AI and Cyber Risk: Why the human factor still matters

Our services

We advise businesses in all sectors, and have particular expertise in hospitality, technology, property, healthcare, transport-logistics, food delivery and more.

Running your business and keeping it on track is your key to success, but every now and again things can go wrong. Verlingue can help you access the right insurance tailored to your unique business needs.

Employee Benefits

Verlingue, as your expert insurance broker, understands the strategic value of Employee Benefits. We design programs that are considered, affordable, and sustainable, empowering businesses to attract, reward, and retain the exceptional employees essential for prosperity.

The human factor has not gone away

Artificial Intelligence is changing cyber risk, but not always in the way most people expect. For all the discussion around AI and cyber risk, one thing has not really changed. Most cyber losses still start with a person. Across claims, there is a consistent pattern - phishing emails, payment diversion, impersonation and social engineering.

However sophisticated the attack appears on the surface, the root cause is often the same - someone has been manipulated into making the wrong decision. That human element is not incidental, and in many cases, it is the central driver of loss.

When reflecting on cyber incidents and claims, the weak point was never the system; it has always been the decision from your front line of defence.

AI does not change that dynamic. It amplifies it.

AI is making manipulation more effective

What previously relied on poor grammar, generic messaging or basic spoofing is now being replaced by highly convincing, context-aware interactions. Emails read naturally, messages reflect genuine business relationships and tone, timing and context are often closely aligned to real activity. In some cases, voices and identities can even be replicated with a level of realism that removes many of the warning signs organisations have traditionally relied upon.

This is already feeding into the types of incidents seen across cyber claims, particularly in areas such as payment diversion and impersonation fraud. In addition to this, there have already been a number of deepfake-enabled payment diversion cases which demonstrate just how difficult these losses can be to identify in real-time;

A finance employee may receive a request from a known supplier advising of updated bank details. The message references genuine transactions and uses familiar language. The request is followed. Payment is made. The issue is only identified later, once funds have been misdirected.
In another scenario, an employee receives a call appearing to come from a senior colleague, requesting urgent action on a transaction. The tone feels right and the context makes sense. Even where two step verification processes are in place, the instruction is ultimately followed.

Only later does it become clear that, in both scenarios, the requests were fraudulent, made significantly more convincing using AI-enabled impersonation techniques. In practice, the entry point into a loss has not really changed. What has changed is how effective that entry point now is.

From system compromise to decision manipulation

Traditionally, cyber incidents have been framed around system compromise. Network breaches, unauthorised access or malicious code execution. Controls, underwriting assessments and policy structures have largely developed around that model. In reality, this is where things have started to shift.

Cyber Risk Management

Over the last few years, losses are not solely being driven by systems failing. Increasingly, they are linked to decisions being manipulated or influenced.

In some cases, systems appear to operate exactly as intended, outputs are generated, processes are followed, no alerts are triggered and from a technical perspective, everything looks normal. However, the underlying inputs or context may have been influenced in a way that leads to the wrong outcome.

An internal team might rely on automated outputs to validate or prioritise an action. The process completes without issue. The decision appears reasonable at the time. The loss only becomes clear later.

This is not unusual. It reflects patterns already being seen across a range of cyber claims.

What is interesting here is that the issue is no longer simply whether systems have been compromised, but whether the information driving decisions can be trusted in the first place.

The growing challenge for cyber insurance and claims

This shift has direct implications for how cyber risk is understood and insured. More convincing attacks are likely to lead to higher success rates, particularly in social engineering and fraud-related incidents.

At the same time, they introduce greater ambiguity into how losses are assessed and categorised. From a claims perspective, this is where things become more complex.

Key questions begin to surface:

Was the loss caused by a cyber incident or a business decision?
Were controls genuinely inadequate, or was the attack simply more sophisticated than expected?
To what extent can an organisation reasonably defend against this type of manipulation?

These questions are not entirely new, but AI is making them more difficult to answer with certainty. There is also the issue of visibility.

Technical compromises tend to leave behind evidence such as logs, alerts and indicators of suspicious activity - manipulated decisions often do not.

Systems continue to function as expected, but the outcome is wrong. That distinction matters, particularly when it comes to both investigation and coverage assessment.

A shift towards less visible cyber risk

What this ultimately points to is a broader shift in the nature of cyber risk. The risk is moving, at least in part, from system failure to outcome failure. The technology operates as designed, but the outcome is compromised through manipulation or distorted inputs.

This type of exposure is more subtle. It can be harder to detect, harder to evidence and, in some cases, harder to attribute clearly to a single cause.

For insurers, this creates pressure in several areas:

Defining what constitutes a cyber event
Maintaining clarity around coverage boundaries
Assessing the effectiveness of controls in an environment where threats are becoming more adaptive

Arguably, this is where traditional approaches to cyber risk start to feel less well-aligned.

Closing thoughts

Whilst AI is introducing some new categories of cyber loss, in many respects it is accelerating trends that already existed, particularly the reliance on human judgement as a point of vulnerability. By making manipulation more scalable, more targeted and significantly more believable, it increases both the likelihood of those failures and the difficulty in identifying and categorising them.

For cyber insurance, the challenge is not just an increase in cyber risk. It is the emergence of less visible, less easily defined risk, built on the same human behaviours that have always sat at the centre of cyber claims.

In reality, this is something the market is only just starting to grapple, and there has not yet been a clear or consistent market response. However, as with most emerging risks, the industry tends to react over time rather than anticipate. This is likely to be another area where understanding and, ultimately, insurance solutions develop as loss patterns become more established.

Cyber and Data Protection Insurance