Chief financial officers and risk managers should carefully and fully explain their financial and computer operations to competent insurance agents so that cyber and crime package policies are tailored to insure their operations in the event of an attack or theft. The financial consequences of not doing so cannot be overstated. For example, The CPA Journal noted in an article:

Sometimes the highest and best value that CPAs can provide to their clients and employers is to prevent problems from occurring or to recognize events that could have a negative impact. Accountants do not have to be information technology experts to help organizations recognize the risks from criminal uses of cyber tools, and probably understand better than anyone else the huge financial costs of technology risks. As an example, based on reports from multiple sources, the Equifax breach could cost the company up to $700 million….1

In a 2020 report, The Hidden Costs of Cybercrime, McAfee provided an executive summary of the rising financial concerns caused by cybercrime:

Since 2018, we estimated that the cost of global cybercrime reached over $1 trillion. We estimated the monetary loss from cybercrime at approximately $945 billion. Added to this was global spending on cybersecurity, which was expected to exceed $145 billion in 2020. Today, this is $1 trillion dollar drag on the global economy. This is our fourth report on the cost of cybercrime. Our reports surveyed publicly available information on national losses, and, in a few cases, we used data from not-for-attribution interviews with cybersecurity officials. Our 2018 report found that cybercrime cost the global economy more than $600 billion. Our new estimate suggests a more than 50% increase in two years.

The problem is that many businesses hold crime, cyber, and computer package policies that are full of insurance gaps. For instance, review the AIG website regarding its computer and cyber loss coverage. Many businesses would think AIG offers great coverage in the event some cybercrooks targeted and stole money. But what AIG promises in its underwriting may not be what its computer claims managers will say is covered after a loss occurs.

A recent example is RealPage v. National Union Fire Ins. Co. of Pittsburgh.2 The court framed the legal case as follows:

This case results from a successful phishing expedition. After a RealPage, Inc. employee clicked a fake link in a seemingly innocuous email and provided login information for RealPage’s account with Stripe, Inc., a third party payment processor, phishers stole the login credentials. They then used them to divert millions of dollars in rent payments from tenants intended for RealPage’s property manager clients. RealPage and Stripe recovered some of the stolen funds but lost about $6 million to the phishing crooks. RealPage reimbursed its clients and filed claims under its commercial crime insurance policies for the stolen funds. But its primary insurer denied coverage, determining the pfished funds were not covered losses because RealPage never “held” them. RealPage then filed this action challenging the denial of coverage.

In its legal briefing, AIG’s policyholder framed the issue of coverage in this manner:

This insurance recovery case involves a novel issue that is fundamental to how companies are doing business in the 21st century and is likely to recur in future cases involving software applications used to manage funds….

The key legal issue turns on the interpretation and application of a policy provision stating that the policy covers property that the policyholder ‘holds for others.’ In this case the policyholder collects funds from residents in rental housing units and then transfers those funds to the owners of the units, who are the policyholder’s clients. The policyholder uses an electronic payment application provided by a third-party to implement the policyholder’s collection of funds on behalf of, and subsequent transfer of funds to, its clients. The insurer has argued the funds were not covered property under the policy because the policyholder did not physically ‘hold’ the funds for its clients when the funds were stolen. However, the policyholder managed, directed, and controlled the funds, using the third-party software application for that purpose, and to limit the word ‘hold’ only to instances where a corporate policyholder conducts business through its own personal bank account ignores the reality of how modern businesses engage in digital payment processing, and is inconsistent with the terms of the policy.

To avoid this scenario, it is strongly suggested that company CFO’s, risk managers, IT Support, and operations all explain how all monies they hold for themselves, others and direct are explained in detail so that proper coverage can be obtained, and a bad coverage result does not happen. Here, the court held for the insurer finding:

To recap, RealPage never possessed its property manager clients’ funds that got caught in the phishers’ net. And, crediting RealPage’s argument that it could nonetheless ‘hold’ the funds without ‘possessing’ them, RealPage did not control the lost funds either, notwithstanding the routing instructions it provided to Stripe. We thus agree with the district court that RealPage never held the funds, as ‘hold’ is used in the National Union policy.

An endorsement may need to be added to policy language so that coverage is provided for how real-world businesses are conducting their operations. Asking an insurer and explaining how its operations work before the loss happens is crucial to the high-risk scenarios facing almost all businesses against cybercrime.

Thought For The Day

Hackers are breaking the systems for profit. Before, it was about intellectual curiosity and pursuit of knowledge and thrill, and now hacking is big business.
—Kevin Mitnick
1 Susan B. Anders,PhD, CPA. Cybersecurity Tools for CPAs. The CPA Journal, Aug. 2019. Available at:
2 RealPage v. National Union Fire Ins. Co. of Pittsburgh, — F.4th —, 2021 WL 6060972 (5th Cir. Dec. 22, 2021) (the insurer is an AIG subsidiary).