The Grey Area Between Fraud and Cyber Policies

By: Roman Itskovich

Crime policies have been around for decades. Also known as fidelity policies, they’re geared toward protecting a business from fraud, theft, forgery and counterfeit money, typically covering exposures like employee theft, vendor theft, forgery of checks, and theft from financial institutions.

In a crime policy, the main focus of theft and fraud coverages is employees and vendors, such as an employee with malicious intent who used privileged access to the company’s assets to commit theft or fraud.

Cyber policies, by contrast, are geared toward protecting a business from damages that result specifically from a cyberattack. The first cyber policies covered actions an organization must take after a breach, such as customer notification, public relations, credit monitoring and other related services, as well as third-party liability.

As cyber triggers were slowly pushed out of traditional coverages like general liability, property, media and crime, standalone cyber policies have become an umbrella for many coverages, with the cyber trigger the only thing connecting them. Today’s typical cyber policy includes coverage for private data breach, systems and data restoration, social engineering, cyber extortion and even media coverage.

Blurred Lines

In the recent case of Medidata Solutions vs. Chubb Insurance, Medidata was awarded $4.8 million in losses over computer fraud that resulted from the company being tricked into wiring money overseas. The case demonstrates the overlap that exists when the wording in a fraud policy is wide enough to cover cyber-triggered events, or where cyber policies cover “social engineering” with a fraud element.

In the Medidata case, Federal Insurance Company had to pay out a social engineering claim under the fraud provision. The insurer did not anticipate the cyberattack vector—in this case, social engineering through email—under its fraud provision, either when drafting the coverage wording or when underwriting and rating the premium.

Underwriters in the crime world do not currently have the models or the ability to price cyber risk. The tools traditional crime underwriters use analyze internal procedures and often don’t consider the enablers of social engineering as an attack vector—enablers like weak email security, the abundance of attacker infrastructure for phishing attacks, or the availability of senior employees’ email addresses on the dark web.

The solution is a combined approach, which is severely lacking in today’s market. Crime carriers are still trying to cope with social engineering as a coverage and offer relatively low sublimits, according to a recent A.J. Gallagher report.

In August, Travelers won a computer fraud claim case against policyholder American Tooling Center Inc. The judge ruled that Travelers was not liable for losses from an email-based theft scheme. In this case, Travelers covered loss of money “directly caused by computer fraud.” “Computer fraud” encompasses a digital attack vector that causes loss, not a case where a digital vector was used to defraud the organization through the behavior of an employee.

Because Travelers’ coverage was much more narrowly drafted, and because the spirit of the coverage was very clearly geared towards computer crime, coverage was not granted.

Insurance Implications

The comparison between these cases clearly demonstrates two trends. First, there’s a general lack of understanding of what is and what is not covered under cyber-related policies. The many variations of cyber coverage wording in the market, combined with the relatively small amount of case law in this space, don’t help. Furthermore, explicit exclusions of cyber triggers are not common in many policies.

Second, cyberattack vectors are increasingly permeating more lines of traditional, non-technological insurance. This demands either obtaining capabilities to quantify cyber risk in connection to these lines of insurance, or carving them out. So far, the market has been carving out cyber-related coverage from traditional policies and moving it to dedicated cyber policies.

After a few cases that force insurers to provide coverage they never intended to provide, insurers will start pulling back. In the future, social engineering may be carved out of general crime and fraud policies and transferred either to standalone endorsements or into standalone cyber insurance coverage.

In the longer term, when underwriters become comfortable with cyber triggers for these types of coverage, we anticipate a reversion to topical policies that cover cyber-related triggers as well.

Businesses need to seek policies that specifically include social engineering coverage, more commonly known as “fraudulent transfer inducement” coverage. This coverage currently exists in the grey area between crime and cyber policies, but is increasingly covered by the latter.

For full protection from cybercriminals in the financial fraud arena, businesses should also seek coverage for events when an attacker directly alters data in the company’s system, or in the communication with the financial institution. This separate type of coverage is typically called “computer crime.”

As cyber fraud advances in its sophistication and scope, fraud and cyber policies will continue to advance alongside it. It’s more important than ever to educate yourself on the differences and be able to confirm coverages for your clients.

Roman Itskovich is a co-founder and chief risk officer at At-Bay, a newly launched startup specializing in cyber risk insurance.