From cannabis rescheduling to AI law, this edition of Risk Wrap highlights six developments shaping compliance, governance, and insurance exposure across high‑risk industries.
Medical Cannabis Rescheduling Finally Arrives, Opening a New Chapter for the Industry
On April 23, 2026, the Department of Justice and the DEA announced the issuance of an order to reclassify FDA-approved products containing marijuana and marijuana products regulated by a state medical marijuana license as Schedule III. It came into effect immediately.
They also initiated an expedited process to review the broader rescheduling of cannabis. The hearing will start on June 29, 2026.
In the words of Acting Attorney General Todd Blanche: “This rescheduling action allows for research on the safety and efficacy of this substance, ultimately providing patients with better care and doctors with more reliable information.”
Implications for brokers and their clients:
- Consider strengthening D&O liability insurance as regulatory changes may affect governance and investor risks.
- Review product liability cover as rescheduling could expand medical use, distribution, and exposure to claims.
- Investigate dedicated cannabis insurance that’s tailored to the sector’s risks.
Source: US Department of Justice (April 23, 2026). Justice Department Places FDA-Approved Marijuana Products and Products Containing Marijuana Subject to a Qualifying State-issued License in Schedule III, Strengthening Medical Research While Maintaining Strict Federal Controls.
Emerging insurance industries mentioned: Cannabis Insurance.
Lines of business mentioned: Directors and Officers Liability Insurance, Product Liability Insurance.
DeFi Exploits and Liquidity Runs Become a Key Risk for Crypto Markets
On April 18, 2026, hackers exploited a vulnerability in KelpDAO, a liquid restaking protocol, to create large amounts of rsETH tokens without backing collateral. They then used the fraudulently created rsETH to borrow legitimate ETH tokens through major DeFi lending platforms including Aave, where it was accepted as collateral for loans. $290 million was stolen in total, and funds were moved through Tornado Cash to obscure transaction trails.
The exploit triggered wider market stress. Users rushed to withdraw assets from Aave after confidence in the protocol was shaken, leading to a run dynamic in which some lenders were unable to access their funds. Lenders of other cryptocurrencies also withdrew their assets.
Aave lets lenders borrow other tokens if they can’t recall their loans and get their tokens back. As a result, lenders of ETH and other assets started borrowing stablecoins at scale. Stablecoin lenders then withdrew a total of $5 billion, pre-empting a scenario where all stablecoins were lent out and liquidity pools were emptied. The incident shows how weaknesses in one protocol can have far-reaching consequences.
Implications for brokers and their clients:
- Traditional cyber policies may not fully respond to smart contract exploits or token theft. Consider obtaining specialist crypto asset coverage and smart contract failure insurance with bespoke wording.
- Review errors and omissions policies to ensure adequate coverage as developers, custodians, and infrastructure providers may face negligence claims after a protocol failure.
- Ensure adequate D&O coverage in case exploits lead to claims from investors or users alleging inadequate controls or weak oversight.
Source: Bank Policy Institute (April 23, 2026). Crypto Hacks and DeFi Runs.
Emerging insurance industries mentioned: Digital Asset and Web3 Insurance.
Lines of business mentioned: Smart Contract Failure Insurance, Errors and Omissions Insurance.
Gambling Ad Targeting Faces Intensifying Scrutiny in Ireland
In Risk Wrap 038, we discussed Ireland’s new gambling licensing framework, which includes new consumer protection requirements. Recent research by the University of Cambridge could potentially prompt further policy review.
Researchers analyzed the Meta ads of 88 operators licensed in Ireland. The sample included 411 ads displayed from March 2024 – February 2025 that targeted users aged 18-65+. The findings showed that these ads were displayed to more than twice as many men as women (12,690,245 male accounts versus 5,458,438 female). 22% of the ads targeted men only (no ads targeted only women).
As young men are the group most vulnerable to gambling-related harm, the findings may intensify scrutiny of whether ad-delivery systems indirectly concentrate gambling promotions on higher-risk audiences. Of course, operators aren’t responsible for Meta’s algorithm, but advertisers may still be expected to monitor and mitigate the real-world outcomes of campaigns placed on third-party platforms.
The data was collected before the full implementation of the Gambling Regulation Act, which mandates stricter advertising limits. However, researchers suggest the Act requires further review in light of the study and recommend close surveillance of enforcement to prevent circumvention of advertising restrictions. The study may also influence policy in the UK and across the EU.
Implications for brokers and their clients:
- Investigate specialized gambling insurance that includes cover for regulatory, fraud, and player liability risks.
- Investigate media errors and omissions insurance to protect against claims of advertising harm.
- Investigate E&O insurance to protect individuals involved in campaign design or audience targeting.
Source: iGaming Business (April 28, 2026). Gambling ads reach twice as many men as women in Ireland, report reveals.
Emerging insurance industries mentioned: Gambling Insurance.
