Does the cover overlap?
In some instances, coverage between a cyber policy and a crime policy may overlap. For example, extortion (e.g. Ransomware), computer-related events, and in some instances, socially engineered losses. Generally, cyber policies are liability policies, i.e. third party losses, however they can provide cover for first party losses, i.e. costs associated with cyber events, and of course business interruption losses. Both policies are there to protect the company, however the outcome of an event will determine whether either or indeed both policies may be triggered.
What do the policies cover?
Crime policies (also known historically as Bankers Blanket Bond (BBB) policies) provide coverage for an FIs’ direct financial loss arising from various internal and external frauds such as:
Over the last few decades, crime policies have extended to include other perils such as, amongst others, extortion (including cyber-related extortion and ransomware) and erroneous transfer. There is typically also coverage for costs incurred in dealing with internal and external frauds, such as claims preparation costs and forensic costs.
It has been quite some time since computer crime coverage was introduced, however the scope of the coverage has broadened significantly as technology has developed to ensure it aligns with how FIs operate and their risk exposures.
Cyber policies however provide coverage for third party claims (and associated costs) against the FI relating to certain cyber-related events, such as:
In addition, cyber policies generally also provide coverage for:
It is worth remembering that coverage for both crime and cyber policies can vary from geography to geography and can also vary on the type of FI, as well as the state of the FI and/or cyber insurance market.
When can this get confusing?
One thing to consider is that typically cyber policies do not provide cover for loss of funds / securities or theft of goods – this would be covered (subject to terms and conditions) under a crime policy. This is indeed still the case even if the causation of the loss is cyber-related i.e. an FI’s computer network is hacked into and its funds are stolen.
However, in terms of an extortion event, it is often found that crime and cyber policies provide very similar coverage, particularly in relation to cyber extortion. As ransomware attacks began to increase over the last decade, and certain cyber-related perils were already included in a crime’s extortion coverage, this coverage was expanded further to include ransomware. Over time, some FI insurers (who underwrite crime policies) began to see large ransomware losses being presented to them, which resulted in some insurers negotiating the removal of ransomware coverage under a crime policy, with a signpost for ransomware coverage pointed at a cyber policy.
Cyber insurance is a more recent solution however the scope of coverage has also expanded a great deal over a short period of time, driven by a competitive insurance marketplace, as well as trends in claims. This is indeed the case when it comes to socially engineered losses, also known as “Fake CEO/President Fraud” – where a fraudster exploits human psychology, rather than hacking via technological methods. Some cyber policies now extend to include this coverage, particularly for small to mid-size FIs and generally coverage is sub-limited. However, for large corporate insureds, social engineering coverage within a cyber policy is not generally available in the London market, and wordings regularly contain a ‘theft of funds’ exclusion.
We are often asked which policy is intended to be the first port of call when it comes to these types of events. On the basis that the fallout from a socially engineered event is a direct financial one for the FI, the most likely place to look for coverage would be a crime policy. So why has this coverage not been removed from cyber policies on the same basis that ransomware has been removed from crime policies?
Can both policies be engaged at the same time?
Arguably yes. The scope of coverage will be dependent on the policy wording itself, and of course the level of Retentions/Deductibles and policy limits under each policy. FIs are encouraged to speak to their insurance broker on the breadth of their coverage for the types of events mentioned above, as well as notification considerations. There are options becoming available in the insurance market for a combined solution which FIs may want to consider as part of their risk strategy discussions.