COMMERCIAL CRIME COVERAGE—PART TWO
Look and you can find
By Marc McNulty, CIC, CRM
The first installment of this two-part mini-series explored most of the coverages listed on the ACORD 141 Crime Section application. However, we still have one coverage to examine before we dive into the “new” crime coverages that have been developed in recent years and don’t yet appear on the ACORD 141.
Money orders and counterfeit money. Although some businesses became “cashless” during the COVID-19 pandemic, a 2019 report on the economic well-being of U.S. households by the Federal Reserve stated that 22% of Americans are unbanked or underbanked, meaning they use alternative banking products such as check cashing services, pawn shop loans, or money orders to pay for goods and services.
Of course, there are those who try to scam the financial system by various means, and that is where this coverage can come into play. The Money Orders and Counterfeit Money insuring agreement found in the 11 15 editions of the ISO commercial crime coverage forms and policies reads as follows:
We will pay for loss resulting directly from your having, in good faith, accepted in exchange for merchandise, “money” or services:
- Money orders issued by any post office, express company or “financial institution” that are not paid upon presentation; or
- “Counterfeit money” that is acquired during the regular course of business.
An interesting item to note is that the 2016 version of the ACORD 141 still lists this coverage as “Money Orders and Counterfeit Paper Currency,” but the aforementioned ISO forms include coins, bank notes, and travelers checks in the definition of “money.”
Social engineering. Now, let’s begin to explore the coverages that have been developed over the years in response to the increasingly sophisticated efforts of criminals.
Social engineering is perhaps the most prevalent crime exposure that has arisen over the past decade and is “a manipulation technique that exploits human error to gain private information, access, or valuables,” as defined by Kaspersky, a cybersecurity firm. In terms of crime insurance coverage, it is a way to deceive your clients into paying for a good or service that wasn’t actually purchased.
At this point, you’re probably familiar with some of the techniques that are used to obtain money via social engineering but, if not, here’s an example: Your insured’s bookkeeper receives an email that appears to be from a vendor with whom the insured regularly conducts business, but she doesn’t notice the slight difference in the sender’s email address. The email advises your insured that the vendor’s banking information has changed, and that the insured should send the current balance due to a new financial institution, so the bookkeeper proceeds to transfer the payment to the “new bank.”
Unless your insured contacts the vendor, learns of the fraud, and stops the payment to the “new bank” before it is initiated, they will have fallen victim to social engineering fraud. Additional insurance coverage is needed to combat this and can typically be purchased in two ways: through a crime policy endorsement (such as the CR 04 17 11 15 Fraudulent Impersonation form) or as part of a cyber insurance policy.
Invoice manipulation. Let’s take the social engineering example and flip it. If a hacker successfully infiltrates the email system of your insured’s bookkeeper, they can send out emails on her behalf that appear to be legitimate. The same type of “new bank” situation can occur, only this time your insured’s customers are receiving emails directing them to pay for your insured’s goods or services by sending the funds to a new financial institution.
If your insured is unable to collect on invoices due to situations like this where their customers mailed payment or transferred funds to a different account because of fraudulent invoice instructions, the insured would need invoice manipulation coverage to cover the loss. As you might expect, this coverage can be found through a variety of cyber insurance carriers.
Clients’ property/customer’s capital. We’ve addressed examples where your client loses money due to fraudulent instructions along with where your insured’s customer loses money due to fraudulent invoices. What about situations where your insured controls their customers’ money or property?
That can be stolen as well! But the good news is that it can also be insured.
Obviously, this type of crime coverage doesn’t apply to all businesses. But for title agencies, investment advisory firms, and other businesses that handle their clients’ money, this is a very large exposure. In fact, the exposure is twofold: Employees could potentially steal their customers’ money, or a third party could fraudulently instruct an employee to transfer funds to an external account where they don’t belong.
Like the last two coverages we examined, these types of insuring agreements can be found in either a crime policy or a cyber policy. For instance, Chubb’s Financial Institution Bond for Asset Managers offers customer’s capital coverage that addresses losses stemming from dishonest acts of an insured’s employee. The form then offers a separate insuring agreement titled Customer’s Funds Transfer and Social Engineering Fraud that addresses external exposures.
On the other hand, cyber insurance policies may address this exposure through enhanced funds transfer coverage or via an insuring agreement for theft of funds held in escrow.
An ISO-based solution?
The aforementioned CR 04 17 11 15 Fraudulent Impersonation endorsement was ISO’s first attempt to offer coverage for losses stemming from the fraudulent impersonation of employees as well as customers and/or vendors. The 06 22 versions of the ISO commercial crime coverage forms and policies have modified this language and have incorporated it into their base coverage forms.
One thing to note is that the CR 04 17 11 15 endorsement provides three options for both fraudulent impersonation of employees and fraudulent impersonation of customers and vendors, while the 06 22 ISO crime base forms do not have these options built into the form. The endorsement’s options are:
- Option A requires verification for all transfer instructions
- Option B requires verification for all transfer instructions in excess of an amount specified on the endorsement
- Option C does not require any verification when transfer instructions are provided
The verification process is either a pre-arranged callback or another established verification procedure that can confirm that the instructions are legitimate.
Whether you address your clients’ exposures via ISO crime forms, insurance company proprietary crime forms, or a combination of a crime form plus a cyber form, it’s important to know that any business is susceptible to fraud. It’s also important to know that plenty of solutions are available in the marketplace to properly cover your clients, so be sure to reach out to your favorite broker or MGA if you can’t find a specific type of crime coverage in the standard market.
The author
Marc McNulty, CIC, CRM, is a principal at The Uhl Agency in Dayton, Ohio, and has been with the agency since 2001. He divides his time among sales, marketing, technology and operational duties. You can reach Marc at marcmcnulty@uhlagency.com