De-mystifying Insurance ' Crime And Cyber Policies For Financial Institutions (FIs)

• Published date: 24 August 2023
• Subject Matter: Insurance, Criminal Law, Technology, Insurance Laws and Products, Crime, Security
• Law Firm: WTW
• Author: Hollie Mortlock

In this second article of the De-Mystifying Insurance series (D&O/PI), here we discuss the differences between cyber and crime insurance for FIs.

Does the cover overlap?

In some instances, coverage between a cyber policy and a crime policy may overlap. For example, extortion (e.g. Ransomware), computer-related events, and in some instances, socially engineered losses. Generally, cyber policies are liability policies, i.e. third party losses, however they can provide cover for first party losses, i.e. costs associated with cyber events, and of course business interruption losses. Both policies are there to protect the company, however the outcome of an event will determine whether either or indeed both policies may be triggered.

What do the policies cover?

Crime policies (also known historically as Bankers Blanket Bond (BBB) policies) provide coverage for an FIs' direct financial loss arising from various internal and external frauds such as:

• Employee infidelity
• Forged or altered documents / securities
• Social engineering
  
  

Crime policies (also known historically as Bankers Blanket Bond (BBB) policies)

Over the last few decades, crime policies have extended to include other perils such as, amongst others, extortion (including cyber-related extortion and ransomware) and erroneous transfer. There is typically also coverage for costs incurred in dealing with internal and external frauds, such as claims preparation costs and forensic costs.

It has been quite some time since computer crime coverage was introduced, however the scope of the coverage has broadened significantly as technology has developed to ensure it aligns with how FIs operate and their risk exposures.

Cyber policies however provide coverage for third party claims (and associated costs) against the FI relating to certain cyber-related events, such as:

• privacy breach (corporate or personal)
• hacking, intrusion or use or operation of, or compromise of the security of the FI's computer system, and in some cases, that of a third-party service provider
• media infringement

In addition, cyber policies generally also provide coverage for:

• cyber-incident response costs
• cyber business interruption and associated costs
• costs associated with regulatory investigations
• data protection regulatory fines
• cyber extortion

It is worth remembering that coverage for both crime and cyber policies can vary from geography to geography and can also vary on the type of FI, as well as the state of the FI and/or...