Let’s say an employee of a company receives an email that appears normal but isn't. By clicking a seemingly routine link, the employee has opened his company’s systems to a hacker.
The hacker watches emails go by and notices invoices coming and going. The hacker then creates a realistic-looking invoice, except that the payment instructions are altered to direct funds not to the legitimate vendor but to the hacker.
Would the company’s cyber policy respond to the losses? Or the crime policy?
In this example, it would be both. The cyber policy would cover, say, the costs of a forensic examination of the company’s systems to see where else the hacker intruded. The crime policy would cover the diverted funds.
But the delineation between cyber policies and crime policies is not always clear and has evolved, as courts have settled disputes and cybercriminals have deployed new attack methods.
Panelists on a recent Lockton webcast explored the evolution of cyber policies over the last decade, how court decisions have shaped what policies cover and what they don’t, and how insureds can better design insurance programs to protect themselves from the widening cyber threat landscape.
In general, cyber policies cover costs incurred by the company to respond to cyber attacks, as well as losses resulting from the disruption the attacks cause to the business. Cyber policies also cover litigation and regulatory investigations arising from an attack.
Meanwhile, crime policies cover theft of money or property, including losses from fraudulent fund transfers, social engineering, and computer fraud.
Until about 2016, insurance policies generally viewed cyber threats through the relatively narrow prism of computer fraud, which is to say brute-force hacking and direct system intrusions by cybercriminals.
As hackers have become more sophisticated and deployed new attack mechanisms, such as business email compromise, invoice spoofing, and deepfakes, policyholders and insurance companies have gone to court to argue about what cyber and crime policies do and do not cover. In many cases, decisions turned on definitions in policies and what caused the cyber attack.
Advancements in artificial intelligence raise intriguing questions about how crime and cyber policies affect insureds.
“I don’t want to say a doomsday scenario,” said Matt Klein, Lockton’s U.S. Fidelity and Crime Product Leader. “But I do find that the criminals are often ahead of us in responding. What we can do here is do our best to use AI technology to try to capture ways that we believe criminals are going to be causing loss. But a lot of it is going to be, unfortunately, reactionary.”
Watch a replay of the webcast for more insights.
