New AI-Enhanced Cyber Attacks Increase Risks for the Uninsured

By David A. Gauntlett*

Introduction

In recent weeks, the tempo of reporting on cybercriminals’ use of artificial intelligence has only accelerated. What was once speculative commentary about AI-enabled threats has matured into detailed accounts of how threat actors are integrating generative AI into the core of their operations. With these developments, attacks are both more sophisticated and more frequent, making it a matter of “when” rather than “if” a business will be victimized. This makes robust cyber coverage more important than ever.

Respected Entities Have Warned of Increased Danger

On Jan. 20, cybersecurity firm Group-IB released a report titled “Weaponized AI: Inside the Criminal Ecosystem Fueling the Fifth Wave of Cybercrime,” describing how criminals are leveraging AI tools to automate reconnaissance, enhance phishing campaigns and refine malware. Just two days later, Unit 42 (the threat intelligence division of Palo Alto Networks) warned of a “next frontier” in which attackers use generative AI to dynamically construct malicious payloads after a victim has already visited what appears to be a benign website.

These developments are not merely technical curiosities. They foreshadow an increase in both the frequency and severity of cyber incidents. As AI lowers the barrier to entry for sophisticated attacks and shortens the time between vulnerability discovery and exploitation, businesses across industries face heightened operational risk. Inevitably, this trend will produce more insurance claims and more coverage litigation as policyholders seek indemnification for disrupted operations, lost income and extraordinary recovery expenses.

The financial stakes are significant. In its recent reporting, Munich Re observed that, in ransomware-related claims, business interruption losses constitute the largest share of overall costs. That data point underscores a crucial reality: while forensic response, legal counsel and ransom payments capture headlines, the most substantial economic damage often arises from the inability to conduct ordinary business.

What Is the Full Scope of Coverage?

Policyholders are watching closely as insurers issue initial coverage determinations in the wake of AI-enabled and other cyberattacks. Central to many of these disputes is a deceptively simple question: How long does business interruption coverage last? More specifically, does coverage extend until the insured’s business operations are fully restored, or does it end earlier, when certain technical milestones are achieved?

Insurance carriers frequently seek to truncate business income and extra expense payments as soon as computer systems are partially restored. Under this approach, once servers are back online or network connectivity is reestablished, insurers argue that the “period of restoration” has ended, even if only limited connectivity is restored. This stance is sometimes asserted regardless of whether the policy language actually ties the restoration period to the functionality of computer systems or, instead, to the resumption of business operations more broadly.

Policyholders confronting such arguments should resist them where the policy language permits. A restoration period that ends when a server pings successfully is not necessarily a restoration of business. In many instances, technical availability is only the first step in a lengthy process of operational normalization. Careful attention to policy wording, coupled with a fact-intensive understanding of post-incident realities, can mean the difference between partial and full recovery.

Why the Period of Restoration Matters

After a ransomware event or other cyberattack, the insured’s central concern is often how quickly it can resume normal operations. From an insurance perspective, however, the more nuanced issue is how long business interruption coverage applies. Does the policy pay for losses only during the time the network is down? Or does it cover the broader period during which the business as a whole is impaired?

Policies with broader wording typically define the restoration period as beginning when the insured’s business operations are interrupted and continuing for a specified number of days, such as 60, 120, or 180 days, or until operations are restored, whichever occurs first. This formulation recognizes that the economic consequences of a cyber event extend beyond the physical repair of hardware or the reinstallation of software. It ties coverage to the commercial reality of disruption.

By contrast, narrower forms define the period of restoration in terms of when the computer system is repaired, replaced or restored—sometimes adding the phrase “or could have been restored.” Under these provisions, insurers often assert that the coverage window closes once systems are technically functional, even if sales pipelines remain stalled, production schedules lag or customer-facing portals operate inconsistently.

The difference between these approaches is substantive, not merely semantic. An operations-focused trigger acknowledges that a business is an ecosystem. Servers, databases and applications are tools that enable revenue generation, but they are not synonymous with it. A company may have restored its email server and enterprise resource planning system, yet still face weeks or months of backlog clearance, customer attrition, regulatory review or vendor re-onboarding.

