McGill and Partners’ Nirali Shah on D&O Trends

How do you talk to your stakeholders, your investors, your employees, about artificial intelligence and what you are doing?

By: Dan Reynolds | March 13, 2025

In early March, Dan Reynolds, the editor in chief of Risk & Insurance, caught up with Nirali Shah, head of U.S. D&O with McGill and Partners. What follows is a transcript of that discussion, edited for length and clarity.

Risk & Insurance: Thanks for meeting with us Nirali. When you think about AI and the exposures it might create for officers and directors. What crosses your mind?

Nirali Shah: It’s been a really fascinating time for the D&O world. AI is one of the things that we are talking about quite frequently. In terms of exposures for boards, a lot of what we are talking to clients about is how they monitor the use of AI, how they monitor AI as a risk to their business, whether it’s competitive risk, and whether it’s embedded risk from a tech standpoint.

And then for D&O, an important topic is disclosure. How do you talk to your stakeholders, your investors, your employees, about artificial intelligence and what you are doing? How you are using it, how it’s good for you, how it’s not good for you, how it may or may not be good for your industry.

In addition to disclosure, companies are also considering how closely they have to monitor their use of it. One of the things that we talk about with clients is, do you understand how technology, whether it’s ChatGPT or some other variety of AI, may already be in use with the vendors that you work with. Are your employees using it and you’re not aware of that? Do you have parameters and policies around the use of that technology for your employees?

Are you building anything internally that is a closed system AI that you can start to really ramp up?

Clients obviously have to very closely monitor that. I think they’ve gotten much more aware of how embedded it can be with some of the vendors and suppliers that they work with. The next piece of that is, “Okay, well, then how do you disclose how that affects you from a risk standpoint?” That’s really where we see the evolution of it at the moment.

R&I: Your vendors may be picking AI up at a rate that you’re not that well aware of.

NS: It was surprising for some of our clients to learn that it was being used by vendors before people understood what AI even was. Or that it was so mainstream. I think people were not understanding that, for example, offerings from recruiters, may have embedded AI that you’re just not aware of. This could potentially mean that the company was inadvertently discriminating against certain types of candidates because of the way that AI technology was screening people. Does that, then, lead to discrimination suits or systemic issues?

If you’re not asking those questions, if you’re not diving in a little bit further, you might not be aware of what’s happening in the background.

R&I: What about the use of AI in claims? Is that something that’s crossing your mind, or are you seeing conversations around that?

NS: It’s different, I think, for financial lines. It’s harder to use AI, because of the way that financial lines claims typically come in, and how you have to dissect them against the policy. That’s not to say that AI isn’t being used in some stage of the claims review process, it is just harder to use.

R&I: I’ve heard pretty much the same thing from financial lines underwriters. They’re saying much of what you’re saying.

NS: I still think for financial lines coverages, it is a more difficult process to teach an AI model how to look at it because some of it is very subjective. Teaching a model to read the way that a human would and be able to extrapolate the same kind of information is going to be a bit more challenging in my opinion.

R&I: I appreciate that. What privacy exposures or worries does the use of AI create?

NS: It’s been a fascinating thing to talk about with our cyber leaders as well because, obviously, there’s some crossover there in terms of privacy concerns. I think there is obviously more opportunity for bad behavior to happen in terms of private information being potentially utilized or stored in the wrong way when you have an external model that is reading that data. One of the things we have talked about is open system AI versus a closed system.

When a company builds an AI product for internal use only and they can control what data goes into the model, but also where that data ultimately goes, your privacy concerns become a little less robust since you can better control that data. It is not an open system where anybody and everybody now has access to that data.

Where we started to see some issues at the very, very early stages of things like ChatGPT was that companies were finding that employees were going online and just using it to write their internal memos or do a presentation. All this potentially confidential client data was being put into these generative systems that get to keep that data.

So, are you violating privacy laws? Are you at risk of having privacy concerns when that data is being floated into an open system where you don’t have any control of what happens to it?

Companies have gotten very smart very quickly around that issue. Most of the companies that we have spoken to and worked with have policies around the use of ChatGPT or other open- source generative AI systems. If they still allow the access through their IT platforms, there are restrictions around what kind of information you can plug in.

But certainly, there are privacy concerns around its use.

R&I: You may have already touched on it. But what would you say are best practices for disclosing the use of AI?

NS: It’s complex, and I think it will vary company to company, industry to industry, and frankly, geography to geography. There are rules in certain jurisdictions outside of the U.S. that are attempting to regulate the use and disclosure of AI. The U.S. hasn’t quite gotten there yet.

There are rumors of things in the works, and there are states like California which are very active in regulation/disclosure. Generally speaking, there is going to be a risk of under disclosing and over disclosing. What we encourage clients to do is understand what their risks are and understand the parameters with which they need to disclose that to investors and other stakeholders.

