We saw it on three renewal questionnaires in March, then four in April, and at this rate every UK SME cyber-insurance policy is going to ask about AI by the autumn. The questions are not subtle, and the underwriters have moved faster on this than we expected. Eighteen months ago, "AI" was not a section on a renewal form. In 2026 it is four sections, and the businesses that have an answer ready will renew on better terms than the businesses that do not.
This post is what we are seeing on the forms and what an underwriter is looking for when they read the answers. Cyber-insurance renewals have moved quickly enough on this that the post may not date well, but the pattern is clear enough now to be worth writing down.
Why the questionnaires changed
Two things. The first is a real claims pattern: insurers have started seeing AI-adjacent losses, mostly in two shapes. One is data leakage: an employee pastes customer data into a consumer AI tool and the data shows up somewhere it should not. The other is what one underwriter called "confident-wrong" failures: an AI generates an output (a quote, a contract, a price) that commits the business to something it did not mean.
The second is regulatory pressure. The ICO has been clearer about AI in 2025 and 2026, and the EU AI Act enforcement timeline lands in earnest this year. Underwriters are pricing in the risk that a regulatory action will land on an SME that did not have its AI house in order.
Together those have made AI a category of cyber risk the underwriters now want visibility on, the same way they ask about backups, MFA and patch cadence; the questionnaires reflect that shift.
Section 1: which AI tools are approved for company use
The question, in the formulation we are seeing most: "List the AI products approved for processing company data, including the enterprise tier or licence type." Some forms add: "Note any AI products that have been used on company data without formal approval."
What the underwriter is looking for: a named list of products, with the enterprise tier specified. "Microsoft Copilot for Microsoft 365" not "Copilot". "ChatGPT Team" not "ChatGPT". The tier matters because it is the tier, not the product name, that carries the data-handling commitments the underwriter actually cares about (residency, retention, training opt-out, audit-log access); the consumer tier does not.
The bad answer: "Employees may use AI tools at their discretion." That tells the underwriter the business does not know what data is going where, and the premium reflects it.
The good answer: a list of two or three products, with the tier, plus a one-line policy reference. "We use Microsoft Copilot for Microsoft 365 and ChatGPT Team. Other AI products are not approved for company data. Acceptable-use policy attached as Appendix C."
Section 2: what data classes go into AI tools
The question, paraphrased: "Describe the data classes processed by AI tools and the controls preventing higher-classification data from entering AI systems."
What the underwriter wants: evidence that the business has a data-classification model, knows what goes where, and has some controls to enforce it. A three-class model (public, internal, confidential) with a yes/no per class on whether that class may go into an approved AI tool is what we usually see ticked off as adequate, provided each "no" is backed by something more than the policy text.
The bad answer: "We trust our employees to use AI appropriately." That is not a control. The good answer names the training, the policy, and whatever technical controls actually enforce the "no" answers: DLP rules that block or warn when classified data is pasted into AI tools, conditional-access policies that restrict which accounts can reach the approved tools, browser extensions that warn on paste, and regular audit-log review. The underwriter is checking that the controls line up with the classification model, not just that some controls exist.
Section 3: vendor data-handling commitments
The question: "Confirm the contractual data-handling position of each approved AI vendor, specifically: data residency, retention period, training opt-out, and audit-log access."
This one trips up a lot of SMEs because the answer requires having actually read the vendor's enterprise terms. The four items are rarely together on a single page of the vendor's website, they vary by tier, and they change between contract revisions.
What the underwriter wants: the four bullets, in plain English, for each product. "Microsoft Copilot for M365: data stays in EU region, default 30-day retention configurable to immediate deletion, no training on customer data by default, audit logs available via Purview." "ChatGPT Team: data in US region with EU pilot available, 30-day retention, no training on customer data, audit logs in admin console." Treat those specifics as an illustration of the shape rather than as current terms: check each value against the enterprise agreement the business actually signed before it goes on a form, and note the date you checked.
The bad answer is silence or a link to a page. The good answer fits in a paragraph and demonstrates the business has done the work.
Section 4: AI-related incident response
The question: "Describe how an AI-related data incident would be detected, contained and reported, including any specific procedures for AI tool misuse."
This is the section we see the most blanks on, because most SMEs have not written it. What the underwriter wants is recognisable continuity with the rest of the incident-response plan; the AI-specific bit is usually a paragraph addition rather than a separate document.
The shape that lands well has four parts: a named person who handles AI-policy concerns (usually the IT lead or the founder); a route for staff to raise a concern without immediate disciplinary action (the policy-improvement framing matters, because a pasted spreadsheet nobody reports is the incident you cannot contain); a check on whether the data has actually left the business (vendor audit logs, the user's conversation history in the tool, the account it was sent from); and a notification path to the underwriter and, where the data warrants it, to the ICO and to affected data subjects.
The supporting documents the underwriter wants to see
Three attachments turn a clean answer into a discount-eligible answer:
- The acceptable-use policy. Two pages, the five-section structure we have written about elsewhere on the site. The underwriter reads it.
- The vendor data-handling summary. A one-pager listing the approved tools against the four items from Section 3 (residency, retention, training opt-out, audit-log access). Internal document, but the underwriter looks for it.
- The incident-response addendum. A paragraph appended to the existing incident-response plan, covering the AI-specific bits. Does not need to be a separate plan; it does need to exist.
Three documents, none longer than two pages, all sitting in SharePoint or Drive in a folder the IT lead can find at five minutes' notice when the broker asks.
What the discount looks like
We have seen renewal premiums move by 5% to 12% on AI-related answers in the last two quarters. That is not enormous on an SME policy, but it is real, and for a typical 25-person business the cost of putting the documentation in place is roughly what two months of that discount is worth, so it pays for itself well inside the policy year. The maths usually works.
The discount is not the only reason to have the documentation, but it is the reason that gets the conversation on the board agenda when other reasons do not.
Where this lands with us
The three documents are deliverables inside our AI Enablement assessment. We draft them specific to the stack, the work the business does, and the vendors the team uses. The documents are not the point; the answer they give the underwriter is.
The renewal that lands cleanly is the renewal that has the answers ready before the broker asks. The renewal that does not is the one with the awkward phone call in week three of the cycle.
Cyber-insurance renewal coming up and want a second pair of eyes on the AI sections? Drop us a note at info@jmopartners.co.uk.
JMO|Partners · Enterprise IT, sized for SMEs.