Lines of business mentioned: Media Errors and Omissions Insurance, Errors and Omissions Insurance.
Litecoin Network Disruption Exposes Growing Cross-Chain Risks
On April 25, 2026, the Litecoin Foundation suffered a deep chain reorganization after attackers exploited a zero-day vulnerability linked to its MWEB privacy layer. The vulnerability also enabled a denial-of-service attack against major mining pools.
Attackers attempted to execute double-spends against cross-chain swap protocols and losses have been reported.
This incident follows a broader trend, as most DeFi exploits that have occurred so far this year involved cross-chain infrastructure.
The Foundation has since confirmed that the vulnerability has been patched.
Implications for brokers and their clients:
- Protocols and exchanges can benefit from dedicated digital asset insurance that addresses the sector’s unique vulnerabilities.
- Review cyber liability and crime insurance policies to ensure they respond to the threat vectors affecting crypto firms.
- Consider business interruption insurance that covers losses associated with security incidents.
Source: The Block (April 25, 2026). Litecoin rewrites three hours of history to undo its first major privacy-layer exploit.
Emerging insurance industries mentioned: Digital Asset and Web3 Insurance.
Lines of business mentioned: Cyber Liability Insurance, Crime Insurance, Business Interruption Insurance.
Anthropic’s Mythos Pushes Crypto Security Beyond Smart Contract Audits
Mythos, Anthropic’s new AI model, is prompting the crypto sector to redirect its focus when it comes to cybersecurity. Smart-contract vulnerabilities were often the key focus, but attention is now widening to operational risks that are beyond the scope of traditional audits, like key management, oracles, bridge infrastructure, and signing services.
Mythos is designed to simulate adversaries, and it detects new weaknesses by examining how protocols interact and how flaws can turn into cascading failures. Without AI, it can be difficult to map all the dependencies. Crypto firms and traditional financial institutions are looking to stress test their systems with tools like Mythos.
In future, continuous monitoring using AI may be necessary if firms are to keep up with the pace of adversaries.
Implications for brokers and their clients:
- Investigate specialized digital asset crime and cyber insurance that explicitly addresses infrastructure failures.
- Review policy wordings to confirm whether losses arising from third-party services are excluded and investigate third-party cyber liability insurance.
- Consider obtaining specialized financial institutions professional liability cover as scrutiny increases in novel markets like crypto and DeFi.
Source: CoinDesk (April 26, 2026). How Anthropic’s Mythos model is forcing the crypto industry to rethink everything about security.
Lines of business mentioned: Cyber Liability Insurance, Third Party Cyber Liability Insurance, Digital Asset Crime Insurance, Financial Institutions Professional Indemnity Insurance.
Will the English AI Law Review Clarify Existing Liability Rules?
The UK Jurisdiction Taskforce (UKJT) is consulting on a Legal Statement examining how harms caused by AI systems may be addressed under English private law. Its aim is to give businesses and the technology sector greater clarity by outlining how existing legal principles are likely to apply to issues involving this fast-evolving technology.
The consultation focuses on non-deliberate AI harms encompassing negligence, product liability, professional duties, vicarious liability, and responsibility for false statements generated by chatbots. Criminal law, public law, and IP are not within scope. Liability is often determined by contractual terms, so the consultation focuses on non-contractual duties.
The negligence analysis is the same whether the harm is physical or economic.
Here are some key principles addressed in the statement:
- Foundation model developers are unlikely to owe a duty for unforeseeable misuse of their systems where downstream users failed to test or supervise the tool properly.
- In terms of causation, AI opacity may make it hard to prove why a system produced a result. Courts may respond by being more flexible on evidence, including shifting burdens of proof in some cases. Where the science is uncertain, courts could use a “material increase in risk” test instead of strict “but for” causation.
- Liability for creating a dangerous AI system without safeguards or otherwise failing to control it (when the entity has the “special powers” to do so) is possible but likely rare, especially for general-purpose models.
- False or harmful chatbot outputs may still trigger liability. English law could apply negligent misstatement principles where there is a false statement, duty of care, reliance, and resulting loss.
- In terms of strict product liability, the Consumer Protection Act 1987 may apply where AI is built into a physical product that causes injury or property damage. Claimants must show the product was defective and caused the loss, though not the exact technical fault. Standalone software and cloud-based AI services usually fall outside this regime.
Implications for brokers and their clients:
- Investigate specialized AI insurance tailored to the regulatory requirements of your client’s jurisdiction.
- Consider product liability insurance where AI is embedded in physical products, devices, vehicles, or machinery that could cause bodily injury or property damage.
- Review tech E&O insurance in case harmful outputs result from technical faults.
Source: Bristows (April 28, 2026). Can AI be sued?
Emerging insurance industries mentioned: Artificial Intelligence Insurance.
Lines of business mentioned: Product Liability Insurance, Tech E&O Insurance.