Cloud Outages, AI Fraud, and Supply Chain Attacks: The New Cyber Claims Frontier

The cyber insurance claims landscape has always been dominated by two categories: ransomware and business email compromise. Together they account for over 60% of all claims by volume and an even larger share of incurred losses. But the claims mix is shifting. Five emerging categories are reshaping what brokers and underwriters need to watch in 2026 and beyond.

None of these are hypothetical. Each has already produced real claims — and real coverage disputes.

1. Non-Malicious Cloud Outages

On July 19, 2024, CrowdStrike pushed a faulty Falcon sensor update to 8.5 million Windows devices worldwide. Airlines grounded flights. Hospitals delayed surgeries. Rail networks stalled. Retailers went dark. It was not a cyber attack. It was a software defect.

Financial Times estimated insurer losses at potentially over $1 billion. The CrowdStrike incident forced the industry to confront a question most policies had not been designed to answer: does a non-malicious IT failure trigger cyber coverage?

Many policies require a “cyber event” — typically defined as a malicious attack — as a coverage trigger. CrowdStrike-style failures may fall into a gray area between cyber policies, technology errors and omissions policies, and property policies. Contingent BI coverage varies significantly. Many policies have 12-hour or longer waiting periods that eliminate smaller outage claims entirely.

Beazley warned in December 2025 that “2026 could be the year a major business suffers long-term damage or even failure from an outage caused by a cyber attack.” The Jaguar Land Rover hack in August 2025 proved the point: nearly six weeks of production shutdown, £1.9 billion cost to the UK economy, and over 5,000 downstream organizations affected.

Munich Re’s data shows a 3:1 ratio of malicious to non-malicious cyber claims — but non-malicious events are gaining significance in both frequency and severity.

The broker action item

Review whether policies cover non-malicious IT failures affirmatively. Do not assume. Many policies silent on this point, and silence does not equal coverage. Ask carriers to confirm in writing whether software defects, configuration errors, and update failures trigger BI and incident response coverage.

2. AI-Enabled Fraud and Deepfake Claims

The FBI’s Internet Crime Complaint Center published its first-ever dedicated section on AI as a cybercrime tool in 2025. The data is striking:

• $893 million in confirmed AI-enabled fraud losses (conservative — real figure likely much higher)
• $3.5 billion in total AI-enabled losses (FBI estimate)
• 3,000% increase in deepfake fraud attempts since 2023
• 54% success rate for AI-generated phishing vs. 12% for traditional attempts

The claims implications go beyond bigger losses. They challenge fundamental policy definitions.

When a finance employee at a multinational company joined a deepfake video call and saw what appeared to be the CFO and several colleagues on screen, they wired $25 million to accounts controlled by the attacker. The entire interaction was AI-generated — the faces, the voices, the mannerisms.

In traditional BEC, there is usually a discernible email trail. In deepfake fraud, the attack may happen entirely over voice or video — leaving minimal forensic evidence. This creates several coverage questions:

Voluntary parting exclusion. If an employee transfers funds using legitimate systems and credentials, some carriers argue the loss falls under “voluntary parting” — the employee chose to send the money, even if they were deceived. This exclusion was written for physical goods, not wire transfers induced by AI-generated executives.

Cyber vs. crime policy territory. If no network intrusion occurred, the loss may not trigger cyber coverage. It may fall under a crime policy — if the client has one. Many organizations carry cyber insurance but no separate crime policy, creating a coverage gap.

Social engineering sublimits. Policies typically cap social engineering losses at $250,000 on a $1M+ policy. Average deepfake incident costs are now around $500,000 — double the typical sublimit. The $25 million case above would exhaust most standalone cyber policies many times over.

The broker action item

• Verify that “fraudulent instruction” definitions cover AI-generated voice and video, not just email
• Check whether social engineering sublimits are adequate for $500K+ average deepfake losses
• Confirm whether the policy requires a network intrusion trigger (many do) and whether social engineering losses bypass this requirement
• Ensure clients have either comprehensive crime coverage or affirmative deepfake/social engineering coverage in their cyber policy

3. NIS2 and DORA Regulatory Fine Claims

NIS2 and DORA create a new category of insurable (and potentially uninsurable) loss: regulatory fines. The scale is significant.

GDPR fines alone reached approximately €1.2 billion in 2025, bringing the total since 2018 to roughly €7.1 billion. NIS2 penalties can reach €10 million or 2% of global turnover — and they can be applied to individual board members personally. DORA, in force since January 17, 2025, adds sector-specific penalties for financial institutions.

