Crime Insurance News: Bitcoin and Fraudulent Impersonation Coverages; Bitcoin Comes to Insurance

Bitcoin seems to be, as Winston Churchill said about Russia, a riddle wrapped in a mystery inside an enigma. Even the name Satoshi Nakamoto, the one claimed to have developed Bitcoin, seems to be an alias for some other person or persons. Nevertheless, in many ways using Bitcoin is not that different from what you may already be doing if you pay bills online and have payments electronically deposited. If that’s how you handle your finances, you may never have any physical contact with a bank. Bitcoin works similarly except that there isn’t any bank at all. In fact, there’s no third party involved, not even the government. When you buy Bitcoins, the transaction is recorded on a digital ledger. When you use them to make a payment, they’re transferred from your account to the other party’s account.1

The anonymity of Bitcoin transactions may be the key attraction for anti-government types and criminals, but Bitcoin’s appeal is much broader.2 In addition to anonymity, supporters of Bitcoin cite as its advantages: instant transfers, lower use fees, international flexibility, and greater privacy.

Bitcoin and other types of virtual currency, also referred to as digital currency or crypto currency, are gaining users. Worldwide, the number of retailers accepting Bitcoin is estimated at more than 100,000. In the US that includes Microsoft, Dell, Wikipedia, Twitch, Greenpeace, Expedia and PayPal.3 A car dealer in Southern California says a customer bought a Tesla Model S with a (virtual) stack of Bitcoins.4 (A follow-up article pointed out that the dealer actually had the customer convert the Bitcoin into US dollars just as if he wanted to pay in a foreign currency.)

A recent article described Bitcoin this way: “A Bitcoin is nothing more than a unique string of numbers. It has no independent value, and is not tied to any real-world currency. Its strength and value come from the fact that people believe in it and use it. Anyone can download a Bitcoin wallet to their computer and buy Bitcoins with traditional currency from a currency exchange… Transactions are secure, fast, and free, with no central authority controlling value or supply, and no middlemen taking a slice.” (Sue Halpern, “In the Depths of the Net,” New York Review of Books, October 8, 2015, page 55.)

Cryptography is used to secure transactions, but hacking is always a possibility. Federal Reserve Chairwoman Janet Yellen says the Fed has no authority to regulate it, which means, among other things, no Federal Deposit Insurance protection.

Since it works in many ways like paper money, checks, and bearer securities, there are obviously loss exposures to be insured. Insurers argue that standard money and security coverage would not apply to digital currency, but some courts have ruled that Bitcoin is money or a security. In one case, an online investment trust that invested in Bitcoin promised an incredible seven percent per week return.5 The SEC accused it of being a Ponzi scheme. The trust replied that since Bitcoin is not actual money, the SEC did not have jurisdiction. United States Magistrate Judge Amos Mazzant of the Eastern District of Texas ruled that the SEC could proceed with its lawsuit against Shavers because “Bitcoin is a currency or form of money.”6 On the other hand, the IRS has defined Bitcoin as property, not a currency. If your client is looking for insurance for virtual currency, relying on debatable court precedents is not a good idea. Your client needs real insurance.

In 2014, Great American became the first US insurer to offer crime insurance for virtual currency. In its 2015 crime coverage revision, ISO has jumped in. ISO is closing the door to claims that a standard money and security policy covers virtual currency by adding an exclusion to its crime forms:

This insurance does not cover… Virtual Currency Loss involving virtual currency of any kind, by whatever name known, whether actual or fictitious including, but not limited to, digital currency, crypto currency or any other type of electronic currency.

For those who want coverage, ISO has created a new optional endorsement: Include Virtual Currency as Money (CR 25 45 11 15). The endorsement contains a schedule listing the name of the currency, the name of the exchange, and the limit of coverage applying to virtual currency. Coverage is provided by adding the following exception to the exclusion shown above:

However, if a Virtual Currency Limit of Insurance is shown in the Schedule, we will pay up to that amount for loss of virtual currency shown in the Schedule.

