Skip to main content
main content, press tab to continue

Look up in the sky!

It’s a cyber loss, it’s a crime loss, no, what is it?

By Colleen Kutner and Jason Krauss | January 26, 2021

The resulting damages or “loss” are often the best way to differentiate cyber from crime.
Cyber Risk Management|Financial, Executive and Professional Risks (FINEX)

Cyber losses are sometimes misconstrued as crime losses but more frequently, crime losses are misconstrued as cyber. So, which is it? While the answer is sometimes black and white, it isn’t always that simple.

Both cyber and crime losses are often facilitated through a computer hack. However, the resulting damages or “loss” are often the best way to differentiate cyber from crime. In the most basic terms, cyber policies are covering intangibles while crime policies are covering tangibles.

A crime policy is a first party indemnification contract, covering the insured for loss of funds, money, securities or property caused by dishonest and fraudulent acts committed by covered employees, as well as other various types of theft committed by third parties. Money, securities and property can be defined terms in a crime policy. Crime policies typically contain at least two of the following three cyber related exclusions:

  1. Confidential Information Exclusion – loss resulting directly or indirectly from the theft, disappearance or destruction of confidential information including, but not limited to, trade secrets, customer lists and intellectual property.
  2. Data Security Breach – fees, costs, fines, penalties and other expenses incurred by you which are related to the access to or disclosure of another person’s or organisation’s confidential or personal information, including, but not limited to, patents, trade secrets, processing methods, customer lists, financial information, credit card information, health information or any other type of nonpublic information.
  3. Indirect Loss Exclusion – indirect or consequential loss of any nature including, but not limited to fines, penalties, multiple or punitive damages.

These standard crime exclusions (the exact language may vary from policy to policy) are broad and are meant to eliminate any uncertainty. It is important to review these exclusions closely and work with your broker to soften language, where possible. It is not uncommon to see confidential information stolen and used to initiate a computer hack which results in the fraudulent transfer of funds. To avoid gaps in coverage, we recommend that the confidential information exclusion be amended to state that it will not apply to a loss that is facilitated by the theft, disappearance, damage, destruction or disclosure of such information that would otherwise be covered under the crime policy.

A cyber policy offers both first party and third-party liability coverages. When it comes to first party cyber coverages, a cyber policy will pick up a wide variety of cyber incident response expenses incurred by the insured which arise from a privacy incident, which includes the theft of personal or confidential information. It is important to note that a standard cyber policy will not offer reimbursement coverage to the insured for the loss or theft of funds or for the intellectual property value of confidential information that may be stolen. A cyber policy also provides third-party liability coverage for claims made against an insured alleging that their personal or confidential information was stolen or not adequately protected. While certain cyber policies offer coverage for electronic theft loss, which may include coverage for losses stemming from fraudulent instruction, funds transfer fraud and telephone fraud, these coverages are pretty strictly sub-limited, often relying on the insured’s crime policy to pick up these exposures.

That brings us to the grey area. What if we have a hack that results in stolen confidential information which is later used to initiate a fraudulent transfer of funds?

In this scenario, both the crime and cyber insurers should be put on notice. The crime policy would respond to the direct loss of funds, while the cyber policy would respond to loss resulting from the stealing of confidential information. If there is a situation where the cyber policy is enhanced with certain sub-limited crime coverages, it is best for those coverages to sit in excess of the crime policy. It is also possible that a crime policy could be enhanced to include certain data restoration and extortion coverages that would be best handled on a primary basis by the cyber insurer. It is important to ensure that when there is an overlap in coverages that the retention on the excess policy erodes, as loss is paid on the primary policy. While this loss is certainly easier to settle when the same insurer is writing both policies, it is otherwise a matter of negotiating an allocation between the cyber and crime underwriters.

A combination of proprietary and standardised forms are utilised by insurers to write cyber and crime insurance. The terms and conditions will often differ, so it is important to work with your broker to ensure coverage is tailored to fit your business and meet your risk management objectives.


U.S. Fidelity Thought Leader, FINEX North America

FINEX NA Cyber Thought & Product Coverage Leader


Global Head of FINEX Financial Institutions
email Email

Contact us