For SMBs, AI presents several opportunities to improve productivity, automate repetitive tasks and reduce expenses. However, even as AI introduces new opportunities, it also creates new cybersecurity risks — and in some cases, this can result in major liability issues for SMBs.
According to Blake Fuchtman, Chief Actuary at biBerk, a Berkshire Hathaway Company that offers small business insurance (including cyber insurance coverage), SMBs must be cognizant of several possible cybersecurity liability concerns as they implement AI. By making cybersecurity liability top of mind as they utilize new AI tools, SMBs can have greater peace of mind as they take steps to reduce risk.
1. Be Mindful of What Data You Share With AI
AI tools rely on quality data to generate meaningful insights for their users, but as Fuchtman explains, SMBs must be careful regarding what data they supply to their AI — particularly with free, public tools.
“Free or publicly hosted AI tools may store or log any proprietary business or client information you provide,” he warns. “Depending on how these tools handle data, it can be surprisingly easy for sensitive information to be exposed or misused. Your business could be held liable if such actions compromise personal or confidential data. Before sharing any sensitive information with an AI tool, make sure you understand its data handling and retention policies. Sensitive data should only be processed within private, well-secured language models to mitigate these risks.”
2. Identify and Plan for AI-Powered Threats
Many of AI’s threats to SMBs come through its potential applications for phishing, malware and even deepfake attacks. Despite this, many SMBs are not fully prepared with a strategy for such threats. According to The State of SMB Cybersecurity Report, while 83% of SMBs believe AI has increased cybersecurity threats, only 51% have implemented security policies regarding AI, leaving many businesses woefully underprepared.
In 2024, fraudsters used deepfake video to steal $25 million from an engineering firm in the UK — a key example of how advanced AI attacks can be. Fuchtman advises that as a first line of defense, leaders provide continual training for their team. “Most cybersecurity incidents can be traced back to employee error, and with AI attackers getting more advanced, this is only likely to continue,” he explains.
“Ongoing training that helps employees recognize threats, as well as report and respond correctly to suspicious incidents, will help make your team a cybersecurity asset rather than a liability. In addition, cyber insurance through biBerk can help you be financially prepared for attacks, with coverage for first-party and third-party response expenses, such as notifying affected individuals and providing services for them, conducting forensic IT reviews and obtaining legal defense.”
3. Ensure IT Oversight of AI Tools
As part of training and support for employees, SMBs should also ensure that there is full IT oversight of the AI tools being used by team members. Newsweek reports that over half of employees report mistakes resulting from unmonitored use of AI tools, and 66% say they don’t verify the accuracy of the AI outputs they receive.
“Especially with the rise of tools like ChatGPT, we see a trend where employees at many companies will frequently use AI at work, even without approval from IT,” Fuchtman explains. “Unfortunately, this can create major blind spots in your cybersecurity setup, especially if employees end up providing sensitive information to an unapproved AI tool. Business leaders should establish clear policies requiring IT oversight for any AI use. Detailed guidelines and structure can help reduce the risk of a liability issue arising from unauthorized tools or practices.”
Without proper oversight, employees’ work could result in costly compliance issues. Leaders should provide training and guidance on which tools to use and how to use them to reduce the risk of such violations.
4. Thoroughly Vet Vendors
In today’s increasingly interconnected tech world, Fuchtman also advises that SMBs should carefully vet how their vendors are using AI. Third-party integrations, especially those that share data across platforms, can open up new cybersecurity risks if your vendors aren’t fully secured.
By only using tools from reputable vendors, and carefully assessing how the AI tools used by third-party partners interact with their own system, SMB leaders can better evaluate the potential risk and liability of their tech stack.
This also requires increased scrutiny of cybersecurity providers. SMBs need vendors who are continuing to update and support their own security posture in line with the advances being brought about by AI.
5. Develop Layered Cybersecurity Defenses
As the cybersecurity landscape becomes more complex, Fuchtman recommends that businesses focus on developing a layered defense strategy that always maintains a level of human oversight.
“Security-focused AI can and should be part of your cybersecurity profile, alongside tools that many SMBs already use like firewalls, data backups and multi-factor authentication,” he explains. “Combining rigorous defense tools with training of your staff and ongoing human oversight of your plan is what will have the greatest impact on reducing your risk. When you combine this with a cyber insurance policy from biBerk, you can have confidence that you will also be financially protected if a successful attack occurs.”
By combining layered defense mechanisms with a comprehensive recovery strategy, SMBs can ensure that AI enhances their cybersecurity profile, rather than simply introducing new risks.
Successfully Navigating AI and Cybersecurity
As Fuchtman’s insights reveal, AI has introduced several new cybersecurity risks for SMBs. However, those that take a proactive approach to managing their cybersecurity liability, including by obtaining cyber liability insurance, will position themselves to maximize the advantages of AI while minimizing risk for themselves and their customers.