As lines blur between digital and real-life risks, here are examples of losses that each policy covers and why organizations should obtain the broadest protection possible.
As companies rely on more and more technology and a growing amount of work is done online, cybercriminals are seeking to take advantage of the opportunities. In the digital work environment, employers may find it hard to understand what types of insurance cover what types of risks.
Employers must get to grips with the difference between two central policies and coverage types: crime insurance and cyber insurance.
What Is Cyber Insurance?
In today's digital world, no organization can avoid doing business online, whether that is through digital payments, email communication, or even registering a domain for your company's website. That same unavoidability means cyberattacks can impact any organization, regardless of size or sector. Cyber insurance helps organizations prepare for and face these digital risks.
A cyber insurance policy most frequently covers economic damages that could arise from a security breach or data breach impacting customers or third parties. These are considered indirect losses. One example is a data breach where customer information is leaked and the customers experience losses, either a loss of personal information or funds. This third-party liability would fall on the company whose systems were breached, resulting in damages paid to the breach victims.
In addition to data breaches, cyber insurance policies also cover cyberattacks, interruptions or stoppage to business, and cyber extortion, like ransomware. If a cyberattack forces an organization's systems offline and a business has to cease operations, indirect financial losses could occur to those who utilize the business. The good news is that any data or information lost would be intangible and thus potentially covered by cyber insurance.
What Is Crime Insurance?
Crime insurance covers losses that are similar but adjacent to those covered by cyber insurance. Today's criminal activity can be carried out by external actors or by an organization's own employees. Due to the impact of technology, these crimes can happen faster, hit harder, and take more varied forms than ever before.
Crime insurance helps protect individuals and businesses from financial losses tied to criminal activity, including theft, forgery and fraud. These policies cover direct losses of funds. These fund losses are typically easier to uncover because crimes committed against a business are more obvious and more direct. As it stands, businesses lost $50 billion due to employee theft, according to the Association of Certified Fraud Examiners (ACFE) study, “Occupational Fraud 2022: A Report to the Nations.”
Why An Organization Needs Both
Most cyberattacks are done through social engineering—when a threat actor deceives individuals into divulging confidential or personal information that may not be in their organization's best interests. This information is very often used to conduct fraud.
Fraud is one claim instance where cyber insurance and crime insurance can overlap: Both policy types will usually cover social engineering. And it's a frequently occurring instance. Even as cybercriminals evolve and develop more complex tactics, the tried-and-true social engineering method is still the most popular.
A recent Coalition report analyzed all its claims during the first half of 2022 and found that phishing—a form of social engineering where an attacker will send an email purporting to be from a reputable source to persuade individuals to reveal personal information—triggers the most cyber incidents. In the first half of 2022, phishing accounted for nearly 58% of reported claims.
For example, a charitable organization lost $1 million in connection with a social engineering scheme when a threat actor posing as a recipient of philanthropic funds sent fake invoices to the nonprofit. Because this form of fraud may cause direct and indirect losses and occurs online, a claim could be covered by cyber insurance, crime insurance, or both.
Both insurance policies also cover funds transfer fraud (FTF). FTF is another form of social engineering where a business or individual transfers money or securities in good faith based on transfer instructions fraudulently issued by an impostor criminal. The result is that funds are sent to a bad actor, resulting in a financial loss for the business.
In one example, a computer wholesaler lost more than $600,000 when a threat actor posing as one of its vendors convinced its CEO to approve the payment of certain vendor invoices. This is a significant loss for an organization, especially since the average cost of an FTF claim is $200,000, according to Coalition's report.
These two types of risks are the largest overlap between the two types of insurance policy because both risks involve criminal activity and direct losses but also occur in cyberspace and incur indirect losses.
Outside of instances where the policies overlap, the clearest way to delineate what event will trigger which type of coverage is to determine whether the loss was direct or indirect, tangible or intangible. But even that isn't 100% accurate.
That's why having both types of coverage is essential. With both policies, an organization has the broadest protection possible. In some instances, double coverage will provide additional protection for those instances of overlap, like with social engineering and FTF.
The Future of Cybercrime Insurance
As more work is done online, the types of risks employers and employees face will continue to expand and evolve. As the lines blur between digital and real-life risks, the best practice for establishing all-around protection and limiting losses is building a robust coverage model that includes both crime insurance and cyber insurance policies.
Small businesses, in particular, are hit especially hard by crime every year. And despite this, a staggering 36% of small businesses said they did not intend to purchase crime insurance coverage in 2021, according to a separate Coalition report. No matter industry or size, every organization is at risk for cybercrime and needs to consider adding further protections.
Patrick Mitchell is executive risks lead at Coalition Inc.