coverage for the full supply chain.   

For small businesses, this matters because cyber incidents often aren’t one and done. A phishing hit can turn into mailbox compromise, fraud and a privacy breach, or you can get targeted again while you’re still recovering.   

“If your first party policy limits are exhausted after the first event, you may be left financially exposed for the next loss. First party limits that reinstate after each loss help ensure you still have protection and expert support when you need it most, not just for a single unfortunately incident,” Tifft says.  

For technology SMEs facing added exposures, BOXX’s new Tech E&O coverage is designed for modern professional liability exposures, where traditional policies can lag behind. It explicitly addresses emerging risks like AI and LLM related errors, data poisoning and technology discrimination – an area many policies do not clearly cover. It’s built for how tech companies get hit today, with protection for social engineering scams that target key people and other updates that close common E&O gaps as customer and regulatory expectations climb. 

“It’s essential to have the right provider for your Tech E&O and cyber insurance program,” Tifft says. “It can mean the difference between having adequate coverage if an attack happens or dated coverage that doesn’t address the types of digital risks that are prevalent today.”  

How SMEs Can Reduce AI–driven Cyber Risks 

Make verification the default
 
AI impersonation works when speed wins. Slow it down by a verification process using a known number on file, requiring a second approval for high value changes and confirming new instructions outside email.   

Set clear boundaries for AI tools
Treat connected AI like a new employee with access. Limit what it can see, use least privilege accounts, log activity and keep sensitive client data out unless it’s required and approved.  

Limit the damage if credentials get exposed
AI can crack most common passwords in under one minute. Turn on Multi-Factor Authentication, use a password manager to prevent reuse, remove unnecessary admin access and keep backups isolated so ransomware can’t reach them.  

Add early warning with Attack Surface and Dark Web Monitoring 
Attack Surface Management helps you spot exposed systems and misconfigurations before attackers do. Dark Web Monitoring helps you catch leaked credentials tied to your domain early, so you can reset access fast.  

Decide your response plan before you need it 
When an incident hits, time is your enemy. Know who to call first and what information you’ll need for your insurer, regulators and customers. This is where cyber insurance can shift from reimbursement to real-time help, depending on the policy and the support that comes with it.  

Review Your Cyber Insurance Policy Today  
AI has changed cyber risk for American SMEs. The question is whether your coverage has kept pace. 

Reducing exposure means treating insurance as an essential part of your cyber resilience strategy. Small businesses need the right coverage that reflects how modern losses happen, with support that helps you predict, prevent, respond and recover when you need it most.

If your cyber insurance policy has not been reviewed with AI-driven threats in mind, now is the right time to revisit it.