Cyber risk impacts practically every line of commercial insurance, yet the extent of coverage provided remains unclear in many lines of insurance.
With respect to Crime insurance, according to the LMA website, it is understood that “cyber” coverage is affirmed under the computer crime section. As all covered cyber loss falls within the computer crime section, the other sections will not trigger and therefore do not require the addition of affirmative language in order to be compliant with any mandate to address silent cyber.
However, noting the bespoke nature of some policies, where an underwriter considers that a specific policy does include a cyber trigger of loss then specific policy language to affirm or exclude coverage will be required. To that end, the LMA offers to model clauses:
-
-
- the LMA5428 to exclude and write back specific cyber coverage.
- the LMA5429 to affirm cover as follows:
This Policy does not contain a specific Cyber Act or Cyber Incident exclusion, therefore a loss (which is otherwise covered by an insuring clause herein) due to a Cyber Act or a Cyber Incident will be payable subject to all of the terms, conditions, warranties and exclusions of this Policy.
-
Any language added to any policy should be carefully reviewed. The above affirmative language is very clear.
Social Engineering
Social engineering losses frequently test insurance coverage; when a fraudster manipulates an insured, likely via impersonation, into transferring money to the fraudster. To assess potential coverage, we start with the insuring clause to consider three things – the coverage trigger, the injury or harm insured and the proximate cause of the loss.
Let’s have a look at Crime insurance:
Commercial Crime (fidelity bond)
- The coverage trigger is the discovery of the Loss of money / securities.
- The injury or harm insured is the Insured’s own money/securities.
- The proximate cause of the loss is a fraudulent act, typically providing coverage only for loss caused by the perils specifically listed as covered. Voluntary payment of 3rd party loss will not trigger a Crime policy.
The key questions then are – has money been lost? Whose money has been lost? And how, specifically, has it been lost?
In a recent Supreme Court decision, Van Buren v. U.S. (June 3, 2021), the Court found that unauthorized access is required for there to be computer fraud under a fidelity bond. This federal decision follows several District Court level findings over coverage disputes, summarized as follows:
- A named perils Commercial Crime policy offering “Computer Crime” cover should respond to the Direct Loss of the Insured’s own money caused by a hacker, if the hacker had “direct access” to the computer system and this access is the proximate cause of the loss (e.g. the hacker changes payee address or other instruction etc.)
- This Receipt of an email does not = “direct access” to the system.
- If an employee receives an email & then changes payment details, the proximate cause of the loss was the employee’s act. Employee acts will not trigger coverage under a named perils Commercial Crime policy unless the employee was acting dishonestly.
- A named perils Commercial Crime policy offering “Forgery” coverage will not be triggered by Email Impersonation fraud. Coverage for Forgery under Commercial Crime insurance is typically tied to a forged financial instrument – money, checks etc., and not the forgery of an email or other instructions.
- A named perils Commercial Crime policy offering “Funds Transfer Fraud” will not be triggered by a bad actor that has impersonated the insured and sent fraudulent instructions to the Insured; however, it should respond where the recipient of the fraudulent instruction is the Insured’s financial institution and the financial institution acts upon this instruction.
Some Potential Crime / Cyber Risk Coverage Gaps
- Cyber insurance will trigger on the unauthorised access to data or systems. There is no default cover for the direct loss of money. Many policies will clarify this further and exclude theft of money or securities, or other tangible property. Social engineering loss can be covered only when it is specifically listed as an insuring clause.
- Commercial Crime insurance will typically exclude liability to others, but may cover defense costs by extension. To understand the potential coverage available for liability arising out of the loss of money or securities, consider:- Liability coverages and review for silent cyber exclusions. Also note, some Liability coverages respond to client loss arising out of an alleged employee Act. What is deemed an “Act” will be defined in the policy (negligent, intentional) and whether the underlying cause of the loss meets “Act” may ultimately be for the courts to decide.
– Cyber Insurance and review for exclusions for theft of money; and/or exclusions for the loss or damage to physical property. - Commercial Crime insurance will trigger for theft when there has been cybersecurity incident/intrusion. The social engineering fraudster typically does not have any access to the insured’s network or system. This is a gap in coverage to which there is no universal solution, however…
– Some Crime insurers, as well as some Cyber insurers, have included coverage for social engineering.
– Please note there is no market standard for this coverage, and so can vary wildly between insurers. some forms require system access (akin to the crime policies), some forms only cover the Insured’s own loss, while others only cover the Insured’s liability.
For more information, or for a copy of our review of the Commercial Crime coverage dispute cases, please contact:
Lyndsey Bauer
Partner
Direct Dial: 020 7280 8228 | Mobile: 07792306783
Email: lbauer@paragonbrokers.com
Spenser Lee
Partner & Director
Direct Dial: 020 7280 8205 | Mobile: 0779 230 7386
Email: slee@paragonbrokers.com