AI-powered cyber threats: legal and insurance challenges
As AI-driven cybercrime escalates, businesses face complex new challenges in cybersecurity, governance and insurance. From deepfakes to synthetic voice attacks, these technologies are pushing the limits of traditional defenses, raising urgent questions about liability and risk management. This blog explores the legal and financial implications for companies and offers essential strategies to mitigate AI-powered cyber threats in an increasingly volatile landscape.
Published: May 19th, 2025
It began as a trickle, the odd email that didn’t sound quite right, the unexpected voice message that mimicked a colleague’s tone too closely. But it’s now a flood. AI-powered cyber threats are not speculative fiction; they are current events, and their implications are unfolding faster than most legal and insurance frameworks can adapt.
In a digital landscape increasingly shaped by machine learning and generative algorithms, the tools once seen as futuristic are being wielded by cybercriminals with alarming effect. For businesses, this raises not only technical concerns, but critical questions of liability, governance, and insurance.
Deepfakes, Bots and Machine-Led Mischief
Artificial intelligence has turbocharged the traditional tools of cybercrime. Where once phishing relied on clumsy grammar and suspect logos, it now comes packaged in perfect prose and pixel-perfect branding. Voice cloning and video deepfakes are being used in frauds so convincing that they have duped executives into wiring millions.
Take, for example, the campaign the FBI warned about in a May 2025 public service announcement. Malicious actors were impersonating senior U.S. officials using AI-generated voice messages and texts. These impersonations were not isolated gimmicks; they were used to build rapport with targets, move them to a separate messaging platform via a malicious link, and harvest account credentials for further exploitation.
In another case, a major financial institution fell victim to a sophisticated phishing attack in which AI-generated emails mimicked internal communications between senior staff. The emails referenced actual financial matters under discussion within the firm, lending them an air of authenticity. Staff, convinced of the legitimacy, surrendered credentials that granted unauthorised access to sensitive systems.
And then there’s the geopolitical angle. A major investigation by DTEX Systems revealed how North Korean IT operatives were using AI tools and fake identities to infiltrate Western tech companies. One operative alone was linked to a $6 million cryptocurrency theft. Operating out of Laos and Russia, these individuals used AI to craft convincing personas and portfolios, gaining employment via freelance platforms and gaining access to critical systems.
The Legal Fog Surrounding AI Attribution
Assigning legal responsibility in these scenarios is challenging. Who is to blame when a synthetic voice dupes a senior manager? What liabilities arise when deepfake content causes reputational damage or financial loss?
The UK’s existing frameworks, including the Data Protection Act 2018 and the Computer Misuse Act 1990, do address unauthorised access and misuse, but were not designed with generative AI in mind. However, the recently enacted Online Safety Act 2023 begins to plug some of these gaps.
The Act imposes statutory duties on regulated user-to-user and search services to protect users from illegal content and, where a service is likely to be accessed by children, from content harmful to children, whether that content is human-made or generated by AI. Sharing intimate deepfake images is now a criminal offence under the Act, and malicious impersonation content can fall within the illegal-content duties. Ofcom, the regulator, has confirmed that generative AI chatbots and similar tools are in scope where they let users share content with one another or function like a search service.
While the Act is primarily aimed at protecting individuals from harm, it has significant implications for businesses. Companies operating an in-scope service that host or disseminate AI-generated media, or fail to detect it, could face regulatory exposure if that content results in harm. The Act sends a clear message: service providers are accountable for mitigating the harms of generative AI, even if they did not create the content themselves.
Moreover, the legislation lays the groundwork for future AI governance, one that prioritises transparency, safety, and corporate responsibility.
The Consequences of Inaction: Legal and Financial Risks
For companies that fail to implement adequate safeguards against AI-powered cyber threats, the consequences can be severe and costly.
Civil liability may arise under the UK GDPR and the Data Protection Act 2018, where affected individuals can claim compensation for distress or financial loss if their data is compromised. Regulatory fines imposed by the ICO can reach up to £17.5 million or 4% of global annual turnover, whichever is higher. Contractual liability is also a serious risk; breaches of client agreements or data handling protocols may trigger claims for damages and even contract termination.
Criminal liability for the victim organisation is rare. The Computer Misuse Act 1990 is aimed at the attacker, not at the company that was breached. In extreme circumstances, however, such as gross negligence in a critical infrastructure setting that leads to a death, a prosecution under the Corporate Manslaughter and Corporate Homicide Act 2007 could be pursued.
The Online Safety Act adds a further layer of statutory obligation for in-scope services. Failure to prevent harmful AI-generated content on your platform, including deepfakes, could lead to regulatory action by Ofcom, including fines of up to £18 million or 10% of qualifying worldwide revenue, whichever is greater, and other enforcement measures.
