A comprehensive crime policy likely has computer fraud and funds transfer coverages for direct financial losses associated with electronic transactions, as well as coverage that offers relief under social engineering/fraudulent impersonation insuring agreements. Often, this extension of coverage is sublimited, meaning the coverage is less than the main limit of the policy.

Specifically, the language might stipulate that the insurer agrees to pay for a loss “resulting directly from the transferring, paying or delivering covered property (typically money, securities and, if negotiated, physical property) as a result of social engineering fraud committed by a person or entity, who is not, but who purports to be, a vendor, a client, or an employee.” This typical sublimited amount is in the $100,000 to $500,000 range. To have access to the sublimit, these policies may have verification requirements (discussed later in this article).

This policy typically covers fraudulent instruction/social engineering loss in its cybercrime portion of coverage. Beware of carve-out language and ensure you have the appropriate verification procedures in place (discussed later in this article). If both crime and cyber coverages are in place, the crime policy typically is the primary responding policy, with the cybercrime portion of the cyber policy being excess. Consult with USI Insurance Services’ crime and cyber insurance experts to clarify how the policies are intended to interplay and what the policies do and do not cover.

It’s important to note that cybercrime is a sublimit in a cyber policy, so that the financial coverage provided for incidents classified as cybercrimes (such as hacking or phishing attacks) is limited to a certain value within the overall policy limit. For instance, if you have a cyber policy with a coverage limit of $1 million and a $200,000 sublimit for cybercrimes, the insurer will cover up to $200,000 of losses resulting from cybercrimes, even though the total policy limit is $1 million. This distinction is important, as it helps insured organizations understand the specific amounts that can be claimed for different types of cyber-related incidents. The specifics of what’s covered under a cybercrime sublimit can vary depending on the policy, so it's important to understand the details of your coverage.

E&O and D&O polices could be sought to cover third-party claims related to a cybercrime event. For E&O coverage to be considered, generally an insured must demonstrate there is a “negligent act, error or omission” arising out of the rendering or failure to render professional services. If a loss is significant enough, the executives (the directors and officers) of a company may be sued for failing to provide adequate oversight on this risk (this is a typical D&O liability claim). Organizations whose business model involves facilitating payments or the movement of money on a regular basis are more likely than others to be a target for these third-party losses, according to the International Monetary Fund. Law firms involved in real estate transactions have also been targeted.