When is a cyber loss a crime loss and why it matters

Cyber Risk Management|Financial, Executive and Professional Risks (FINEX)

By Colleen Kutner and Jason Krauss | January 20, 2021

The resulting damages or “loss” are often the best way to differentiate cyber from crime.

Cyber losses are sometimes misconstrued as crime losses, but more frequently crime losses are misconstrued as cyber. So, which is it? While the answer is sometimes black and white, it isn’t always that simple.

Both cyber and crime losses are often facilitated through a computer hack. However, the resulting damages or “loss” are often the best way to differentiate cyber from crime. In the most basic terms, cyber policies cover intangibles, while crime policies cover tangibles.

A crime bond is a first-party indemnification contract, covering the insured for loss of money, securities or property caused by dishonest and fraudulent acts committed by covered employees, as well as various other types of theft committed by third parties. Money, securities and property are each a defined term in the policy. Crime policies typically contain at least two of the following three cyber-related exclusions:

  1. Confidential Information Exclusion – loss resulting directly or indirectly from the theft, disappearance or destruction of confidential information including, but not limited to, trade secrets, customer lists and intellectual property.
  2. Data Security Breach – fees, costs, fines, penalties and other expenses incurred by you which are related to the access to or disclosure of another person’s or organization’s confidential or personal information, including, but not limited to, patents, trade secrets, processing methods, customer lists, financial information, credit card information, health information or any other type of nonpublic information.
  3. Indirect Loss Exclusion – indirect or consequential loss of any nature including, but not limited to, fines, penalties, multiple or punitive damages.

These standard crime exclusions are broad and are meant to eliminate any uncertainty. It is important to review these exclusions closely and work with your broker to soften language, where possible. It is not uncommon to see confidential information stolen and used to initiate a computer hack which results in the fraudulent transfer of funds. To avoid gaps in coverage, we recommend that the confidential information exclusion be amended to state that it will not apply to a loss that is facilitated by the theft, disappearance, damage, destruction or disclosure of such information that would otherwise be covered under the crime policy.

A cyber policy offers both first-party and third-party liability coverages. When it comes to first-party cyber coverages, a cyber policy will pick up a wide variety of cyber incident response expenses incurred by the insured which arise from a privacy incident, which includes the theft of personal or confidential information. It is important to note that a standard cyber policy will not offer reimbursement coverage to the insured for the loss or theft of funds or for the intellectual property value of confidential information that may be stolen. A cyber policy also provides third-party liability coverage for claims made against an insured alleging that their personal or confidential information was stolen or not adequately protected. While certain cyber policies offer coverage for electronic theft loss, which may include coverage for losses stemming from fraudulent instruction, funds transfer fraud and telephone fraud, these coverages are pretty strictly sub-limited, often relying on the insured’s crime policy to pick up these exposures.

That brings us to the gray area. What if we have a hack that results in stolen confidential information which is later used to initiate a fraudulent transfer of funds?

In this scenario, both the crime and cyber insurers should be put on notice. The crime policy would respond to the direct loss of funds, while the cyber policy would respond to loss resulting from the theft of confidential information. If the cyber policy is enhanced with certain sub-limited crime coverages, it is best for those coverages to sit in excess of the crime policy. It is also possible that a crime policy could be enhanced to include certain data restoration and extortion coverages that would be best handled on a primary basis by the cyber carrier. It is important to ensure that, when there is an overlap in coverages, the retention on the excess policy erodes as loss is paid on the primary policy. While this loss is certainly easier to settle when the same insurer is writing both policies, it is otherwise a matter of negotiating an allocation between the cyber and crime underwriters.

A combination of proprietary and standardized forms is used by insurers to write cyber and crime insurance. The terms and conditions will often differ, so it is important to work with your broker to ensure coverage is tailored to fit your business and meet your risk management objectives.

Disclaimer

Willis Towers Watson hopes you found the general information provided in this publication informative and helpful. The information contained herein is not intended to constitute legal or other professional advice and should not be relied upon in lieu of consultation with your own legal advisors. In the event you would like more information regarding your insurance coverage, please do not hesitate to reach out to us. In North America, Willis Towers Watson offers insurance products through licensed subsidiaries of Willis North America Inc., including Willis Towers Watson Northeast Inc. (in the United States) and Willis Canada, Inc.

Authors

US Fidelity Thought Leader, FINEX North America

FINEX Cyber/E&O Thought and Product Leader