I hear this term everywhere these days and I have to say, as an insurance broker, it concerns me a great deal. It falls into that catch-all category of insurance terminology, like “All Risks” and “Legal Expenses”, which without very careful explanation can over-promise and under-perform.
It is important to understand that when you consider covering these risks for your business, ‘Cyber’ and ‘Crime’ insurance policies are different. The term “Cyber Crime” refers to some form of computer or IT dependent criminal activity. This could be phishing, spyware, malware, hacking and social engineering. It can be a confusing term when applied to insurance.
- Crime Insurance covers you for a criminal taking or misappropriating your money, securities or property.
- Cyber Liability cover you for losses arising from the theft of data, such as employee or customer records.
Unless you discuss what it is you are actually trying to achieve with an insurance professional who fully understands these complex areas, you can still end with a claim falling between the gaps. For instance an employee who bypasses controls, believing a fraudulent request to be genuine, may unknowingly create a loss that standard crime and cyber policies will not cover.
In my experience when you actually get down to it, what most clients want cover for is fraud and misappropriation of funds caused by “Social Engineering” which of course muddies the water even further as this often results in the voluntary transfer of funds or data to a third party.
What is Social Engineering?
This is where a criminal obtains money, or confidential information, from unsuspecting and thus cooperative victims. It is now an endemic risk experienced by UK businesses. Perpetrators play on peoples’ emotions and rely on the human tendency to offer assistance when asked or in response to authority figures. Their methods have become increasingly sophisticated, convincing people to bypass security controls or divulge information.
Cover can be purchased to include acts where employees ‘voluntarily’ transfer funds or data, but it is important to note that insurance policies presuppose the existence of internal controls to mitigate loss and therefore insurance is not designed to be a substitute for a lack of such controls. These areas of cover and risk are new and fast moving; unless you speak to a broker who knows this subject inside out you could end up with an insurance policy that is simply not fit for purpose.
However, with a thorough understanding of your business and a little time, a robust safety net can be erected to protect you and your business from these exposures. Please contact us for more information.