Companies developing or deploying AI systems are exposed to numerous risks, such as damage claims, reputational loss, and regulatory fines, which can significantly impact investors.

How can insurance play a role in mitigating these risks and ensuring that investors are not overly exposed when investing in AI companies?

When target companies develop or deploy AI systems, we should look at insurance solutions in two parts – Warranty & Indemnity (W&I) insurance for transactional risks and cyber insurance that covers operational cyber risks.

Cyber insurance protects the company against losses due to cyber fraud, identity theft, restoration expenses, extortion costs, and other consequences of cyber-attacks, which are increasingly common.

What role does W&I insurance play in M&A transactions involving AI?

W&I insurance offers protection against financial losses arising from the discovery of unidentified risks post-completion that result in breaches of warranties.

Every M&A transaction includes elements of risk and uncertainty. Buyers and sellers negotiate extensively on allocation of unidentified risks in their agreements. Warranties are key mechanisms for allocating those risks.

In the case of target companies developing or deploying AI, warranties can extend to elements that are crucial for retaining value in the acquired business.

• For example, a warranty might assert that the business owns relevant assets, such as unencumbered intellectual property rights in the algorithm; has no undisclosed liabilities, such as pending copyright claims related to training data; and complies with laws, including data protection laws.
• Additionally, warranties can extend to claims that all material contracts are valid and enforceable, which may be particularly important for companies incorporating third-party AI in their offerings.

Today's W&I insurance policies are generally "non-recourse", meaning that any breaches are resolved directly between the affected party (the buyer) and the insurer. This approach helps reduce tension in the buyer-seller relationship.

Sellers are generally excluded from the settlement process, except in cases of fraud or claims explicitly agreed to be the sellers' responsibility. If there is a breach of warranty due to previously unknown risks, W&I insurance will cover the resulting losses, provided the applicable policy terms are met. This ensures that the buyer is compensated without needing to pursue the seller for damages.

What role does cyber insurance play in M&A transactions involving AI?

Most industries today have an element of AI embedded in their operations or service offerings, whether in healthcare, finance, automotive, or professional services. AI systems are akin to complex IT infrastructure. Businesses that operate such infrastructure are particularly exposed to a set of serious business risks, including data breaches and other cybercrimes.

Studies suggest that the costs of cybercrime have skyrocketed over the last years, and are now nearly 10 times higher than they were just five years ago.

Cyber insurance protects the company against losses due to cyber fraud, identity theft, restoration expenses, extortion costs, and other consequences of cyberattacks, which are becoming increasingly common.

How can investors assess if a target company has appropriate insurance coverage?

Today, insurance due diligence is very common, and I see it in virtually all the transactions I am involved in. This process helps investors identify any material gaps in coverage, any pending or threatened claims that need to be accounted for, and factors that could affect future insurance premiums.

Why do parties choose to purchase W&I insurance?

W&I insurance can be taken out either by the seller or by the buyer. There are different motivations for obtaining W&I insurance: 

A buyer may be concerned about the financial strength of a prospective seller and their solvency to meet post-completion obligations, leading them to seek additional coverage. Additionally, a buyer may want to maintain a good relationship with the seller who can bring vital skills and connections to the acquired business. Making claims against the insurer instead of the seller directly can help preserve those relationships.

A seller may seek a "clean exit" from their investment, meaning a sale without any remaining liabilities or obligations towards the sold business.

Private equity and venture capital sellers, in particular, need to distribute or reinvest proceeds immediately and avoid contingent liability under warranties. 

Auction sellers may attract more bidders and increase sale price by offering customary warranties with a higher cap, making the bidding environment more competitive.

W&I insurance can benefit both buyers and sellers by helping to unlock negotiations when no agreement on the allocation of risk can be reached between the parties. The W&I policy “steps into the shoes” of the seller by assuming responsibility for claims from the buyer. 

What are the differences in underwriting a W&I policy for AI service providers compared to deployers? What factors are assessed in the process?

The W&I due diligence process begins when the selected insurer gains access to the transaction data room and due diligence reports. After reviewing this information, the insurer drafts an underwriting questionnaire to address any concerns. The insurance broker then reviews and refines the questionnaire, ideally eliminating unnecessary questions to reduce the client’s workload without compromising coverage. The client then answers the remaining questions.

This general W&I due diligence process applies to both AI system providers and AI system deployers, but the insurer’s focus areas will differ for each:

• AI system providers may face a more direct risk of liability for cyber breaches compared to those who only deploy third-party AI systems. Specifically for AI system providers, insurers will regularly request a technical due diligence report from third-party IT experts. The purpose of such report is to give comfort that the backend coding and the foundational framework of the AI system function as intended before the W&I insurance policy is issued. Also, insurers often seek assurance that the client complies with data protection and intellectual property laws. To avoid liability, providers need to ensure their AI systems are trained on datasets in a manner that respects privacy and intellectual property. This involves questioning the source and legality of the training data.
• AI system deployers face similar risks, albeit often on a smaller scale than developers. For example, deployers may process personal data, but typically not as extensively as developers, who may also use personal data to train algorithms. For deployers, W&I insurers focus on the validity of third-party AI supply arrangements and ensure that the deployer has unencumbered rights to the AI output necessary for their business operations.

However, these are generalisations, and there will be many exceptions. It is crucial that each business and transaction receives a solution tailored to its specific risks.

Do W&I policies cover all AI related risks? 

A W&I insurance policy generally covers the full suite of warranties agreed to in the SPA (or APA).

W&I insurers’ starting point when underwriting businesses with any form of technology exposure is to not pick up cyber-related risks that are in excess of existing operational cyber insurances the company already has taken out.

This means that losses due to cyber fraud, identity theft, restoration expenses, extortion costs, and other consequences of cyber-attacks will only be covered up to the limit prescribed in the company's operational cyber insurance, provided it is in existence and in effect, and the W&I policy may not provide any additional coverage.

However, this is only the starting position. An experienced broker can help guide insured parties in obtaining the appropriate W&I coverage and advocate on their behalf to persuade insurers to expand their W&I coverage to include certain or all cyber-related risks.

How is the role of insurance evolving with AI advancements, and are there new products emerging to better serve this market?

As insurers gain more experience covering businesses that develop or deploy AI systems, I believe their ability to underwrite related risks and provide meaningful coverage will also improve.

We will also see insurers increasingly apply AI themselves, whether to improve customer experiences, such as through personalised policy recommendations, or to streamline their internal processes, such as with semi-automated claims processing. A few insurers have started automating parts of the W&I insurance process, particularly for transactions involving small businesses and real estate. The insurance industry’s own experiences in using AI systems may influence their readiness to cover AI-related risks.

Will insurance become a fully automated process someday? Who knows.

What I do know is that W&I underwriting, at its core, is about managing unidentified risks. It will remain highly deal- and industry-specific. And because it involves dealing with the unknown, W&I underwriting will continue to require strong judgment from everyone involved.

‍

Sandra Lee is the Chief Executive Officer of BMS Asia, a specialist insurance broker, and a corporate lawyer by training.