The EU AI Act introduces fines of up to 3% of global turnover (7% for prohibited AI practices), potentially stacking on top of GDPR, NIS2, and DORA penalties for the same incident.

The critical question for brokers: Are regulatory fines insurable?

An Aon/A&O Shearman report from February 2026 concluded that many regulatory fines are “only insurable to the extent permitted by local law.” In some EU member states, insuring against regulatory penalties is restricted or prohibited. Non-monetary sanctions — operational suspensions, management bans, license revocations — are generally not insurable at all.

As of mid-2025, only 14 of 27 EU member states had fully transposed NIS2 into national law. The enforcement landscape is fragmented and evolving.

The broker action item

• Confirm whether the policy covers regulatory fines and, if so, under which jurisdictions
• Check whether the policy distinguishes between insurable fines and uninsurable penalties
• For clients subject to NIS2, assess whether the policy covers personal fines against board members
• Stack potential exposure: a single incident could trigger GDPR + NIS2 + DORA fines simultaneously, potentially exceeding policy limits

4. Supply Chain and Vendor-Driven Claims

Third-party involvement in breaches doubled from 15% in 2023 to 30% in 2024-2025. The claims mechanics are complex because they involve multiple layers of coverage and liability.

The Change Healthcare breach (February 2024) was a single compromised credential on a system without MFA — but the impact cascaded through the entire US healthcare system. UnitedHealth Group reported $2.457 billion in response costs and $3.3 billion in provider reimbursements. CDK Global’s June 2024 ransomware attack disrupted approximately 15,000 auto dealerships, forcing many to revert to paper-based operations.

From a claims perspective, supply chain incidents create three coverage challenges:

Contingent BI quantification. How do you measure business income loss when your client could not operate because a vendor they depend on was down? The loss is real but the quantification is disputed.

Vendor coverage triggers. Many policies require the insured’s own systems to be directly affected. If the insured was unable to operate solely because a vendor was down, some carriers argue this does not trigger the insured’s cyber policy.

Subrogation against vendors. Insurers are increasingly pursuing subrogation claims against cybersecurity vendors to recover paid claims. Three landmark cases illustrate the trend:

• Travelers v. Blackbaud (Delaware Supreme Court, April 2025): Subrogation claims dismissed — blanket allegations insufficient, must link to specific insureds
• Ace American v. Accellion (N.D. Cal. 2022): Accellion failed to notify customer of vulnerability; case settled
• Ace American v. Congruity 360/Trustwave (D.N.J., September 2025): $500K subrogation claim for cloud services failing to implement required 2FA

The risk for insureds: they may be pulled into subrogation litigation long after their own claims are settled.

The broker action item

• Verify that the policy covers contingent BI from vendor outages and does not require direct system compromise
• Review vendor contracts for indemnification provisions, limitation of liability clauses, and waiver of subrogation language
• Consider whether the client’s critical vendors carry their own adequate cyber insurance

5. Data Exfiltration Without Encryption

The newest claim pattern is also the hardest to detect. Coalition’s 2026 report found that 70% of ransomware claims in 2025 involved data exfiltration. But increasingly, attackers are skipping encryption entirely — exfiltrating data and threatening to release it without ever deploying ransomware.

These “encryption-less” attacks create unique claims challenges:

• No system outage means no traditional BI trigger
• Data exfiltration may not be detected for weeks or months, complicating notification timelines
• Regulatory notification obligations (GDPR 72-hour requirement, NIS2 reporting rules) may be triggered even without system disruption
• Third-party data exposure can create liability to the insured’s own customers and partners

Forty percent of large claims (exceeding €1 million) in 2025 involved data theft, up from 25% in 2024. Only 41% of claims involved actual data exfiltration — the rest were outages, ransomware without theft, or BEC.

The broker action item

• Confirm the policy triggers on data exfiltration even without encryption or system outage
• Check whether the incident response and forensic investigation coverage applies when the only event is unauthorized data access
• Verify notification cost coverage includes scenarios where regulatory obligations are triggered without operational disruption

The Bottom Line

The cyber claims landscape is diversifying faster than policy language is evolving. The policies that were adequate in 2023 may have silent gaps in 2026 — gaps that only become visible when a claim is filed and denied.

Brokers who understand these five emerging categories can structure coverage that actually responds when their clients need it. The alternative is finding out after a $25 million deepfake heist that the policy does not cover AI-generated fraud because the exclusion was written for email and the attack happened on Zoom.