AI intelligent agents accelerate deployment, as commercial insurance enters a crucial moment to fill the gap

Recently, the National Internet Emergency Center and other departments have issued multiple risk alerts related to AI, sparking widespread market attention. This phenomenon also reflects that as AI accelerates its integration into people’s work and daily life, the forms of cybersecurity risks are continuously evolving—from traditional system vulnerabilities to new security hazards brought about by high-privilege automated execution.

When AI agents have the ability to invoke systems, read data, and connect to external tools, the complexity of security defenses increases accordingly. If misoperations, overreach, or malicious exploitation occur, they could adversely affect businesses and individuals. Therefore, for the rapidly growing AI industry, cybersecurity insurance is not only a tool for post-incident compensation but also an important supporting mechanism to stabilize innovation expectations and facilitate the commercialization of technology.

Several industry insiders interviewed by the reporter stated that with the widespread application of AI technology, cyberattacks are becoming more intelligent and covert, and vulnerabilities in a single node could trigger broader chain reactions. Against the backdrop of coordinated development and security, cybersecurity insurance has opened up new development opportunities. However, practical challenges such as mismatched supply and demand and the need for improved industry standards still exist. How to better “fill the gap” with commercial insurance has become a key question for supporting high-quality AI industry development.

AI Agents Bring New Risks

The emergence of AI agents may further escalate cybersecurity risks. Recently, the National Internet Emergency Center issued a risk alert stating that AI agents face multiple risks including prompt injection, misoperations, plugin poisoning, and security vulnerabilities. For example, attackers can embed hidden commands in web pages to induce AI agents to leak keys or sensitive data; malicious plugins may also steal keys or implant Trojans, leading to remote control of endpoints.

In fact, similar risks have already been exposed in enterprise-level AI assistants and AI proxy scenarios. Microsoft has publicly warned that indirect prompt injection has become a common attack method against AI systems, where attackers use malicious content in emails, web pages, or documents to induce the system to leak information or perform unintended operations.

These cases demonstrate that once AI agents are granted high system permissions, misoperations, overreach, or malicious exploitation can quickly escalate into real business and security incidents.

Chang Shoukang, head of financial and professional liability risk at Daxin (China) Insurance Brokerage Co., Ltd. (hereinafter “Daxin China”), told Securities Daily that the development of AI technology has not simplified cybersecurity defenses but has instead expanded attack surfaces and intensified asymmetries between offense and defense. “Attackers can leverage AI to generate automated attack tools and deepfake content, lowering the threshold for attacks; defenders need to invest more resources in real-time monitoring and response, and traditional defense methods are no longer sufficient against AI-enabled new types of attacks.”

Chang further stated that future cyber risks will show three major trends: first, intelligence—AI makes attacks more covert and faster; second, expansion—attack surfaces extend from traditional IT systems to IoT and industrial control systems, potentially turning cyberattacks into physical safety incidents; third, systemic—highly interconnected industries mean risks in a single node can propagate through supply chains, causing large-scale systemic losses.

Industry insiders generally agree that current insurance products are still limited in addressing the new risks brought by AI agents. To prevent and transfer these emerging risks, insurance companies and cybersecurity firms need to strengthen collaborative innovation.

Growing Demand for Cybersecurity Insurance

Against the backdrop of escalating cybersecurity risks, the cybersecurity insurance market is gradually heating up. As an innovative integration of cybersecurity and financial services, cybersecurity insurance provides financial resilience support to enterprises and individuals through compensation and risk management, becoming an important tool for risk management in the digital economy era.

Policy improvements continue to support the development of cybersecurity insurance. In 2023, the Ministry of Industry and Information Technology and the China Banking and Insurance Regulatory Commission jointly issued the “Guidelines on Promoting the Healthy Development of Cybersecurity Insurance,” clarifying the path of integrated development of “technology + insurance.” Subsequently, the first and second batches of cybersecurity insurance service pilot programs were launched. In March 2026, four departments including the Ministry of Science and Technology jointly released opinions promoting innovation in cybersecurity insurance, continuing pilot projects, and expanding application scope.

