What Happens When Bad Guys DeepFake Your CEO?


Reading time: 4 minutes

Part 1 Of Our Deepfakes Miniseries

A finance director joined a video call with his CFO, his CEO, and two colleagues.

None of them were real. He followed their instructions and wired $25.6 million across 15 transactions. By the time anyone caught it, the money was gone.

The deepfake playbook now works at industrial scale, and most financial institution insurance programs haven't caught up.

The $25.6 million wire fraud started with a routine video call.

That was Arup, a global engineering firm, in early 2024. Attackers built real-time deepfake replicas of multiple executives and ran a live video conference convincing enough to override every instinct a trained finance professional had.

Financial institutions should pay close attention.

Your executives sit on hundreds of hours of public video and audio. Earnings calls, conference panels, LinkedIn clips, and webinars. Every recording is training data for the next synthetic clone. FS-ISAC has built a dedicated Deepfake Threat Taxonomy for financial services because FIs combine high-value payment authority with trust-based communication workflows. One person on one call can move seven or eight figures at most mid-market institutions.

The attack surface is your Tuesday morning Teams call.

Your policies were written before attackers could clone your CEO's face!

Most FI programs carry some combination of cyber, crime, and professional liability that should — in theory — respond to a deepfake loss. In practice, the coverage fragments across lines and falls through the gaps between them.

Start with crime and cyber social engineering coverage. Most wordings require the fraudulent instruction to arrive via email or written communication, so a deepfake video call may not qualify at all. Even where the trigger is broad enough, the "voluntary parting" defense looms: the employee knowingly authorized the transfer, so carriers argue the loss wasn't "direct."

Chubb now explicitly references deepfake CEO impersonation in its social engineering materials.

We think this is a sign that sophisticated markets are adapting, but most standard wordings haven't followed. Layer on the emerging wave of AI and synthetic media exclusions that coverage counsel and market alerts (Zelle, Lowenstein, and others) have documented spreading through D&O, E&O, and even cyber forms. Broad language excluding claims "arising out of or related to artificial intelligence" can swallow a deepfake event whole, even when the insured was the victim.

No single policy owns the full loss.

Cyber picks up social engineering. Crime covers funds transfer. D&O responds if shareholders allege governance failures. Media liability handles content claims. The deepfake event sits in the middle, and whoever wrote the policy language five years ago wasn't thinking about synthetic video.

When was the last time someone stress-tested your program against a scenario where attackers weaponized your own CEO's face?

Underwriters are already pricing this. The question is whether your controls earn you coverage or cost you coverage.

Carrier appetite is changing. Deepfake risk is becoming controls-driven and endorsement-driven, mirroring what happened with ransomware three years ago.

Callback verification for high-value transfers is moving from best practice to policy condition. Dual-approval workflows, tiered authorization thresholds, and documented deepfake-specific training now show up in underwriting questionnaires. If your procedures don't match the conditions embedded in your social engineering endorsement, you've purchased coverage you can't collect on. AXA XL's Gen AI endorsement for CyberRiskConnect signals where the market is heading: affirmative, tailored coverage for AI-related risks including data poisoning, regulatory violations, and usage-rights exposure.

But you have to ask for it, and you have to demonstrate you maintain a control environment that earns it.
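As an added illustration (not code from the newsletter or from any carrier), here is a small Python policy check for the controls named above: tiered thresholds, independent dual approval, and a callback to a directory-held number that a video-call instruction can never waive, plus same-beneficiary aggregation so a payment split into many wires is judged at the tier of the whole amount. The tier values, names and scenario are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed tier table (assumed values): amount ceiling, independent approvers, callback needed.
TIERS = [(25_000, 1, False), (250_000, 2, True), (float("inf"), 3, True)]
WINDOW = timedelta(hours=24)  # same-beneficiary aggregation window

@dataclass(frozen=True)
class Transfer:
    beneficiary: str
    amount: float
    requested_by: str
    instructed_via: str           # "video_call", "email", ... (never waives a check)
    approvers: frozenset          # staff ids who signed off
    callback_to_directory: bool   # callback made to a number from the internal directory
    at: datetime

def tier_for(amount):
    for ceiling, approvers, callback in TIERS:
        if amount <= ceiling:
            return approvers, callback
    raise ValueError("no tier")  # unreachable with an inf ceiling

def evaluate(req, history):
    """Return ("RELEASE" | "HOLD", reasons) for one wire request."""
    reasons = []
    # Judge the request on the beneficiary's rolling total, so a sum split
    # into many smaller wires is held to the tier of the whole amount.
    recent = sum(t.amount for t in history
                 if t.beneficiary == req.beneficiary and timedelta(0) <= req.at - t.at <= WINDOW)
    needed, callback = tier_for(req.amount + recent)
    # A live video or voice call is an instruction, not a verification: the
    # callback must go to a number held independently of the call itself.
    if callback and not req.callback_to_directory:
        reasons.append(f"callback to directory number required (instructed via {req.instructed_via})")
    independent = set(req.approvers) - {req.requested_by}
    if len(independent) < needed:
        reasons.append(f"{needed} independent approval(s) required, {len(independent)} present")
    return ("HOLD" if reasons else "RELEASE"), reasons

def demo():
    """Constructed scenario: four 20k wires to one beneficiary, instructed on a video call."""
    t0 = datetime(2024, 1, 15, 9, 0)
    prior = [Transfer("ACME Ltd", 20_000, "fin_dir", "video_call", frozenset({"fin_dir"}), False,
                      t0 - timedelta(hours=h)) for h in (1, 2, 3)]
    split = Transfer("ACME Ltd", 20_000, "fin_dir", "video_call", frozenset({"fin_dir"}), False, t0)
    routine = Transfer("Payroll Co", 10_000, "fin_dir", "email", frozenset({"controller"}), False, t0)
    return evaluate(split, prior), evaluate(routine, [])
```

The fourth 20k wire is held because the 80k rolling total lands in the second tier, which demands two independent approvers and a directory callback; the routine 10k payroll wire releases.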

Bring six questions to your next renewal conversation.

  1. Does your social engineering wording cover AI-generated voice and video instructions, or only email and written communications? What is the limit, and is it adequate?
  2. Are there AI or synthetic media exclusions anywhere in your cyber, crime, D&O, or E&O tower?
  3. What do the definitions of professional services and wrongful act look like in your cyber, crime, D&O and E&O tower — is AI included anywhere?
  4. Will your cyber policy fund technical authenticity analysis and platform takedown after a deepfake attack?
  5. Do your crime sub-limits reflect the size of loss a convincing deepfake could actually produce?
  6. And do your internal verification protocols satisfy the callback and dual-approval conditions your policies require?

The answers will tell you whether your program is built for 2026 threats or 2021 assumptions.

An Offer from the LION Team:

This is the kind of cross-program analysis LION runs for every financial institution client at renewal. Cyber, crime, D&O, E&O and now Media. All mapped against real scenarios, not hypotheticals.

We put together a one-page Deepfake Coverage Gap Checklist that goes deeper than the six questions above — the endorsements worth asking about, the exclusion language that should raise a flag, and what your renewal conversation should actually sound like in 2025.

Reply "DEEPFAKE" and we'll send the checklist over.

Stay Covered,

TASH & FLIP

P.S. We recently partnered with one of our key trading relationships heavily focused on quantifying and properly covering these types of deep fake risks. More on that soon.


LION Specialty

Everything you need to know to navigate the financial institution insurance market in ≈ 5 minutes per week. Delivered on Fridays.
