A friend of mine runs a 30-person manufacturing shop. Last month he forwarded me his renewed cyber insurance policy with a one-line note asking if he was covered for all this deepfake stuff. He wasn't really asking me to read the fine print. He was asking me to tell him he could stop worrying. I read it twice, and I could not give him the answer he wanted.

Buried in the definitions, his carrier had added a few words to the social engineering section. AI-generated impersonation was now carved out. On paper his business still had fraud coverage. In practice, the exact kind of fraud that is growing fastest had been written out of it.

I want to talk about that gap, because a lot of owners are sitting right where my friend is sitting and have no idea.

Here is what changed. Starting around January 1, 2026, a wave of cyber carriers began narrowing or excluding AI-generated deepfake fraud from standard social engineering coverage. The reasoning is technical and a little maddening. Traditional social engineering coverage was written around one human manipulating another human. A deepfake adds a synthetic layer, a face or a voice that was never real, and several carriers now argue that this breaks the definition their older policy was built on. Broker analyses of the 2026 deepfake insurance gaps describe businesses renewing after the new year and finding they had less protection than the year before, sometimes for the same premium.

Meanwhile the losses keep climbing. Deloitte's Center for Financial Services projected that generative AI could push US fraud losses to $40 billion by 2027, up from $12.3 billion in 2023. That is a 32 percent compound growth rate on a category that already drains bank accounts. And these are not hypothetical attacks. When the engineering firm Arup lost about $25 million to a single deepfake video call, the finance worker approved 15 separate transfers because every colleague on the screen looked and sounded exactly like people he knew. I wrote about that one in more detail in the story of the boss's face that wasn't his boss, and it still sits with me.

So the honest picture is this. The threat is rising, and some of the coverage is moving the other way. I say that as someone who sells insurance and believes in it, not to talk anyone out of a policy. Pretending the gap isn't there just leaves people exposed.

Now the part I actually get excited about. This gap is fixable, and you have more control than the headlines suggest.

Start by reading your own policy the way an adjuster would after a loss. Find the social engineering or fraudulent instruction section and look for words like artificial intelligence, synthetic, deepfake, or impersonation. If any of them sit next to an exclusion, that is your answer. If you cannot tell, that ambiguity is reason enough to email your broker and get the reply in writing, so there is a record.

Then ask specifically about affirmative deepfake coverage. Plenty of carriers went the other direction and updated their social engineering agreements to name AI voice cloning and video deepfakes as covered events. Standalone deepfake endorsements exist too, often somewhere between $500 and $3,000 a year depending on your size and your controls. That is real money. It is also a lot less than one wire transfer.

After that, close the gap insurance was never meant to fill on its own. Most deepfake fraud still comes down to one person acting on one urgent request. A written callback rule, where any payment change gets verified through a number the requester did not give you, stops a surprising share of these attacks. I walked through building that exact control in a guide to checking whether a wire request is actually real, and it pairs well with the broader small-business deepfake defense playbook if you want a full checklist.
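
The callback rule above, sketched as a check an accounts-payable workflow could run before releasing a payment change. This is an added example, not code from any product or guide mentioned here; the record layout, the 30-day threshold and the phone numbers are assumptions made up for illustration.

```python
import re
from dataclasses import dataclass
from datetime import date

PHONE_RE = re.compile(r"\+?\d[\d\s().-]{7,}\d")

def normalize(number: str) -> str:
    """Reduce a phone number to its last 10 digits (assumes US-style numbers)."""
    return re.sub(r"\D", "", number)[-10:]

@dataclass
class PaymentChangeRequest:
    vendor: str
    received: date
    text: str  # body of the email, voicemail transcript, or call notes

def check_callback(phones_on_file: dict, req: PaymentChangeRequest,
                   called: str, min_age_days: int = 30):
    """Return (ok, reason) for the number staff used to verify the request.

    phones_on_file maps number -> date it was added to the vendor record.
    min_age_days is an assumed threshold: a number added shortly before the
    request may have been planted by an earlier "update our contact" message.
    """
    target = normalize(called)
    supplied = {normalize(m) for m in PHONE_RE.findall(req.text)}
    on_file = {normalize(n): added for n, added in phones_on_file.items()}

    if target not in on_file:
        if target in supplied:
            return False, "number came from the request itself"
        return False, "number is not in the vendor record"
    if (req.received - on_file[target]).days < min_age_days:
        return False, "number on file was added too recently"
    return True, "independent number on file"

# Constructed sample data (fictional 555-01xx numbers).
VENDOR_PHONES = {"+1 202-555-0123": date(2023, 3, 1),
                 "202.555.0166": date(2026, 2, 10)}
REQUEST = PaymentChangeRequest(
    vendor="Example Supply Co.",
    received=date(2026, 2, 14),
    text="Our bank details have changed, new remittance info attached. "
         "To confirm, call me directly at (202) 555-0188.",
)

if __name__ == "__main__":
    for number in ("(202) 555-0188", "202-555-0166", "202 555 0123"):
        print(number, "->", check_callback(VENDOR_PHONES, REQUEST, number))
```

Only the third number passes: the first was supplied in the request, and the second reached the vendor record four days before the request arrived.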

The reason I care this much is personal. I have watched people build years of trust and revenue on top of a digital identity that no policy was watching, the same blind spot I described in why your digital twin has no insurance. The businesses that come through these attacks intact are rarely the ones with the biggest budgets. They are the ones who checked their coverage before they needed it and built one boring verification habit that a convincing fake could not talk its way past.

If you are not sure where your business stands right now, start there. Take our free 2-minute Deepfake Risk Assessment and at least you will know what you are working with.