Insurance Times explores the relationship between cyber cover and traditional crime policies, looking at how these insurances can work together or where there may be gaps in cover

Cyber risks, such as data theft, have gained a higher profile over recent months as employees and families remain at home, with potentially poorer cyber security than workplaces, to mitigate the spread of Covid-19. But cyber crime was on the agenda for insurers and brokers long before coronavirus struck – the British Crime Survey 2019, for example, reported cyber crime as the most common crime in the UK, equating to 4.6m offences a year.

Furthermore, the Office for National Statistics reported in its Crime in England and Wales: year ending December 2019 figures, published in April 2020, that unauthorised access to personal information, including hacking, had increased by 7%. This amounts to 540,000 offences.

This poses the question of what cover is available for businesses to safeguard against emerging cyber threats, considering that many will already have purchased a form of crime insurance. Are these policies sufficient for tackling cyber crime also, or is there a need for specialised cover?

Available cover

According to Anthony Cordonnier, Swiss Re’s head of cyber product management, property and casualty, a crime insurance policy “typically provides coverage for direct financial loss suffered by the insured as a result of a crime committed by an employee of the insured or a third party”.

“Coverage is normally provided on a named perils basis and would, for example, respond to acts of internal fraud, forgery and theft, on the insured’s premises or in transit,” he said.

However, due to the shift in how crimes are now committed – from physical to digital – Cordonnier added that a modern crime policy would also cover what Lloyd’s calls Electronic and Computer Crime (ECC).

First introduced in the 1980s, Cordonnier said these wordings are “often quite heavily amended to make them more relevant for today’s technology, although the basis of coverage remains the same”.

An ECC policy, he said, responds to direct financial loss suffered as a result of a third party fraudulently accessing the insured’s computer systems, usually leading to an unauthorised funds transfer.

But are ECC wordings enough to cover the range of cyber threats, or should prospective policyholders look to purchase a separate cyber policy?

Lindsey Nelson, cyber development leader at CFC Underwriting, believes cyber crimes require a more specialised incident response to claims, such as forensics, which is typically not readily available under a traditional crime policy – in fact, she described cyber insurance as “a modern-day crime policy”.

She said: “Almost all businesses are reliant on technology to facilitate their operations and recognise that their intangible assets – such as their data, software and networks – far outstrip the value of their tangible assets, such as production equipment and machinery.

“A cyber policy in reality is a modern-day crime policy whereby stealing data, encrypting networks via malicious malware and theft of electronic funds are all essentially new forms of crime.

“The primary distinction between a cyber insurance policy and traditional crime cover is that one is intended to cover electronic crime while the other one addresses physical theft. However, cyber policies cover much more than just electronic funds, and the real value a cyber policy can add is the claims expertise from an incident response perspective.

“Cyber crime incidents often involve business email compromises, whereby criminals linger in an email inbox to intercept a fund transfer at just the right time. Clients greatly benefit from having an insurer that has the expertise to provide initial advisement on whether forensics are required to determine if they exfiltrated any data or work with legal advice around notification obligations.”

Cordonnier agreed that cyber policies can offer additional support, adding: “Crucially it also provides a comprehensive suite of services to help businesses recover from outages or breaches, such as IT forensic experts, crisis communications management and legal experts. Cyber insurance also indemnifies third parties against the consequences of data breaches. Cyber policies sometimes also cover the consequences of non-malicious system failures.”

Combining coverage

But how do these policies work together to ensure policyholders can be covered against all physical and cyber threats? Cordonnier noted that crime and cyber policies have some overlap in terms of the cost of reconstituting any data that the insured has lost. He added that there could also be gaps in cover in respect of social engineering, which he also calls ‘Fake CEO’ losses.

Scott Farley, director of communications at the International Underwriting Association, said that although both crime and cyber policies can be bought as standalone products, consumers can purchase third-party crime cover as an extension to cyber insurance.

He added: “It is unusual to buy cyber as an extension to a crime policy, but a number of companies – for example Aviva, Travellers and others – will allow you to have a combined policy with cyber and crime sections.

“This should have common defined terms, for example for computers, and remove gaps in coverage. Also [policyholders are] only dealing with one insurer for a claim.

“For smaller clients, having one policy covering cyber and crime would cover one of their biggest, and growing, exposures. One factor that stops customers buying both is that the cost of crime insurance is often greater, with higher excesses, then cyber policies, reflecting the greater exposure.”

Nelson agreed: “There is certainly a case to be made that, for most SME clients, they’re looking to have both addressed under one policy to avoid having to purchase multiple policies across different insurers.”

Furthermore, cyber and crime policies can work alongside each other to plug cover gaps, Farley said.

“It is often possible to extend a cyber policy to cover third-party, external cyber crime – theft by a hacker, etc – but not theft by an employee. However, first party theft by an employee is covered by a full crime or fidelity policy,” he added.

PASS NOTES

When is cyber expertise typically needed?

Lindsey Nelson, CFC Underwriting cyber development leader, said theft of money is a key example where policyholders can benefit from the specialist services offered by a cyber policy. This is particularly pertinent as these crimes are increasing, she added.

“Theft of funds is the single most common source of claim that CFC sees on its cyber policies in all territories it operates in. Increasingly, the claims involve the sort of compromise of an insured’s network that require the access to incident response specialists that a cyber policy provides,” she said.

“When we look at the 1,500 cyber notifications the CFC cyber claims team handled last year, the UK is particularly susceptible to theft of funds, accounting for 31% of our cyber claims activity by frequency, versus 26% worldwide.”

What are the typical cyber crimes covered by a cyber policy?

Anthony Cordonnier, Swiss Re head of cyber product management, property and casualty, said cyber policies typically cover the “loss of gross profit resulting from a network interruption, costs of restoring data from back-ups or reimbursement for ransom payments”.

Nelson added: “Since crime has shifted from the physical to the electronic, a robust standalone cyber policy these days will have the ability to cover 90% of a businesses’s exposures where cyber crime is included and where the frequency of loss far outweighs tangible exposures.

“The crime market has slowly started to include elements of electronic crime onto policies, but it doesn’t tend to be as broad as the cover found under cyber policies or necessarily have the technically led claims expertise required to handle these events.”