1. Cyber Insurance
With the rapid advancement of technology, the variety of risks has also increased. This diversification has led to the emergence of new types of insurance policies within insurance law. One such policy is cyber insurance. As crimes and torts have increasingly migrated into the digital environment due to the close integration of the virtual and real worlds, the necessity of covering risks that may arise in cyberspace has emerged.
In this context, cyber insurance refers to a type of policy designed to protect businesses against potential damages arising from the exposure or compromise of sensitive and confidential information that must be protected.
Events that may occur as a result of cyberattacks include data deletion or manipulation, business or production interruptions, extortion, threats, and reputational damage. Among these, reputational damage is considered the most severe risk.
Cyber insurance has been a topic of discussion globally since the 1990s, whereas awareness of the subject in Türkiye began to emerge around 2010. As of now, there is no specific legislation regarding cyber insurance under Turkish law. Therefore, the general provisions of the Turkish Commercial Code No. 6102 and other relevant regulations governing insurance law are applied to cyber insurance.
2. The Use of Algorithmic Risk Scoring in Cyber Insurance
The rapid advancement of technology has triggered digital transformation across various sectors, significantly impacting the insurance industry as well. In this context, artificial intelligence (AI), which has started to play a major role in many industries, has also influenced several key processes in the insurance field, including data analysis, risk assessment, policy pricing, claims evaluation, and customer relations.
One of the areas where AI is most needed is the calculation of risks in cyber insurance, which involves highly complex risk factors—unlike more traditional forms such as life, property, or commercial insurance.
AI can analyze large and complex datasets and perform risk scoring through algorithms to evaluate a company’s cyber risk level. A subfield of AI, machine learning (ML), has the ability to detect patterns in massive data sets and use these patterns to make predictive assessments. As such, ML plays an active role in risk evaluation. It generates risk scores by taking into account parameters such as a company’s history of cyberattacks, its IT infrastructure, and the cybersecurity awareness level of its employees.
3. Disadvantages of AI Applications in Insurance: Information Asymmetry
Since AI and ML algorithms are complex and often difficult to interpret, they make it challenging for users to understand how decisions are made, and to detect or correct potential errors and biases. The opacity of these algorithms’ internal workings may undermine user trust and lead to potentially unfair practices. For this reason, the explainability and transparency of AI and ML systems are of critical importance.
When these algorithms cannot be sufficiently understood by policyholders—or when the inability to comprehend them prevents the identification of underlying errors—it creates a problem of information asymmetry in the insurance contract from the policyholder’s perspective.
“Information asymmetry” refers to an imbalance where one party to a contract has more or better information than the other. In this context, equal access to information means both parties can obtain the relevant knowledge without undue difficulty and are on equal footing regarding uncertain events that influence the contract.
In insurance policies, the policyholder generally possesses less technical knowledge than the insurer regarding the pre-determined contract terms and the insurance coverage itself. Thus, the policyholder is considered the weaker and more vulnerable party in the policy. This disparity gives rise to “information asymmetry” between the parties. Furthermore, since insurance policies are categorized as consumer contracts, and insurance is a legal product with a complex structure—unlike ordinary goods or services—there is an even greater need for legal protections against this imbalance.
In some cases, particularly in health insurance, the policyholder may have more information than the insurer regarding the underlying risk, and may not disclose this information transparently. In such situations, the asymmetry of information favors the policyholder. To mitigate this asymmetry for both parties, the provisions of the Turkish Commercial Code impose a disclosure obligation on the policyholder and an informational duty on the insurer.
However, when insurers use AI-based algorithmic risk scoring systems to evaluate the fundamental component of the insurance policy, it may deepen the information asymmetry to the detriment of the policyholder. Given the complexity of these systems, the policyholder may be unable to comprehend the risk assessment or identify how the input data used in the algorithm might reflect different realities from their own perspective.
AI systems often reach conclusions based on unverifiable inferences and predictions about individuals’ behaviors, preferences, or private lives. Even when such systems are fueled by rich and diverse datasets, reliance on unexpected or opaque variables may result in biased or discriminatory decisions, particularly when they are based on sensitive attributes related to private life.
Furthermore, because the policyholder cannot fully understand the risk evaluation process, they may be unable to adequately assess the proposed premiums or insured amounts. As a result, a clear case of “information asymmetry” arises. In such scenarios, there may also be violations of Article 11 of Turkish Law No. 6698 on the Protection of Personal Data.
Indeed, policyholders do not know how the data they provide to the insurer for risk calculation are processed by AI, and therefore do not exercise their rights under Article 11, in particular those in paragraphs “d) Requesting the correction of personal data if they are incomplete or incorrectly processed” and “g) Objecting to the emergence of a result against oneself by exclusively analyzing the processed data through automated systems.”
Ultimately, ensuring that AI and ML systems are fair, transparent, and accountable is essential to eliminating bias and preventing unjust treatment of individuals. The development and implementation of explainable AI (XAI) systems is vital for building trust and ensuring legal compliance. This calls for the creation of new standards and regulatory guidelines.
4. Policy Cancellation Issues
Insurance companies, based on the algorithmic scores generated by AI systems, may narrow the scope of coverage, cancel the policy altogether, or classify the applicant into a high-risk group and refuse to provide insurance. Although this does not contradict the principle of freedom of contract, it may lead to unfair outcomes, particularly due to the information asymmetry present at the moment the policy is formed.
Since insurance policies are standard-form contracts, unilateral cancellations based on algorithmic scoring should be subject to judicial review. However, due to the complex nature of these algorithms, the policyholder may not fully understand them and therefore may refrain from exercising their right to legal recourse.
5. Conclusion
While AI-based algorithmic risk scoring in cyber insurance policies increases speed and efficiency for the insurance industry, it also leads to issues of information asymmetry and lack of transparency for the policyholder. This situation may result in loss of rights for policyholders, particularly in cases involving policy cancellation or narrowing of coverage. Therefore, it is essential to enhance the explainability of algorithmic systems and to introduce new regulations in the field of insurance law to ensure fair treatment and legal certainty.
Duygu Yaren Yıldırım, Legal Intern













