Cyber Underwriting 101 - Vol. 5: What is "The Cyber"?
Emy R. Donavan (she/her)
Consultant, FinTech Investor, Board Member, Fractional Chief Underwriting Officer
So, friends... "Cyber Insurance" sure does seem to be in the news a lot. For example, earlier today, my boss called me. He'd read an article about a recent denial of coverage relating to a fraudulent funds transfer event. He'd called to get a better understanding of how a "Cyber Policy" would respond to a funds transfer loss... In short, it wouldn't.
A few recent articles have announced a "Cyber Policy" denied a claim wherein an accounting director was tricked by a phony email using the CEO's email address, which resulted in the accounting director wiring nearly half a million dollars into an offshore account. The article came out a month ago. When I read it, the first thing I thought was "obviously they denied the claim... cyber policies don't cover that."
Why, you may ask, did I think that? You may say, "Emy, that's crazy. Were it not for some sort of network breach (aka cyber event) the poor accounting director could not have been duped. So isn't that a cyber loss?" Sort of, but not in the way you might assume.
When insurance people talk about "Cyber Insurance" they are usually referring to Cyber Liability policies (which are much more accurately called network security and privacy liability policies), which respond to network breaches that result in LIABILITY (i.e. your network breach causing harm to someone else). Sending your own money to someone else, regardless of whether or how you were fraudulently induced to do so, has nothing to do with liability you have to a third party. You're the only one that's screwed as a result, so there's no liability.
Such an incident is much more akin to falling victim to an old-fashioned mail scam. Based on that fact, crime policies - which have been around forever, and are generally not referred to as "Cyber Policies" in "the biz" - are the policies that would be most likely to respond to cyber crime events involving fraudulent transfer of cash or securities. The funny thing is, the policy that the articles are referring to as a "Cyber Policy" is actually a commercial crime policy, so why the claim was denied goes well outside my area of expertise.
Could you cover email scams under a policy for network security and privacy liability (aka - a "Cyber Policy")? Sure you COULD, but most "Cyber Policies" don't. That's simply because there's already another insurance product for that sort of thing: crime insurance. The fact that now scams are coming through your computer instead of the post doesn't mean the loss is any different.
Until next time, choose your coverage (and words) carefully, friends.
Consultant, speaker & coach. Founder of The Insurance Breakfast Club
8yGreat explanation Emy. Thanks for sharing!
Editor of The Political Risk Podcast, Editor of Global Reinsurance, Freelance Journalist
8ySome good clarity for what can be hazy understanding!
Managing Director, Product Leader, Cyber Insurance - Professional Services Practice
8yI have seen several articles decrying cyber insurance because it doesn't cover these incidents, including one that called cyber insurance a "rip off" because the insurer in question declined such a claim - the tiny details that the claim was (correctly) submitted to the client's Crime insurer, who had (correctly) declined it because of a very specific exclusion, had somehow escaped the razor-sharp gaze of the fearless investigative reporter. These incidents can be covered under a crime policy by including a "Social Engineering Endorsement" - as you so rightly state, like the Nigerian Prince scams, it is an old scam being communicated by 21st century methods and that does not make it a Cyber coverage issue.