Insight

The value of commercial crime insurance in an evolving risk landscape

Published

Written by

Read time

Why do I need crime insurance if my security processes are thorough and up-to-date?

Doesn’t my cyber insurance policy cover me for those types of things?  

What is the value of crime insurance?

These are some questions clients ask when commercial crime insurance is first proposed. The value of commercial crime insurance, and the coverage that it provides clients in times of distress, can in fact be immense. This is because criminality, via third parties or emanating internally via employees, is constantly evolving. For instance, in recent months there have been examples of well-known UK chefs and restaurants – Heston Blumenthal, the Ritz, and Yotam Ottolenghi to name a few – being targeted by an identity theft scam where third party fraudsters have cloned their businesses on Companies House, used acCompany director’s name found on social media, and subsequently taken out bad credit in their names, thus riddling businesses with debt,worry and reputational damage.[1]

Not all instances of fraud are so straightforward though. As artificial intelligence (AI) continues to improve so do the opportunities for criminals to misuse it. Earlier this year this was evidenced when employees at UK engineering firm Arup were duped into sending around £20m to criminals after an AI-generated video call. The fraudsters utilised deepfake technology that enabled them to pose as a senior company director on a live video call that was sophisticated enough to convince staff to hand over funds.[2] Couple such examples of sophisticated AI deepfakes with criminal ingenuity and the continued high frequency of traditional phishing scams and it is clear that businesses need to be more vigilant than ever to protect themselves.

This is where the value of commercial crime insurance comes to the fore. Depending on the scope of the commercial crime policy in place, each of the above examples could have been covered for direct financial loss via such a policy. Crime insurance coverage is therefore designed to ensure that in the event of instances such as social engineering scams or employee theft that the financial stability of your firm is not threatened, and instead you have peace of mind to focus on the running of your business.

Commercial crime exposure is twofold, comprising of internal and external risks.

The large social engineering events which make the news tend to be perpetrated by external actors, including criminal gangs who direct their time and energy into finding a chink in a firm’s security. This means that whilst you may think your security processes are watertight, if you rely on this alone, without commercial crime cover to provide a secondary layer of protection, you are leaving yourself potentially exposed.

Most instances of commercial crime derive from inside a business, via individual employees. Employees often have the means to perpetrate theft or fraud, since they may have access to bank accounts and knowledge of business processes and systems, along with motivation – be that greed, disgruntlement, addiction, or desperation. It is therefore important not to underestimate the underlying commercial crime risk from within your own business.

So, who exactly is insured and what are they insured for?

A commercial crime policy will typically cover internal and external crime and will insure the corporate policyholder, its subsidiaries, and often any employee pension plans. It will work on a ‘loss discovered basis’, meaning when the loss as a result of an insured crime instance is first discovered during the policy period. Internal crime is typically acts of theft or fraud or dishonesty committed by your employees with the intent to cause your firm a direct financial loss; whilst an external crime tends to be acts of theft, fraud or dishonesty committed by a third party. However, the extent of coverage afforded for internal and external crime depends on the specifics of the crime policy purchased.

The costs and expenses associated with the loss, such as replacing lost goods and the cost of accountant fees to calculate the loss, will be covered, and the loss must relate to a direct financial loss to your business. This means that a crime policy would not typically cover theft of any client funds with crime policies traditionally limited to the theft of a firm’s own funds.

This deviates from a cyber insurance policy, which typically covers aspects such as the business interruption associated with criminal activity, but will typically not address the costs of the initial direct financial loss itself, such as paying out on the value of lost inventory or funds.

Will a crime policy cover the deepfake scams seen in the news and the regular phishing scams that clog my inbox?

In many instances, yes, although this is dependent on the scope of the policy purchased. The specific terms and conditions of your crime policy will detail further extensions or restrictions, so it is always important to understand the composition of your own policy. However, insuring clauses in crime policies typically include, but are not limited to, employee and third-party fidelity; fraud and forgery; extortion; misdirected payments; social engineering; and property loss or damage from criminal activity; and even data restoration.

Value in an evolving risk landscape

Clients often assess a commercial crime policy as a ‘nice to have’, such as when premium savings have been made on their directors & officers policy or on their cyber coverage. Only when a financial loss occurs, and a commercial crime policy kicks in to cover otherwise significant losses is it truly valued.

However, in a world where artificial intelligence is rapidly advancing, technology continues to progress, international unrest intensifies, and a cost-of-living crisis persists, a perfect storm is brewing for the means and motivation for would-be fraudsters to commit internal or external fraud. In this rapidly evolving risk landscape, it is advisable to shift perceptions of the value of commercial crime insurance and begin to observe it as a ‘must have’.

 

[1] BBC News (2024) - Heston Blumenthal restaurant among those targeted in cloning scam.

[2] The Guardian (2024) - UK engineering firm Arup falls victim to £20m deepfake scam.