As previewed in part 1 of our AI Policyholder’s Guide, we now discuss how businesses can assess their AI risk to ensure that they are properly positioned to secure insurance coverage should those risks come to fruition. Because no two businesses will have the same AI risk profile, businesses should consider undertaking organization-wide AI risk audits to evaluate their unique AI risk profile.
Understanding the nature of AI-focused legal risk is not only important for business planning, but essential to crafting a comprehensive AI-specific risk management plan. Indeed, because insurance is often underwritten relative to specific risks, knowing the risks to be insured is a prerequisite to procuring the right type of coverage with terms most suitable to a given risk profile.
In thinking about an organization’s specific risk profile, businesses may benefit from considering their AI exposure relative to four broad risk categories: (1) industry-specific risks; (2) location-specific risks; (3) business-organization-specific risks; and (4) business-function-specific risks. While these risk categories will not cover all AI risks, they provide a useful baseline for businesses trying to understand the risks they face and how best to counter them.
The profile for a company’s AI risk, like any risk profile, will be shaped by the industry that it participates in. For example, AI liability risks in the healthcare industry raise a distinct set of issues, not the least of which is potential medical malpractice liability. Likewise, manufacturers of AI-related technologies may face unique legal risks in the form of product liability or negligence actions that may not be present in other industries. Because of these varying exposures, an industry-specific AI risk analysis can be a useful starting point for understanding an organization’s distinctive risk profile.
As the saying goes in real estate, “location, location, location.” This adage also applies to AI. Indeed, as AI is increasingly being regulated by local, state, federal and international governments, not every AI law or regulation will affect every business. For example, as our colleagues recently wrote, state and local governments are now leading the way in the development of AI rules and regulations. As just two examples of state- and locale-specific rules, Illinois businesses, but not New York businesses, may have to contend with the Illinois Artificial Video Interview Act. Likewise, New York City-based employers, but not Illinois-based employers, may have to contend with New York City’s rules about employers’ use of AI.
Business Organization-Related Risks
The type and extent of AI-related risk will also depend on how the business is structured. For example, public companies are increasingly disclosing AI-related risks in their corporate disclosures and public filings. These public statements create the potential for liability under federal and state securities laws for public companies; however, the same risks may not exist for private companies. Relatedly, state-specific fiduciary duty laws are likely to evolve relative to AI and reshape the parameters of the duties of care, oversight, or loyalty as to specific organizational forms. All told, businesses must remain cognizant of how their business organization can shape the type and extent of AI exposure and, likewise, continually monitor the evolving landscape of corporate regulation regarding the use of AI.
Business Function-Related Risks
AI could also generate distinctive risks that depend on the functional business area at issue, whether that be human resources, procurement, marketing, legal or any other key business subcomponent. For example, the legal risks associated with algorithmic bias might be more acute in the human resources sphere because of how HR functions are regulated by federal and state antidiscrimination laws. Likewise, the legal risks associated with intellectual property infringement may be more acute relative to a business’s marketing function, which may use certain protected content for promotional purposes.
The Importance of Holistic Risk & Insurance Evaluation
Because the nature and extent of AI-induced legal risks can turn on many factors, including those discussed above, businesses should consider taking a proactive approach to AI risk. One approach could entail an AI-related risk and insurance audit. By calling on all stakeholders across all key business and operational units, businesses can help to ensure that their AI-risk management is comprehensively tailored to address AI risk in all the ways it might arise.
Thoroughly understanding specific risks is especially important when it comes to insurance, since proper coverage is tightly connected to fully understanding the types of risks being insured and the potential type and scope of liability that might arise. While some insurance coverages—e.g., cyber, technology errors and omissions, and directors and officers insurance—are likely to apply generally to large categories of AI risk, a thorough insurance and risk management program will be required to fully insure each business’s unique AI risk profile.
For example, healthcare organizations must evaluate how their potential AI-related exposures might implicate their E&O/medical malpractice insurance. In contrast, public companies should consider their board and management-level exposure, not from the actual harms that might arise from the use or misuse of AI, but from the management-level liabilities tied to C-Suite-level decisions about what to do or not do about AI. Likewise, public companies must ensure that their public filings accurately reflect the company’s realistic AI exposure. An audit of all existing lines of coverage will be necessary to gain a clear and holistic understanding of how well-protected (or not) a company may be from AI risk.
Businesses may also want to consider whether to solicit AI-specific coverage, which remains in its infancy. Currently, only one major insurer, Munich Re, offers AI-related coverage forms.
In sum, as businesses adapt to the ever-changing nature of AI, they should consider conducting a thorough audit of the legal risks posed by AI to ensure a full understanding of each company’s individualized AI risk profile. And, as always, consultation with experienced coverage counsel can help guide an organization as it works through how best to assess that profile and craft an appropriately tailored insurance program.