Do elements of cybercrime, such as social engineering fraud and phishing scams, belong on a traditional crime insurance policy or should they be part of a cyber policy? The answer to that question depends on which carrier you ask.
“There’s some debate in the market between carriers as to whether they still belong on a traditional crime policy, rather than a cyber form,” Lindsey Nelson, international cyber team leader with CFC Underwriting, told Canadian Underwriter Monday. “Many Canadian insurers still aren’t offering crime in a cyber policy,” or do so with certain warranty provisions in place pertaining to call-back procedures to verify the recipient. While others are making the switch and offering elements of crime on cyber policies, “it’s still a somewhat controversial stance,” Nelson reported.
Crime policies typically cover situations where there has been employee dishonesty, and can contain exclusions pertaining to authorized fund transfer activity where social manipulation techniques have resulted in company funds being sent to a fraudulent recipient.
Nelson said that crime coverage on cyber policies was borne out of the fact that traditional crime policies often have this authorized fund transfer exclusion within them. “So, what they are intended to cover is employee dishonesty and employees maliciously transferring funds or stealing money from the company,” she explained. “What it doesn’t intend to cover is employees being socially manipulated into sending money to an unintended recipient.”
Social engineering fraud, such as a “fake CEO, vendor or supplier” email that demands funds to be transferred immediately to a fake account for a vendor payment, is usually not covered on a crime policy. The reason that there is a discrepancy in the market, Nelson added, is that a lot of insurers believe that cyber policies should just stick to theft of data and not cover theft of cash.
However, a broker speaking to a client purely about privacy liability or how many records they hold, often doesn’t resonate. On the other hand, “everybody has a fund transfer exposure if you are dealing with vendors or suppliers or your [chief financial officer] who needs to pay people at a certain point.”
For CFC, cyber has always been a form of crime. The insurer offers cybercrime coverage on both a traditional crime policy and cyber policies and leaves it up to consumers to decide which coverage they prefer. “It’s a good way of being able to connect with your clients and look at their electronic fund transfer exposures in addition to any data exposures that they have as well,” Nelson added.
Cybercrime accounts for the largest source of claims activity out of all cyber coverages at CFC, followed by ransomware, which is expected to surpass cybercrime. Ransomware and cybercrime together account for more than half of the insurer’s cyber claims, with data breaches accounting for less than one-third.