Cyber insurance just stopped covering deepfake fraud — what to do now

If your organisation renewed its cyber insurance policy in early 2026, there's a good chance the small print quietly removed something significant: cover for fraud committed by an AI-generated voice or video. Standard cyber policies renewed after 1 January 2026 may now provide no coverage for deepfake fraud, even as deepfake-enabled vishing attacks surged by more than 1,600% between Q4 2024 and Q1 2025 in the United States alone. The financial backstop most boards assumed they had against synthetic-media fraud has been pulled — and the only people who haven't noticed yet are the ones who haven't read their renewal endorsements.
Why insurers are walking away from deepfake claims
Traditional social engineering coverage was written for a world in which a human being on a phone call or in an email persuaded an employee to wire funds. Underwriters could quantify that risk because the attack surface — and the manipulation pattern — was well understood. Generative AI broke that model. As eSecurity Planet reports, carriers spent late 2024 and 2025 rewriting wordings to explicitly exclude AI-generated content from social engineering coverage, on the basis that a deepfake creates an "intermediary technological layer" that voids the direct-human-manipulation requirement most policies are built around.
The pricing trajectory is just as stark. Industry analysts are forecasting annual premium increases of 15–20% through 2027 as carriers reprice AI-enhanced risk. Specialist endorsements — like Coalition's recently announced Deepfake Response Endorsement — are appearing as bolt-on products, but they typically cap out at forensics, takedown, and crisis communications, not the multi-million-dollar wire-transfer losses that have defined the headline cases.
The exposure is no longer theoretical
The Arup case set the bar — a finance employee approved a $25 million transfer after a video conference in which every participant, including the CFO, was a deepfake. But that incident is no longer an outlier. The FBI's Internet Crime Complaint Center attributed $893 million in losses to AI-related scams in 2025, across more than 22,000 complaints, and average losses per deepfake incident at large enterprises now sit around $680,000. When that loss falls outside the cyber tower, it lands directly on the operating P&L.
Where the gap bites hardest
- Wire-transfer fraud initiated through a synthesised executive voice or video call.
- Account takeover via voice-clone authentication of a high-net-worth client.
- Vendor impersonation in payments and AP workflows, where the "supplier" on the call has never existed.
- Insider impersonation in remote-work contexts — fraudulent password resets, MFA pushes, and privileged-access requests sourced from a cloned voice.
Closing the gap: detection becomes the new control
If insurance is no longer a usable backstop, the next-best line of defence has to be a technical one. Deepfake fraud differs from traditional social engineering in a critical way: the synthetic artefact itself is detectable. Modern audio and video deepfakes carry signal-level traces — micro-prosody anomalies, formant inconsistencies, biometric-physical mismatches — that purpose-built detection models can flag in real time, even when a human listener cannot.
For banks, contact centres, and any organisation running high-value voice or video workflows, three controls now matter more than they did six months ago:
- Real-time deepfake detection on every inbound voice and video channel — not just at onboarding, but at every step where money or access can move.
- Multimodal biometric verification that cross-checks voice against face (or other physical attributes) so a single cloned modality cannot complete an attack.
- Out-of-band verification policies for any payment instruction or privileged action that originates from a voice or video channel, regardless of who appears to be on the other end.
What to ask your broker — and your security team — this quarter
Before the next renewal cycle, two conversations are worth having in parallel. With your broker: ask explicitly whether AI-generated impersonation is excluded from social engineering, computer fraud, and funds transfer fraud sections, and whether a deepfake-specific endorsement is available and what it actually pays. With your security team: ask what percentage of voice and video channels into the business are protected by real-time deepfake detection today, and what the roadmap is for getting that number to 100%.
The bottom line
The insurance market has effectively repriced — and in many cases, declined — the deepfake fraud risk that enterprises now face. That is not a temporary hardening of the cycle; it is a structural recognition that AI-generated impersonation is too frequent, too cheap, and too plausible to be absorbed under legacy social engineering wordings. Organisations that treated cyber insurance as their primary mitigation for synthetic-media fraud need a new primary mitigation. Detection, deployed at the channel layer and backed by multimodal biometrics, is the most direct way to put one in place.