Even where formal enforcement doesn’t arise, insurance claims may be denied if a company is found to have failed in its duty to maintain reasonable cyber hygiene. Policies increasingly include conditions on the use of AI and on the controls expected against synthetic media. Failing to meet these standards could leave businesses uninsured and exposed when they most need support.
Cyber Insurance in the Age of Algorithms
The insurance sector is watching closely and reacting cautiously. Traditional cyber insurance policies are already under pressure, with claims rising and margins thinning. The addition of AI-generated risks is a new wrinkle in an already complex underwriting landscape.
Underwriters are beginning to include exclusions for “unquantifiable AI risk” or “acts of synthetic deception”, language that reflects a growing unease about what is insurable. Claims that involve deepfake scams or AI-driven phishing are often contested, especially where the insured party failed to adopt reasonable defences against such technologies. Losses from a voice-cloned payment request, for instance, typically fall under “social engineering” or “funds transfer fraud” cover, which is commonly sub-limited and conditional on the insured having followed its own call-back verification procedure before releasing funds. If that procedure was skipped, the claim is likely to fail on the policy’s own terms.
There’s also a growing concern that existing policy frameworks do not account for AI’s role as both tool and threat. For example, if an AI model built for internal efficiency inadvertently leaks sensitive data due to a coding flaw, is the resulting breach covered? It depends, and that ambiguity is precisely the problem.
Mitigating the Unseen: Best Practices for AI-Cyber Risk Management
In this uncertain landscape, companies must act with greater vigilance. The threat is real, the regulations are catching up, and the insurers are watching. Below are the best practices to help organisations stay ahead.
AI Risk Assessments: Integrate AI-specific scenarios into cyber risk registers and incident planning.
Staff Training: Educate teams about deepfakes, synthetic media, and generative content. Awareness is the first line of defence, and the lesson to drive home is that urgency, secrecy, and pressure to bypass a normal process are red flags regardless of how convincing the voice or email appears.
Digital Watermarking and Detection Tools: Invest in technologies that help verify the authenticity of digital content and flag anomalies. Treat their output as one signal among several: detectors are probabilistic, and an attacker’s own tools will not carry your watermark, so high-value actions should never depend on a detector alone.
Legal Reviews of AI Deployment: Ensure that all AI tools used internally or externally are compliant with emerging laws and include risk clauses in vendor contracts.
Incident Response Integration: Update your playbooks to include AI-enabled attack scenarios. Who verifies a suspicious voice call, and how? Any request to move money, change bank details, or share credentials should be confirmed through an independent channel, such as a call back to a number already on file rather than one supplied in the message. What’s the threshold for activating a breach response?
AI-Cyber Threat Preparedness Checklist
Task | Description | Frequency
--- | --- | ---
AI risk integration | Include AI threats in cyber risk and legal assessments | Quarterly
Deepfake detection tools | Deploy and update software to flag synthetic media | Ongoing
Employee briefings | Conduct briefings on generative AI and cyber threats | Twice a year
AI vendor due diligence | Vet all third-party AI tools for security and compliance | Pre-engagement
Legal compliance checks | Review contracts for liability in AI-related incidents | At signing and renewal
Policy review with insurers | Ensure AI risks are discussed and properly addressed in policies | Annual review
Facing the Future: Navigating AI-Powered Cyber Threats
AI-powered cyber threats are not a hypothetical danger; they are reshaping the threat landscape before our eyes. The tools that once dazzled as innovations now pose novel legal and operational hazards. Insurers, regulators, and companies must all reckon with this shift. As ever, those who adapt early, who understand the risks, close the loopholes, and engage meaningfully with stakeholders, will be the ones best placed to weather the storm. In the age of intelligent machines, ignorance is not just costly; it may well be indefensible.
How Forbes Solicitors Can Help
AI-related cyber incidents raise urgent legal questions around liability, regulatory duties, and insurance coverage that many businesses are not yet prepared to answer. At Forbes Solicitors, our Crime and Insurance Law teams work together to provide clear, coordinated advice when the stakes are high.
Whether it's helping you assess exposure, strengthen your response protocols, or challenge an insurer’s refusal to cover AI-related losses, we offer practical legal solutions rooted in experience with digital crime, regulatory defence, and complex insurance disputes.
Led by Craig MacKenzie, Partner and Head of our High-Profile & Private Crime Division, our team brings extensive experience in cybercrime, regulatory defence and complex digital investigations.
Contact Craig MacKenzie on 01772 220022.