We're going to embark now on an exploration of standard crime exposures and coverages versus cyber crime exposures and coverages. As mentioned in a previous Knugget, cyber crime is just now being recognized as having different needs, and is addressed by only a small handful of markets.
But before we get into our exploration, I'm going to flip the tables on you and ask you to put on your thinking caps and provide some feedback on a very interesting question that has come across my desk.
An agent and I were recently discussing the EMV (chip and pin) technology of newer credit and debit cards, and requirements and exposures related thereto. That conversation segued into the financial loss exposure a merchant has when they accept fraudulent card.
As cyber policies exist at the moment, the merchant (or other business) whose system was breached and provided the data that enabled the creation of the fraudulent card would have coverage for liability to the consumer.
If an unrelated merchant accepts the fraudulent credit card, he is certainly participating in the chain of events that hurts the consumer, the banks, the credit card issuers and everyone else, but if he has a cyber policy, generally this scenario would not trigger coverage, because his "wrongful act" has nothing to do with a breach. It has to do with accepting the fruits of someone else's breach. So I'd say it's pretty safe to assume there's no liability coverage for this scenario. There may not be any liability to start with, but it's always good to have a policy that will defend that proposition, but I can't see most cyber policies being triggered here. So what about the merchant's own financial loss?
If a merchant accepts a fraudulent card, he gets paid by the acquiring bank as usual, but when the bank finds out these charges are fraudulent, they will come back to the merchant to be reimbursed for those payments. So now the merchant doesn't have the product he sold, nor does he have money for the product.
In a similar low-tech situation, a merchant could accept a bad check. The TV walks out the door with the fraudulent purchaser, the merchant deposits the check and does not get paid, so the TV has, in effect, been stolen.
I talked to my go-to crime underwriter about these scenarios and asked him if he knew of any coverage for this kind of theft loss. Interestingly, he said he did not have any solution suitable for merchants and didn't know of anyone who offered such a coverage. He then opined regarding the merchant's need to vet the purchaser, especially if the purchase is large, and commented that a lot of this kind of theft would be relatively small and not something insureds would report to a crime policy even if they had one that would respond.
I get that, and I think for the one-off fraudulent card or check, he's probably right -- insureds wouldn't and shouldn't utilize insurance for such activities. But now let's think about a breach where the fraudulent card is a store card, so we have a slew of fraudulent transactions and stolen goods concentrated in one store. Target, and Home Depot come to mind, but every merchant that issues a store card is at risk for this.
So, let's say you're Target, and you have processed hundreds of thousands of transactions on fraudulent cards. Your bank is not going to get paid for these transactions, and they're coming after you to disgorge the previously paid funds and make them whole. Now you're out the money. The product was "sold" to the so-called buyers, and you'll never see it again. No money, and no product. Sounds like you've been robbed!
I'm not a property expert, but it seems to me that crime coverages evolved separately from property specifically because they pertain to money and securities, but the scenario above pertains pretty clearly to the theft by fraud of tangible property - the goods - which typically would be insured under a property policy. If they were stolen by someone sneaking into the store overnight and spiriting them away, there would be no doubt of coverage (assuming the insured qualified for and had purchased theft coverage). Does their removal under false pretenses not end up with the same result? Missing product - no money.
Do property policies have a way to respond to this kind of theft?
If not, should they?
Is theft by fraud an excluded cause of loss under most property policies? If so, can it be bought back?
Should it matter if the fraud was perpetrated via bad check or via a fraudulent credit/debit card?
Is this an uninsurable business risk? Or is there a solution, whether common or uncommon?
I'm eager to hear your thoughts. Inquiring minds want to know.....
Until our next Knugget - Produce Well and Prosper!