Does commercial crime insurance deserve to be the poor relation of cyber and D&O insurance?

By Francis Kean, Partner – Financial Lines, McGill and Partners

Introduction

Over the last twenty years, the growth of cybercrime (dishonest or malicious activity by means of computer networks and systems) has been exponential. Nor is the growth in cybercrime predicted to slow down. The cost to the global economy of cybercrime is estimated to grow from $9.22 trillion in 2024 to $13.8 trillion by 2028 (source: Statista Market Insights).  Over the same period, the ever-increasing reliance by business on (and therefore vulnerability to) computer systems has led to a significant increase in demand for cyber insurance. Why is the same not true for commercial crime insurance which also covers aspects of cyber- crime typically excluded under cyber insurance policies?

Background

Many large companies now place cyber insurance in the same non-discretionary spend bracket as Directors & Officers liability insurance (D&O) with limits of up to $800 million available in the market although it should be noted that cyber policies cover a broad range of risks and losses of which cybercrime is only one. By contrast commercial crime policy limits which also include cover for the consequences of cybercrime rarely exceed $50 million and are typically far smaller than that. Commercial crime insurance remains a discretionary spend with many companies choosing to retain this aspect of cybercrime risk on their balance sheets.

Identifying the overlap

The scope for overlap between cyber and crime insurance can cause confusion and obscure the different roles which these classes of insurance are supposed to play in a company’s risk mitigation strategy. To make matters worse, no two crime or cyber policies are the same and, at the margins, there is little consistency between the two classes. It is also true that (although much smaller than its cyber market cousin) the commercial crime market has suffered significant losses which has resulted in a loss of appetite among insurers for this class of risk although there are signs that this is changing.

The D&O insurance market may also have played a part, at least indirectly, in dampening enthusiasm for commercial crime insurance among buyers. The spike in premiums resulting from the recent hard market in D&O may have reduced available budgets for commercial crime. And, although the primary purpose of D&O is to protect company directors from personal liability, risk managers may understandably regard D&O as also playing a useful part in protecting a company’s balance sheet as a policy of last resort in cases of serious cybercrime related loss or damage which are alleged to result from failings in board oversight. 

So, which aspects and consequences of cybercrime are effectively only ever covered under a commercial crime policy?  This question is addressed below.

How did we get here?

A useful starting point is to contrast the original intent behind commercial crime and cyber insurance. Commercial crime insurance which evolved from the traditional fidelity bond market some forty years ago is intended to cover “direct financial loss” suffered by a company resulting from theft of its property either by its own employees or by third parties. Although there is no reliable definition of “direct financial loss”, the intention was and remains to cover the loss of property by theft but not the indirect consequences of such theft.

By contrast, cyber insurance has evolved more recently to cover companies for certain specific categories of loss and damage based on their use of and reliance on computers and other electronic activities. These include:

• The cost of responding to a cyber incident, such as IT forensic, legal and customer notification expenses.
• The cost of restoration of lost or corrupted data
• The recovery of computer systems as a result of targeted attacks or otherwise.
• Liability to third parties for breach of data privacy legislation.
• The payment of cyber breach related fines and penalties.
• Business interruption caused by hacked systems.
• The payment of ransom demands to avoid damage to computer systems.

Noticeable by its absence from this summary, is any reference to cover for the actual property (tangible or otherwise) lost as a result of cybercrime. This risk (usually referred to as “theft of funds” by cyber insurers) is almost always excluded in cyber policies except for smaller companies where modest sub-limits may be offered. 

Compare and contrast?

Given the range and variety of available cyber and crime coverages, a detailed compare and contrast exercise of the two classes of insurance is challenging. (As for D&O insurance, its limited relevance here (as stated above) is as an insurance of last resort dependent on findings of management liability.) So, it is perhaps more helpful to identify specific examples of cyber payment frauds which would or should be covered under good market standard commercial crime policies where the “direct loss” of the insured’s property would almost certainly not be covered under a cyber policy.

Cyber payment fraud is a deliberately wide umbrella description for a variety of fraudulent computer-based schemes which may be carried out either by employees or by third parties or a combination of both. It includes (but is by no means limited to):

Social engineering fraud

• The well-publicised phenomenon known as “social engineering fraud” is where one or more employee is tricked into remitting company funds to fraudsters in the belief that the request is legitimate. This may be as a result of impersonation of a senior executive in a phone call or through online contact or a combination of both. Methods are becoming increasingly sophisticated.

