CFOs and risk managers should carefully and completely explain their financial and computer activities to competent insurance agents so that IT and crime package policies are tailored to insure their business in the event of an attack or theft. The financial consequences of not doing so can not be overestimated. For example, The CPA Journal noted in an article:
Sometimes the highest and best value that CPAs can give their clients and employers to prevent problems from occurring or to recognize events that may have negative impact effects. Auditors do not need to be experts in information technology to help organizations realize the risks of criminal use of cyber tools and probably better than anyone else understand the enormous financial costs of technical risks. As an example, based on reports from multiple sources, the Equifax intrusion could cost the company up to $ 700 million … 1
In a 2020 report, The Hidden Costs of Cybercrime provided McAfrime. a summary of the growing economic turmoil caused by cybercrime:
Since 2018, we have estimated that the cost of global cybercrime reached over $ 1 trillion. We estimated the monetary loss from cybercrime at about $ 945 billion. Added to this was global cyber-security spending, which was expected to exceed $ 145 billion by 2020. Today, this is a $ 1 trillion burden on the global economy. This is our fourth report on the costs of cybercrime. Our reports examined widely available information on national losses, and in a few cases we used data from interviews with cybersecurity officials. Our 2018 report showed that cybercrime cost the global economy more than $ 600 billion. Our new estimate indicates an increase of more than 50% in two years.
The problem is that many companies have criminal, cyber and computer package policies that are full of insurance gaps. For example, review AIG's website regarding its coverage for computer and cyber losses. Many companies would think that AIG offers good coverage in the event that some cybercriminals target and steal money. But what AIG promises in its emissions guarantee may not be what their computer claims executives will say is covered after a loss occurs.
A recent example is RealPage v. National Union Fire Ins. Co. of Pittsburgh . 2 The court drafted the case as follows:
This case is the result of a successful phishing expedition. After an employee of RealPage, Inc. clicked on a fake link in a seemingly harmless email and provided login information for RealPage's account with Stripe, Inc., a third-party payment processor, phishers stole the login information. They then used them to divert millions of dollars in rent payments from tenants intended for RealPage's property managers. RealPage and Stripe got back some of the stolen funds but lost about $ 6 million to the phishing crooks. RealPage compensated its customers and filed claims under their commercial criminal insurance for the stolen funds. However, its primary insurer denied coverage, stating that the fishing funds were not covered for losses because RealPage never "held" them. RealPage then brought this action and questioned the denial of coverage.
In its legal review, AIG's policyholders framed the issue of coverage in this way:
This insurance recovery case involves a new issue that is fundamental to how companies do business in 2000- century and is likely to recur in future cases involving software applications used to manage funds …
The central legal issue concerns the interpretation and application of an insurance provision which states that the insurance covers property held by the policyholder for others. " In this case, the policyholder collects funds from residents in rental apartments and then transfers these funds to the unit holders, who are the policyholder's customers. The policyholder uses an electronic payment application provided by a third party to carry out the policyholder's collection of funds on behalf of, and subsequent transfer of funds to, its customers. The insurer has claimed that the funds were not covered by property under the insurance because the policyholder did not physically "hold" the funds for his customers when the funds were stolen. However, the policyholder managed, controlled and controlled the funds, using third party software for this purpose, and to limit the word "hold" only to cases where a business policyholder conducts business through his own personal bank account ignores the reality of how modern companies engage in digital payment management and is incompatible with the terms of the policy.
To avoid this scenario, it is strongly recommended that the company's CFOs, risk managers, IT support and operations explain how all the money they keep for themselves, others and directly explained in detail so that correctly coverage can be obtained, and a poor coverage result does not occur. Here, the court held that the insurer found:
To sum up, RealPage never had the funds of its property managers stuck in the nets of the anglers. And, thanks to RealPage's argument that they could still "hold" the funds without "holding" them, RealPage did not control the lost funds either, despite the routing instructions it gave to Stripe. We therefore agree with the district court that RealPage never held the money, as "hold" is used in National Union policy.
A recommendation may need to be added to the policy language so that coverage is given for how real companies conduct their business. Asking an insurer and explaining how its business works before the loss occurs is crucial to the high-risk scenarios that almost all companies face against cybercrime.
Thought for the day
  Hackers strike break the profit systems. Before, it was about intellectual curiosity and the pursuit of knowledge and excitement, and now hacking is big business.
1 Susan B. Anders, PhD, CPA. Cyber Security Tool for CPAs . The CPA Journal, August 2019. Available at: https://www.cpajournal.com/2019/09/13/cybersecurity-tools-for-cpas-2/
2 RealPage v. National Union Fire Ins . Co. of Pittsburgh – F.4th -, 2021 WL 6060972 (5th Cir. 22 Dec. 2021) ( the insurer is an AIG subsidiary ).