An audit perspective for community bank boards, CFOs, and the examiners who eventually have to look at this.
A new insurance unicorn. Total funding raised in under 18 months: over $260 million. Valuation at the most recent round: $1.3 billion. The company writes cyber, tech errors and omissions, directors and officers, even a new product line called AI liability. It quotes and binds policies in minutes. It calls itself an AI-native, full-stack insurance carrier.
The investor narrative is growth and customer count. It does not feature loss ratios. It cannot, because the company has not been writing policies long enough to know.
For a community bank evaluating cyber insurance, the press release reads like good news. Faster quoting. Modern technology. A team that understands how digital businesses work. What the press release does not address, and what the broker placing the policy may not address either, is the question that matters most when you need to use the policy.
This essay is a brief on that question. It draws on 20 years of experience on the carrier side and the audit work I do now for community banks.
What “full-stack AI carrier” means
The phrase has been used so often it sounds self-explanatory. It is not.
A full-stack insurtech of this generation is typically three legal entities stacked together. There is a producer, a licensed agency or brokerage that sells the policy to the customer. There is a carrier, a licensed insurance company that issues the policy and is named on the declarations page. And there is a claims operation, often a third-party administrator, that handles claims after a loss.
In the AI-native model, all three entities are affiliates of the same parent company. The pitch is that owning the entire stack removes friction, accelerates decisions, and lets the company control the customer experience end to end. That is true. It also means the financial strength behind the policy depends on a single carrier entity and whatever reinsurance program backs it, neither of which has been tested by a meaningful loss.
Some full-stack insurtechs acquire dormant shell carriers to get licensed quickly. Others build their own carrier entities from scratch, which takes longer and requires more capital but gives them a clean start. Either path produces the same result: a carrier entity with no meaningful loss history on the lines it is now writing. The brand is new. The technology is new. The claims track record is blank.
Most of the first generation of insurtechs, the companies that raised billions between 2015 and 2021 to sell auto, renters, and homeowners insurance, have lost 80 to 95% of their market value. The loss curves caught up. And those were short-tail lines, where claims resolve in months, not years.
This new generation is writing long-tail commercial lines. The actuarial math is slower and less forgiving.
The economics that do not show up in year one
The lines of business these new carriers write are not collision damage or stolen smartphones. They are long-tail commercial lines: cyber, tech errors and omissions, directors and officers, fiduciary, and most recently a product marketed as AI liability.
Long-tail means the gap between when the premium is collected and when the ultimate loss is known is measured in years, not months. A cyber breach reported in 2026 may produce a regulatory action in 2027, a class action in 2028, and a settlement in 2030. A wrongful collection claim filed in year three may not reach final indemnity until year six. A securities class action against an insured directors and officers tower can take four to seven years to resolve.
For an established carrier with 20 or 30 years of loss data on a given class, this is manageable. The actuarial team builds reserves into the financials. The reinsurance treaties are structured to absorb shock losses. The capital is sized to a realistic worst case.
For a carrier writing the same classes for the first time, with an AI underwriting model that has never seen a full market cycle of losses, the reserving assumptions are unavoidably speculative. The capital required to hold the risk net is far larger than the equity these companies raise. Which means the risk is not really being held on the carrier’s own balance sheet. It is being ceded to reinsurance.
Reinsurance cession is normal. Established carriers do it too, and for good reason. The difference is the quality and structure of the program. An established carrier with a 20-year relationship with rated reinsurers and a demonstrated ability to collect on recoveries is in a different position than an 18-month-old carrier whose reinsurance program has never been tested by a meaningful loss event. A cyber policy with $5 million in limits looks like $5 million in protection when it is sold. If the carrier fails, the realized protection can be a fraction of that.
Why this matters more for community banks than for other buyers
A startup that loses its cyber coverage in a carrier failure has a bad day. A community bank that loses its cyber coverage in a carrier failure has a regulatory event.
Federal examiners are looking more closely at vendor and counterparty risk every cycle. Your cyber insurance carrier is your vendor. That means the bank is expected to run due diligence on the carrier’s financial condition, not just accept the broker’s recommendation. If the carrier turns out to be inadequate, the bank owns the regulatory consequences.
There is also a reputational dimension. A community bank that suffers a covered cyber loss and discovers, in the middle of incident response, that its insurance carrier is an 18-month-old startup whose claims operation has never processed a loss of this size has problems beyond the dollar amount. Customers, depositors, and the local press will all reach the same conclusion: the bank chose poorly. The bank’s board, not the broker, owns that conclusion.
Most community bank cyber policies in 2026 are being placed by generalist brokers. Most of those brokers evaluate the placement on price, breadth of coverage, and turnaround time. Few run a structured analysis of the issuing carrier’s balance sheet, reinsurance program, claims track record, and counterparty rating. That gap is the audit work.
The seven questions to put on your audit
A community bank insurance audit that does not address counterparty risk is incomplete. These are the seven questions I now include in every audit I deliver, applied to every carrier on the program: cyber, fidelity bond, and D&O.
These seven questions are not exotic. They are the questions any sophisticated commercial insurance buyer should be asking. The reason most community banks are not asking them is that no one has framed cyber insurance procurement as a counterparty risk decision yet.
A note for the insurance industry
There is a generational disagreement underway in commercial insurance about what artificial intelligence is for.
One view, well represented by the most-funded AI-native carriers, is that AI replaces the broker and the underwriter. Speed, scale, and unit economics improve when the human is removed from the workflow.
The other view, and the one I work from, is that AI accelerates the routine and frees the human for the judgment calls. The routine work in insurance (pulling data, comparing forms, running first-pass risk scores, structuring renewal exhibits, drafting policy language summaries) is enormous, and it is exactly what AI does well. The judgment work (pricing a novel exposure, deciding when a submission needs a phone call rather than a quote, sizing a reinsurance program against a realistic worst case, recognizing when a customer’s risk profile has changed in a way the data does not yet show) is exactly what AI does badly, and what experienced humans do well.
Community bank boards do not need to take a position on which model is correct. They do need to know which model they have bought, and from whom. The audit is how that gets surfaced.
If your community bank’s cyber insurance has not been audited against the seven questions above, get in touch.