One of the challenges in designing a comprehensive cyber insurance program lies in the fact that cyber risks are not easily contained within the insurance industry’s pre-defined “boxes.” Cyber risks can affect virtually all lines of insurance, and, yet, most of these insurance policies were never designed to cover such risks. There can often be a sizable grey-area between insurance policies when trying to piece them together. One area that is particularly fraught with peril (pun intended) is cyber crime.
Theft of money has historically been addressed by a crime insurance policy. However, crime policies have historically not offered any coverage for certain cyber crimes. Two new (ISO) endorsements are now available (as of Nov 2015) and seek to address some of these issues.
We would like to thank Stuart Powell and the IIANC for allowing us to duplicate their post on these new endorsements.
Internet crime is not just about data breach losses. While data breach losses are significant and can result in considerable financial damage to businesses and individuals, the internet can be used to commit old fashioned crimes such as the theft of money. Two new ISO Crime Insurance endorsements became available in November of 2015 of which agents should take note.
Fraudulent Impersonation – CR 04 17 11 15 is designed to be used with the Commercial Crime Coverage Policy or Form. (It can also be used with the Government Crime Coverage Policy or Form.) It fills a gap between the traditional crime coverages and newer cyber or data breach coverages.
Traditional crime insurance coverages have not had an Insuring Agreement that would recognize this exposure. The endorsement addresses two groups of people who could be fraudulently impersonated, i.e., “employees” and/or “customers” and “vendors.” The exposure, however, is the same. There would be coverage if the “named insured” receives, in good faith, an instruction to transfer “money”, “securities” or “other property” from a scheduled persons described above ‘but which “transfer instruction” proves to have been fraudulently issued by an imposter without the knowledge or consent’ of the scheduled person(s).
An example of this exposure would be an email purporting to be from the scheduled person authorizing a transfer of money. The transfer is made and, later it is discovered that the email was not from the person from whom it purported to be. The endorsement is not media specific so the “transfer instruction” could be in any form, electronic or otherwise.
One obvious loss control for this type of exposure is “verification.” This would entail a confirmation of the instruction before the transfer would be made. The endorsement has three options that may be selected.
- Verification is Required For All “Transfer Instructions”
- Verification is Required For All “Transfer Instructions” in Excess of a Specific Dollar Amount
- Verification Of “Transfer Instructions” Is Not Required
The degree of verification would have an impact on underwriting and pricing.
It is not difficult to see the value that this coverage could have to a business. Not only would it provide indemnification in the event of a loss, it highlights the value of verification and the potential for loss avoidance.
Include Virtual Currency as Money – CR 25 45 11 15 is designed to incorporate virtual money into the definition of “money” for coverage purposes. This endorsement is also designed to be used with the Commercial Crime Coverage Policy or Form. (It can also be used with the Government Crime Coverage Policy or Form.)
The current ISO Crime Insurance Coverage Policy or Form has an exclusion for virtual money. This endorsement amends the exclusion to except, and therefore provide coverage for, virtual currency to the extent scheduled on the endorsement. The endorsement schedule provided the option to select Employee Theft and/or Computer and Funds Transfer Fraud Insuring Agreement. It provides for a sublimit of insurance for each of the insuring agreements and requires a declaration of the name of the virtual currency and the exchange on which the virtual money is negotiable.
The endorsement describes virtual currency to include, but is not limited to, digital currency, crypto currency, or any type of electronic currency. An example of this type of currency would be “bitcoin.” Wikipedic refers to bitcoin as a “digital asset.” It is a peer-to-peer internet exchange of value. It does not require a governmental medium of exchange such as a central bank currency. Some use the term crypto currency. Bitcoin is a unit of value held in an account which can also be used to purchase item much like a debit card.
Since the value of a bitcoin is not backed by a governmental central bank, the determination of its value is not the subject of public exchange rates. Therefore, the endorsement requires the exchange to be used for valuation in the event of a loss be scheduled on the endorsement.
Both of these endorsements indicate an incremental movement towards addressing cyber exposures beyond data breach that are emerging from the “internet of things.” Stay tuned for there is surely more to come.
Post Originally Appeared on IIANC’s Blog. Reproduced with Author’s Permission.
Stuart Powell, CPCU, CIC, CLU, ARM, ChFC, AAI, ARe, CRIS, has over 40 years experience in the industry, both as an independent agent and as IIANC’s resident insurance guru for the last 20 years. A valuable resource for IIANC members providing technical information, Stuart is well-known across the country for his vast insurance knowledge. He regularly teaches for numerous insurance organizations and is on the national faculty for the Society of Certified Insurance Counselors.
Questions? Contact Stuart at firstname.lastname@example.org or 888-275-8914.