Under policy guidance, corporate demand for insurance continues to grow. Han Yu, head of cybersecurity risk at Daxin China, explained that in recent years, as China’s digital transformation accelerates and “going global” efforts intensify, the cybersecurity insurance market has steadily expanded, with premiums continuously increasing. She identified four main drivers: regulatory and contractual requirements, supply chain cooperation needs, third-party claims risks, and increased risk awareness among enterprises and management.

From the supply side, the product system of cybersecurity insurance is becoming more diverse. Mainstream products mainly focus on two core areas: first-party loss coverage, which protects against direct economic losses of the enterprise; and third-party liability coverage, which covers legal liabilities to third parties.

Public information shows that mature standardized products explicitly named “AI cybersecurity insurance” are still relatively few. The market more often adopts combined approaches such as “AI liability insurance + extended cybersecurity coverage.” Insurance companies and brokers are actively exploring new service models. For example, China Ping An Property & Casualty Insurance Co., Ltd. (hereinafter “Ping An P&C”) has issued over 1,500 policies in the past three years, with premiums exceeding 75 million yuan, providing over 10 billion yuan in cybersecurity risk coverage. Daxin China leverages global resources to offer comprehensive services from pre-insurance risk assessment and plan design during underwriting to claims management after coverage.

Urgent Need to Overcome Development Bottlenecks

Despite the rising market, challenges such as mismatched supply and demand and lack of standards remain. Industry insiders believe that promoting healthy development of the cybersecurity insurance market, supporting technological innovation and commercialization, and better safeguarding digital economy security require joint efforts from multiple parties.

Yang Fan, general manager of Beijing PaiPaiNet Insurance Agency, told Securities Daily that on one hand, enterprises often lack sufficient risk awareness, focusing more on compliance than protection, so demand is not fully released; on the other hand, the lack of unified risk assessment standards and historical loss data makes product pricing and underwriting difficult, with serious homogenization. Additionally, the technical service chain for risk quantification before coverage and claims assessment after coverage has not been fully established, constraining market growth.

A relevant person from Ping An P&C said that compared to auto and general property insurance, cybersecurity insurance has far less data on premiums and claims, and the constantly evolving attack methods pose significant challenges for insurers. Moreover, the cybersecurity insurance ecosystem still needs improvement. The division of roles among stakeholders requires more practice, and current focus remains on insurance products themselves without mature service models.

Furthermore, emerging industries and new technologies increase risk complexity, but corresponding products and risk transfer solutions are still weak. Han Yu pointed out that current cybersecurity insurance products mainly target traditional risks, and there are no comprehensive protections for new risks brought by AI agents, such as AI systems becoming new attack targets. For individuals and sole proprietors, relevant coverage is also limited.

To better promote the implementation of cybersecurity insurance and build a healthy ecosystem, Ping An P&C suggests increasing enterprise guidance, establishing a policy system combining “mandatory, subsidy, and encouragement” measures to boost corporate willingness to insure. It also recommends accelerating the development of industry standards, creating quantifiable cybersecurity risk assessment systems, and establishing clear standards for incident responsibility and damage assessment. Additionally, improving product offerings and service models, and fostering innovation are essential.

Yang Fan further suggests exploring risk diversification mechanisms such as “insurance + reinsurance,” introducing parametric insurance and other innovative forms, and deepening integration with cybersecurity service industries to enhance corporate resilience and recovery capabilities against cyber incidents.

Overall, as AI technology continues to penetrate deeper and the digital economy develops, cybersecurity risks will become more complex and diverse. Cybersecurity insurance, as a core tool for risk transfer, faces unprecedented development opportunities. However, issues like mismatched supply and demand and ecosystem integration still hinder market growth. Multi-party collaboration and precise efforts are needed. Only through product innovation and system improvement can cybersecurity insurance truly serve as a “security barrier,” laying a solid foundation for high-quality digital economy development.