Also, make sure that those disclosures appropriately align according to the environments that you’re operating in. That’s not always an easy answer. We’ve seen a wave of what is being dubbed as AI-washing claims where people are maybe touting their use of AI or their investment in AI more than is factual.

They’re getting caught on that and that’s going to lead to some issues. We give clients examples of what might happen. We don’t have the perfect formula. It’s really going to be client-dependent. It’s going to be very specific to the geographies they operate in and the industry that they’re in.

But just understanding the parameter of what could go wrong if you’re making disclosures and how do you want to operate within that framework is important.

R&I: What energizes you about the work that you do? What do you like about this kind of work?

NS: There’s a lot that I like. One of the really fascinating things for me is how dynamic financial lines insurance can be. We evolve sometimes as quickly as the world is evolving. The tie that we have to current events and how closely we have to understand the business world, the social world, the legal world of everything that companies are contending with is just fascinating to me.

Another thing is working with clients and being their sounding board for some of what’s going on and how it impacts them from an insurance standpoint. One of the reasons I became a broker is that I spent the first ten years of my career on the underwriting side, and the client interaction was always something that drew me in.

I’m also a self-professed policy nerd. So if you give me an insurance policy, I will read probably every word and pick it apart. It’s just something that really fascinates me. I think it’s an interesting, exercise, especially when you start talking about if you change that one word in this one sentence, all of a sudden, the coverage works differently. &

Dan Reynolds is editor-in-chief of Risk & Insurance. He can be reached at [email protected].

How Insurance is Adapting to the Shifting Cyber Landscape

As cyber exposures evolve along with advancing technology, businesses and their insurers will need to work closely together to strengthen security, fine-tune coverage, and stay ahead of emerging risks.

By: MSIG USA | April 1, 2025

Cyber risk remains a top exposure for companies of every shape and size. In our increasingly connected, technology-dependent world, the opportunities for system failure continue to multiply, with ever-expanding ripple effects.

The insurance industry, however, continues to respond. Though coverage terminology is shifting to adapt to evolving threats, capacity remains plentiful as insurers and brokers work to meet the needs of their clients.

Here are the key trends shaping the cyber landscape today, and how businesses and their insurers can work together to mitigate the risks:

Ransomware and BEC Remain Top Threats

Siobhan O’Brien, head of cyber insurance, MSIG USA

“Ransomware and business email compromise remain significant threats. The increased utilization of technology in our world, particularly with the hybrid working model and the reliance on cloud sharing, file sharing, and video conferencing tools, presents potential weaknesses if cybersecurity measures are not robust enough,” said Siobhan O’Brien, head of cyber insurance, MSIG USA.

According to the Cyber Infrastructure Security Agency (CISA), 90% of successful ransomware attacks in the US start with a phishing attack. These attacks open the door for bad actors to plant malware within a targeted organization’s system. The consequences can be severe, with sensitive data, customer information, intellectual property, and revenue all at risk. Not all companies have the financial resilience to survive the downtime, loss of income, and reputational damage resulting from such an attack.

Employee training is critical to mitigate this risk. Employees should not only be able to recognize the characteristics of a fraudulent email, but also appreciate their role in protecting their company as a whole.

“Taking the time to train employees is vital because phishing scams can harm individuals and companies in many ways. Phishing training emails and videos may seem simple, but they highlight the importance of being vigilant. Employees must understand the implications of clicking on malicious links to prevent harm to the company and ensure its survival,” O’Brien said.

Vulnerability to Non-malicious Events

Increasing interconnectivity and reliance on cloud services mean that an outage can disrupt millions of businesses. The CrowdStrike outage of 2024 exemplifies this. A flawed software update caused a system failure that affected Windows users around the world, impacting industries including airlines, airports, hotels, healthcare, financial services to emergency services and more. Disruptions like this have the potential to bring the global economy to a halt.

Cyber policies are not consistent in how they respond to these unintentional failures.

“The biggest headline event in the cyber world last year was a non-malicious event, which some risk models didn’t anticipate. Some policies have responded positively to such incidents, while others have excluded coverage. Purchasers of cyber insurance will likely seek clarification on the intent of policies to cover non-malicious events without limitations,” O’Brien said.

For insureds, this underscores the importance of keeping technology systems up to date and having backup processes in place, but it also highlights the unpredictability of cyber risk. Insurers, brokers and clients will have to work closely together to identify vulnerabilities, strengthen risk mitigation strategies, and clarify coverage terms and conditions so everyone understands the potential impact of an outage.

The Unknown Impact of Artificial Intelligence

Emerging capabilities of artificial intelligence have both positive and negative potential for insurers and insureds alike.

