Clever criminals and the evolving ISO Crime and Fidelity program

January 13, 2022 / 4 min read

As if we needed more to worry about, crimes targeting organizations and businesses are on the rise. One survey found that last year, fraud alone cost businesses $42 billion, and nearly half of businesses surveyed had experienced at least one incident of fraud.¹ Of those businesses on the receiving end of a fraudulent act, 13 percent had seen losses over $50 million.²

ISO crime and fidelity program

What insurers need to know about the new ISO Crime and Fidelity program.

Crime may not pay, but these sums are no doubt sobering to organizations of all sizes. To help insurers underwrite today’s crime risks, we’re filing extensive updates to the ISO Crime and Fidelity Insurance Program, including new forms, rules, and advisory loss costs.

A (very brief) introduction to crime and fidelity insurance

Organizations can face a dizzying array of risk exposures from the actions of their employees as well as outsiders. Employee embezzlement remains one of the most significant exposure to loss that businesses face, costing organizations an estimated $730 billion a year.³ But there are other obvious and brazen loss exposures, including burglary, robbery, and fraudsters duping an employee into transferring funds to an illicit account.

The ISO Crime and Fidelity program contains forms, endorsements, rules, and advisory loss costs designed to help address these and other organizational risk exposures.

What’s new in the ISO Crime and Fidelity program?

A lot, but here are just a few highlights:

Tackling social engineering

Phishing. Smishing. Vishing. That’s not gibberish but sophisticated forms of fraudulent impersonation (AKA social engineering) that criminals can use to steal money, securities, or even property from an organization. In 2020, organizations faced an average of 700 social engineering attacks throughout the year.⁴ Last year alone, business email compromised (a type of phishing) cost businesses nearly $1.8 billion.⁵

In our updated Crime and Fidelity Insurance Program, we’re taking the Fraudulent Impersonation insuring agreement endorsement CR 04 17 (which generally addresses impersonation schemes that involve the transfer of money or securities) and including it into the various base coverage forms, where appropriate. We’re also introducing a new, optional endorsement to extend Fraudulent Impersonation coverage beyond money and securities to include other property.

Importantly, to help insurers keep pace with the changing nature of social engineering risk exposures, we’ve also amended the Fraudulent Impersonation insuring agreement. For example, the existing ISO Crime and Fidelity Insurance Program addresses what you could colloquially call the “Fake President” scam: An individual impersonates an organization’s president and demands a wire transfer from the organization to an illicit account (because, after all, who wants to say “no” to their organization’s president?).

But what happens if an employee receives fraudulent instructions to change the wire account information of a client or vendor, ensuring that any future legitimate wire transfer request from that client/vendor routes to an illicit account? The new filing will help address losses stemming from this scheme.

Greatly expanding the coverage territory

Organizations with international reach could find themselves victimized in other countries. That’s why we’re expanding the program’s coverage territory from the United States, Puerto Rico, and Canada to the world.

Rooting out so-called “silent cyber” exposures

As cyber risks continue to grow, many commercial lines insurers may be concerned that they could face cyber-related claims they never anticipated during underwriting. That’s why we’re including policy language to underscore that certain cyber risk exposures are more appropriately addressed in a dedicated cyber insurance policy.

Streamlining loss reporting

The insured will no longer have to report a loss if it doesn’t exceed a percentage of the deductible shown in the declarations. If the insured later learns that the amount loss does exceed that percentage, they’ll have 15 days to notify their insurer. (This option was previously available in an endorsement, CR 20 25, which we’re withdrawing.) We’re also defining a designated person who must have knowledge of a loss to trigger coverage.

New insuring agreement for ERISA benefit plans

Employees can steal more than money from an organization’s cash register; they can also defraud employee benefit plans. The risk exposures associated with Employee Retirement Income Security Act (ERISA) plans were previously addressed in the ISO Crime and Fidelity program as an extension to the Employee Theft insuring agreement. But we’re adding a new insuring agreement for ERISA plans so that insurers have added flexibility to write coverage limits specifically for ERISA exposures.

Easier system integration

The program’s forms and rules are now in a single column format, which some users may find easier to read and integrate into their systems.

The filing (login required) will be effective in many states on June 1, 2022. If you’d like more information on the ISO Crime and Fidelity Insurance Program or want to learn more about the changes we’ve filed, please email Stephen.Whelan@Verisk.com or Robert.Olausen@Verisk.com.

Global Economic Crime and Fraud Survey 2020, PwC Global, 2020, < https://www.pwc.com/gx/en/services/forensics/economic-crime-survey.html >, accessed on December 28, 2021.
Ibid.
Autumn Demberger, "Employee Embezzlement Just Got a Whole Lot Easier Now that We're Working Remotely," Risk & Insurance, October 12, 2020, < https://riskandinsurance.com/employee-embezzlement-just-got-a-whole-lot-easier-now-that-were-work-remotely/ >, accessed on December 28, 2021.
Jonathan Greig, "Average organization targeted by over 700 social engineering attacks each year: report," ZDNet, July 28, 2021, < https://www.zdnet.com/article/average-organization-targeted-by-over-700-social-engineering-attacks-each-year-report/ >, accessed on December 28, 2021.
Internet Crime Report 2020, Federal Bureau of Investigation, 2020, < https://www.ic3.gov/Media/PDF/AnnualReport/2020_IC3Report.pdf >, accessed on December 28, 2021.