Artificial intelligence  

• In a worrying recent development, a social engineering fraud was successfully carried out to the tune of $25 million on a company based in Hong Kong using AI generated images and speech on a video conference call to imitate the chief financial officer and others in a simulated video conference call.

Cover for this type of cyber payment fraud is available in the market for companies with appropriate fraud mitigation controls but rates and limits will need to be rigorously negotiated.

Payroll and other accounting frauds

• Other examples of cyber payment fraud include the creation of false customer accounts in order to generate false payments and the collusion with other entities to process false claims or to alter payee details on payrolls. They also extend to fraudulent schemes involving vendors , suppliers and procurement functions and are almost infinitely variable. Amounts misappropriated will vary considerably depending on the size of the company and the length of time the crimes go undetected. These types of crime are certainly not new but given the trend towards increasing automation of process will almost certainly always fall within the category of cybercrime as defined above.

Computer hacking

• A more direct form cyber payment fraud is the fraudulent manipulation of the insured's computer system by, for example, hackers transferring funds to an outside account. While the indirect consequences of such incursions including potential liabilities to third parties and the costs of repair to the system of the computer breach could be covered under a cyber policy, the actual loss of money or other property would not be. 

In effect, these are all examples of “theft” in the general sense of the word although perhaps not in its strictly legal sense. Developments in common law and legislation such as the UK Fraud Act 2006 have created a variety of additional offences such as “fraud by false representation” and “fraud by abuse of position” to fill these gaps.  As such, good commercial crime policies should provide cover for what is actually lost or “stolen” as a result of computer fraud regardless of which specific legal sub-category the fraud falls into.  But it is important to check (and, where appropriate, receive expert assurance) that the relevant insuring clauses and exclusions in any given crime policy will operate to trigger cover as they should regardless of the particular type of cyber payment fraud involved.

Another reason to revisit buying commercial crime insurance?    

Apart from the clear and obvious benefit of protecting a company’s balance sheet from exposure to direct losses suffered from cybercrime (assuming appropriate limits, retentions and premiums can be negotiated), the recent creation of a new UK corporate offence of failing to prevent fraud may provide another incentive for buyers to revisit this class of insurance.

Section 199 of the Economic Crime and Corporate Transparency Act 2023 introduces a new criminal offence for large organisations of “failure to prevent fraud”. It is modelled on the equivalent offence created under Section 7 of The Bribery Act 2010 and applies to “relevant bodies” who are guilty of an offence when “a person associated with that body commits a fraud offence intending to benefit the relevant body.”

As with the Bribery Act offence, a defence is available if the relevant body can demonstrate that it had in place fraud prevention measures that were reasonable in all the circumstances. The Government will imminently publish guidance on what it considers constitutes “reasonable fraud prevention measures” (it has promised to do so in “early 2024”) and the new offence will come into force after that. Systems and controls to prevent fraud will inevitably come under renewed internal scrutiny by large organisations since they will form the basis of the company’s defence to the new offence. These same systems, if robust and up to date, can be deployed to negotiate more favourable terms from commercial crime insurers.

Conclusion

A recent survey carried out by CIFAS (the UK’s credit industry fraud avoidance system) found that one in eight adults admitted to committing fraud in the last 12 months. PWC’s global 2022 Global Economic Crime Survey found that 64% of UK businesses have experienced fraud, corruption or other economic or financial crime within the past 24 months. We do not know what proportion of such frauds constitute “cybercrime” although it is likely to be a substantial. (It is worth reminding ourselves here that commercial crime polices are (or should be triggered) by all types of fraud irrespective of the cyber element.) So, both in terms of frequency and severity, there is a significant insurable risk – indeed arguably a greater risk than exists either for D&O or for cyber insurance.

Why then does demand for commercial crime insurance remain so tepid? Part of the answer probably lies in confusion and lack of clarity as to the cover available under these policies and as to the interplay between cyber and crime insurance. Perhaps, part also lies in the terms (both as the limits and retentions and as to premiums) which a relatively small commercial crime market has been willing to offer. Yet recent experience shows that fresh and imaginative approaches to this cover can deliver attractive solutions even to large organisations which have previously dismissed this well-established class of cover as either too expensive or too restrictive or both.   

This article is intended to highlight general issues and benefits relating to its subject matter and does not take into account the individual circumstances or requirements of individual recipients. Specific advice about your particular circumstances should always be sought separately before taking any action based on this publication.