The Problem with Engineering Milestones as Coverage Cutoffs

When insurers equate restoration with technical functionality, they effectively convert an operational problem into an engineering milestone. Once IT professionals declare systems operational, insurers may deem their payment obligations complete. This reasoning overlooks several practical realities.

First, system availability does not guarantee system reliability. After a cyberattack, businesses frequently undertake data validation, reconciliation and integrity checks to ensure that restored information is accurate and uncompromised. These efforts can slow throughput and limit transaction volume, reducing revenue even while systems appear “up.”

Second, organizations often implement enhanced security controls before fully reopening digital channels. Multifactor authentication resets, password rotations, endpoint hardening and network segmentation can require user retraining and temporary workflow modifications. These necessary safeguards may dampen productivity during the ramp-up period.

Third, third-party dependencies complicate recovery. Vendors, payment processors and customers may require assurance in the form of certifications or attestations before reconnecting interfaces or resuming automated integrations. Until these external relationships are reestablished, revenue streams may remain constrained.

Fourth, the inclusion of “could have been restored” language invites hindsight analysis divorced from real-world constraints. Insurers may argue that, in theory, systems could have been rebuilt more quickly, ignoring supply chain limitations, labor shortages, forensic sequencing requirements or the insured’s reasonable decision to prioritize data integrity over speed. Such theoretical timelines should not override documented operational realities.

Policy Language Should Control

Insurance law in many jurisdictions holds that courts must enforce policy language as written. If an insurer wished to limit coverage to the period of network repair, it could have drafted the policy accordingly. Where it instead tied the restoration period to the interruption of business operations, it should not be permitted to reinterpret that broader wording as though narrower terms had been used.

This principle has practical implications. When a policy defines the period of restoration by reference to business operations, coverage should extend until those operations are no longer interrupted (i.e., until the insured has returned, as nearly as practicable, to its pre-incident level of performance). Partial technical restoration does not necessarily satisfy that standard.

Nevertheless, policyholders should not assume that broader language will automatically yield broader payments. In many claims, insurers retain forensic accounting firms to calculate business income losses and extra expenses. These firms may, explicitly or implicitly, limit the loss period to the time during which systems were completely offline. If their analysis truncates the restoration window based on network uptime rather than operational recovery, policyholders should scrutinize and, where appropriate, challenge that methodology.

The Reality of Post-Restoration Loss

Cyber incidents rarely conclude the moment a data center dashboard turns green. Even after core systems are restored, companies often face extended ramp-up periods. Order backlogs must be processed. Service-level agreements must be re-baselined. Customer trust must be rebuilt. In regulated industries, reporting obligations and compliance reviews may further delay normalization.

Manual workarounds adopted during the outage can depress margins. Employees working from spreadsheets or paper processes may generate errors requiring later correction. Overtime and temporary staffing increase costs. Meanwhile, competitors may capitalize on the disruption, capturing market share that is not immediately recoverable.

All of these effects stem from the same cyber event that triggered the initial outage. They are part of a continuum of loss. A restoration period that ignores these realities risks under-indemnifying the insured for the true economic impact of the attack.

Conclusion

As AI-enhanced cyber threats proliferate, disputes over business interruption coverage are likely to intensify. The central question is whether cyber insurance indemnifies the period during which the business suffers, or merely the period during which the network malfunctions.

Policies with operations-focused language begin the restoration period when business operations are actually and necessarily interrupted and end it when those operations are restored in a practical, sustainable sense. Narrower policies that hinge on network repair (especially those invoking what “could have been” done) risk truncating coverage in ways that fail to reflect commercial reality.

Even where policy language appears favorable, policyholders should carefully review insurers’ loss calculations to ensure that the restoration period aligns with the contract’s terms and with the lived experience of recovery. In the evolving landscape of AI-driven cybercrime, precision in both drafting and claims handling will determine whether insurance fulfills its fundamental promise: to make the insured whole after a covered loss.

 

 

*David A. Gauntlett is a principal of Gauntlett Law and represents policyholders in insurance coverage disputes regarding intellectual property, antitrust, and business tort claims, as well as in the underlying actions. Mr. Gauntlett can be reached at (949) 514-5662 or dag@gauntlettlaw.com. For more information, visit Gauntlett Law at www.gauntlettlaw.com.
