Crime, Cyber Policies Combine To Address Fraudulent Instruction Risk

Email-based fraudulent instruction schemes are one of the most prevalent schemes affecting businesses today, and crime and cyber-insurance policies are the most common sources of recovery for most businesses affected by such schemes, according to Lockton.

Given the importance of the two lines of coverage in responding to such a frequent source of cyber attacks, it's essential that businesses understand what is and isn't covered under the two policies, a new Lockton report suggests.

In the January 25, 2023, report, Fraudulent Instruction Loss: How Crime and Cyber Insurance Policies Intersect, the report's authors, Paul Lynch, vice president, executive risk insurance and claims counsel at Lockton, and Jessica Klein, senior analyst in Lockton's Cyber & Technology practice, note that for businesses today, business email compromise scams are a source of both great frustration and significant financial loss.

"In a typical scam, the bad actor poses as a known business associate of a company (for example, a supplier, vendor or lender) through either a phony email or the alteration of a once-authentic email," the report says. "The actor instructs an employee with payment responsibilities for the target company to send future payments to a new bank account. Once the funds are transferred, the money is immediately withdrawn from the bad actor's account. By the time the target company realizes the deception, the money, which can sometimes be in the millions of dollars, is long gone."

The report notes that crime policies were originally designed to reimburse the policyholder for losses resulting from criminal actions of employees and third parties such as theft, forgery, and robbery. As information technology evolved, insurers added computer crime coverage, Lockton says.

"More recently, it became apparent that clarity was needed to address whether monetary losses stemming from computer-based social engineering fraud were covered by the traditional crime policy," the report says. "This led to the creation of the specific social engineering and fraudulent instruction coverage that is common in policies today."

In the case of fraudulent instruction-based crimes, the covered loss is typically limited to "money" and "securities," Lockton says. In most crime policies, money typically includes currency, coins, and bank notes, while securities include negotiable and nonnegotiable instruments that represent money or property.

"Notably, most crime coverages do not cover tangible property losses, such as inventory or product transfers, that result from fraudulent instructions," the report says. "Lockton, however, has developed a proprietary crime policy form that does provide this coverage."

Businesses that believe they've suffered a fraudulent instruction loss should examine four crime policy clauses, according to Lockton.

• Fraudulent instruction fraud (sometimes referred to as "social engineering fraud" or "corporate deception fraud")
• Computer fraud/computer hacking
• Funds transfer fraud
• Employee theft

In cyber-insurance policies, some insurers provide fraudulent instruction and funds transfer fraud loss coverage that is very similar to the coverage available under a crime policy, Lockton says. "Some cyber insurers include these coverages by default, while others provide them for an additional premium," the report says.

Many insurers won't provide cyber-crime coverage at all, though, Lockton said, especially if the insurer underwrites both the crime and cyber policies, or if the policyholder is a financial institution. And cyber insurers typically don't offer cyber-crime coverage to large organizations, according to Lockton.

Cyber insurers also often offer "invoice manipulation" coverage, the Lockton report says, which pays for losses resulting from cyber criminals using the insured's computer system to send phony payment instructions to customers, leading the customer to send payment to the cyber criminal.

Together, insurers may refer to the social engineering fraud, funds transfer fraud, and invoice manipulation coverages as "cyber crime" or "e-crime" coverages, Lockton says, with the coverages almost always sublimited at less than $500,000, depending on the size of the policy because of the frequency of such incidents.

"To fill the gap cyber-crime sublimits create, organizations should consider—if they have not already done so—purchasing the coverages described above in their crime policies as well as excess coverage that follows the cyber-crime coverage," the Lockton report says. "Because crime policy limits are sometimes higher than cyber policy e-crime coverages, a crime policy can be the single largest source of recovery for a fraudulent instruction incident."

Cyber-insurance policies will often specify that social engineering/fraudulent instruction coverage is excess of other similar coverage, the report says, which might result in the cyber policy not providing coverage for loss of money or securities until the crime policy is exhausted. In some cases, though, both policies might be deemed primary, in which case the insurers will work out how to split coverage of the policyholder's losses.

"While there is a great deal of overlap between crime policies and some cyber policies in terms of how they respond to social engineering and fraudulent instruction type losses, the cyber policy will go further because it will cover the insured's losses beyond just lost money or securities," the Lockton report says. "For example, if the fraudulent instructions were generated due to a breach of the insured's computer system, the insured may be entitled to reimbursement under a cyber policy for breach response costs (including legal advice, forensic services and notification services), business and dependent business interruption costs, and losses sustained by third parties as a result of the breach."

The Lockton report notes that beyond the crime and cyber policies, the policyholder's incident response planning and rapid action and reporting after an incident is discovered are critical.

"As social engineering schemes proliferate and grow in size and complexity, crime and cyber insurance policies have become an essential part of corporate insurance programs," Lockton says. "While no policy can fully protect policyholders against the universe of catastrophic perils posed by complex social engineering schemes, experience has shown that these policies are a reliable source of recovery for fraud victims."