It’s a cyber loss, it’s a crime loss, no, what is it?
Cyber losses are sometimes misconstrued as crime losses, but more frequently crime losses are misconstrued as cyber. So, which is it? While the answer is sometimes black and white, it isn’t always that simple.
Both cyber and crime losses are often facilitated through a computer hack. However, the resulting damages or “loss” are often the best way to differentiate cyber from crime. In the most basic terms, cyber policies are covering intangibles while crime policies are covering tangibles.
A crime policy is a first-party indemnification contract, covering the insured for loss of funds, money, securities or property caused by dishonest and fraudulent acts committed by covered employees, as well as other various types of theft committed by third parties. Money, securities and property can be defined terms in a crime policy. Crime policies typically contain at least two of the following three cyber-related exclusions:
These standard crime exclusions (the exact language may vary from policy to policy) are broad and are meant to eliminate any uncertainty. It is important to review these exclusions closely and work with your broker to soften language, where possible. It is not uncommon to see confidential information stolen and used to initiate a computer hack which results in the fraudulent transfer of funds. To avoid gaps in coverage, we recommend that the confidential information exclusion be amended to state that it will not apply to a loss that is facilitated by the theft, disappearance, damage, destruction or disclosure of such information that would otherwise be covered under the crime policy.
A cyber policy offers both first-party and third-party liability coverages. When it comes to first-party cyber coverages, a cyber policy will pick up a wide variety of cyber incident response expenses incurred by the insured which arise from a privacy incident, which includes the theft of personal or confidential information. It is important to note that a standard cyber policy will not offer reimbursement coverage to the insured for the loss or theft of funds or for the intellectual property value of confidential information that may be stolen. A cyber policy also provides third-party liability coverage for claims made against an insured alleging that their personal or confidential information was stolen or not adequately protected. While certain cyber policies offer coverage for electronic theft loss, which may include coverage for losses stemming from fraudulent instruction, funds transfer fraud and telephone fraud, these coverages are pretty strictly sub-limited, often relying on the insured’s crime policy to pick up these exposures.
That brings us to the grey area. What if we have a hack that results in stolen confidential information which is later used to initiate a fraudulent transfer of funds?
In this scenario, both the crime and cyber insurers should be put on notice. The crime policy would respond to the direct loss of funds, while the cyber policy would respond to loss resulting from the stealing of confidential information. If there is a situation where the cyber policy is enhanced with certain sub-limited crime coverages, it is best for those coverages to sit in excess of the crime policy. It is also possible that a crime policy could be enhanced to include certain data restoration and extortion coverages that would be best handled on a primary basis by the cyber insurer. It is important to ensure that, when there is an overlap in coverages, the retention on the excess policy erodes as loss is paid on the primary policy. While this loss is certainly easier to settle when the same insurer is writing both policies, it is otherwise a matter of negotiating an allocation between the cyber and crime underwriters.
A combination of proprietary and standardised forms is utilised by insurers to write cyber and crime insurance. The terms and conditions will often differ, so it is important to work with your broker to ensure coverage is tailored to fit your business and meet your risk management objectives.