“AI can be very positive from a cybersecurity perspective, enabling better protection through enhanced threat detection and rapid response, but it can also be negative, allowing for an increased frequency of attacks on companies. New technologies often come with both benefits and challenges, so it is important to find the right balance,” O’Brien said.

The risk presented by AI is multifaceted. Companies can employ AI to streamline processes, reduce the risk of human error, boost efficiency and cut costs. But AI platforms also represent another potential entry point for cyber criminals. Perpetrators can also utilize AI themselves to commit fraud, leveraging “deepfake” technology to execute social engineering schemes. There are also broader questions around liability when it comes to decisions made based on AI-driven algorithms.

Despite its many potential benefits, many questions remain around the utility of AI platforms and how best to keep them secure. Insurers and insureds will have to grapple with these questions together as the technology continues to evolve.

“We must continually work with partners to assess the current and future risk landscape. The past is not always a predictor of the future in cyber, as it’s a unique universe with different needs compared to property or casualty insurance,” O’Brien said.

How the Cyber Insurance Market is Adapting

The US cyber insurance market is currently robust, with plenty of capacity available for both primary and excess positions. The number of cyber insurance policies being purchased is increasing year over year, as reported by the 2024 NAIC Report on the Cyber Insurance Market, indicating room for growth in the market.

“According to recent reports from global insurance and reinsurance brokers, the cyber market experienced single-digit decreases in pricing in Q4 in the US,” O’Brien said.

Good risk selection remains critical, with insurers seeking clients who have strong cybersecurity measures in place, such as strong passwords, regular updates to software thorough employee training, and multi-factor authentication.

“Insurers want to understand the security posture of the company, their data encryption practices, their actual utilization of multifactor authentication, strength of the firewalls and ultimately their capability to recover from an incident,” O’Brien said.

“We want to know that the risks being brought to us are well managed, well considered, and well protected,” O’Brien said. “We also look for a partnership, where the client is seeking an insurer who can bring their expertise in cyber protection and ultimately bring partnership in managing the claims handling process. When a cyber incident occurs, clients want to know that their insurer is there, partnering with them and providing the necessary support through a combination of their in-house capabilities and trusted vendors.”

Characteristics of Top Cyber Insurer

As a new entrant in the cyber insurance market, MSIG USA has the advantage of a fresh perspective without any legacy issues.

“While we have the robust infrastructure and financial strength of a 350-year-old company behind us, our team is equipped with the expertise and capabilities to innovate and respond to clients’ cyber needs,” O’Brien said.

This supports the type of collaborative partnership that will be necessary to address cyber risk exposures for years to come.

“From an underwriting perspective, we are assembling a team with deep expertise and a holistic view of our clients’ risks across all lines of insurance. In claims handling, to enhance the capabilities of our in-house claims team, we are partnering with vendors who can help us respond rapidly and diligently to get our clients back up and running,” O’Brien said.

And then there is the sheer scope of MSIG USA’s reach.

MSIG USA currently serves approximately 40+ regions and countries around the globe, with plans to continue growing.

“MSIG USA is uniquely positioned to provide comprehensive strategies that protect clients and help them achieve their goals in today’s technology-driven world. Our aim is to enter the market in the mid-excess capacity but with a view to developing a primary product offering bringing innovation to our products based on client needs,” O’Brien said.

To learn more, visit https://www.msigusa.com/commercial-insurance/.

This article was produced by the R&I Brand Studio, a unit of the advertising department of Risk & Insurance, in collaboration with MSIG USA. The editorial staff of Risk & Insurance had no role in its preparation.

MSIG USA is a member of MS&AD Insurance Group Holdings, Inc. which is the 8th largest non-life insurance group in the world by revenue. Based in Tokyo, Japan, we operate in 48 countries/regions and generated $46B in 2021 with approximately 40,000 employees globally. MSIG USA is the marketing name used to refer to MSIG Holdings (U.S.A.), Inc. (“MSIGH”), and its subsidiary companies.

The Buckeye State’s Insurance Talent Recruitment Approach

CAC Specialty’s Fred Smith on the Risks and Opportunities in Lithium Extraction

Strategic Boards Should Have a Look at Captives for Managing Personal Reputation Risk

From the U.S. Air Force to Insurance: Insights on Authenticity, Belonging, and Doing the Right Thing

The 2025 Marine Power Brokers

In Conversation: From Top Tier Talent to Data Analytics, Alliant Retail Brokerage’s Peter Arkley Shares What Keeps Insurance Going

Risk All Star Darrell Mathis Is Transforming Workers’ Compensation for City of Chicago

Alicia Williams Promoted to Vice President of People and Culture at United Educators