The definition of money is amended to include the virtual currency shown in the schedule. Because virtual currency does not have a face value, the valuation clause for virtual currency is changed from face value to the value at the close of business on the day the loss was discovered, as published by the exchange shown in the schedule. The insurer has the option of replacing the currency or paying its value in US dollars at the time of the loss.

ISO’s filing has a date of 11/1/15 in most states (including New York, New Jersey, and Connecticut) but will not be available from a company that uses ISO forms until the state has approved the filing and the company has adopted it.

PRACTICE POINTER: What should you do about this coverage? Chances are that few, if any, of your insureds are accepting virtual currency. However, some might be. If you send regular correspondence to your clients and prospects, include a note about the availability of Bitcoin and other virtual currency coverage. Even for those who don’t have the exposure, it will demonstrate that you’re keeping up with new developments in the industry. If you don’t regularly correspond with your clients, why don’t you?

Fraudulent Impersonation

Fraudulent impersonation coverage is a hot topic with crime underwriters. Many of the leading specialty crime insurers that use their own forms already have coverage available. (Some call it “social engineering coverage,” but the intent is the same.) ISO endorsements are filed to be effective 11/1/15. The Fraudulent Impersonation coverage endorsement would provide coverage for the loss of money, securities, or other property due to an employee having, in good faith, complied with a transfer or delivery instruction that an impostor fraudulently transmitted.

A leading crime insurer illustrates the coverage this way:

“A company’s accounts payable manager received an email that appeared to be from a familiar overseas supplier. The email requested the company’s bank account be changed for its next payment. Because the supplier was overseas the new bank account details couldn’t easily be verified.

After the manager tried unsuccessfully to reach the bank, the supplier’s emails became more urgent to pay the invoice, worth about $250,000.

Eager to keep the supplier happy, the manager made the change and wired the money to the new bank account.

The next day, the real supplier called the manager in a panic to say it had been hacked and someone was posing as the supplier to customers. The supplier offered an apology … and then mentioned the matter of the unpaid bill.”7

Bob Olausen, Crime Commercial Lines Manager at ISO wrote this about fraudulent impersonation exposures:

The Federal Trade Commission reported on one…popular impersonation scam, sometimes called “masquerading.” As part of the scam, the hacker poses as a senior executive and asks an employee to complete a confidential business investment or a payment to a vendor. The unwitting employee complies, wires the money to a bogus account managed by the hacker, and it’s gone. According to an alert issued last year by the U.S. Internet Crime Complaint Center (IC3), the average dollar loss per victim was approximately $55,000, with some exceeding $800,000. In certain cases, the losses can be even greater….[A] federal grand jury charged a Florida man with stealing nearly $2.3 million from a global technology company by posing as its chief financial officer.

The telephone is just one way to trigger a fraudulent impersonation loss that’s not covered by standard crime or cyber insurance. Another is email phishing. It’s estimated that sending phishing emails to just 10 employees of a firm will get vital information from at least one of them 90% of the time. Cyber-security experts say that there are over 260 million phishing emails sent every day.9

The standard ISO crime form contains an exclusion that would exclude coverage for most of these schemes:

  1. Transfer or Surrender of Property

(1) Loss of or damage to property after it has been transferred or surrendered to a person or place outside the premises or banking premises:

(a) On the basis of unauthorized instructions;

Coverage is available using the optional endorsement to the ISO Commercial Crime Coverage Form (Fraudulent Impersonation CR 04 17 11 15). It can close some of the gaps. Here are the ISO endorsement’s insuring agreements:

Fraudulent Impersonation

  1. Employees…We will pay for loss resulting directly from your having, in good faith, transferred money, securities or other property in reliance upon a transfer instruction purportedly issued by: a. An employee, or any of your partners, members, managers, officers, directors or trustees, or you (if you are a sole proprietorship) if coverage is written under the Commercial Crime Coverage Form or Commercial Crime Policy…
  2. Customers and Vendors…We will pay for loss resulting directly from your having, in good faith, transferred money, securities or other property in reliance upon a transfer instruction purportedly issued by your customer or vendor, but which transfer instruction proves to have been fraudulently issued by an imposter without the knowledge or consent of the customer or vendor.

(I’ve omitted the wording for government crime coverage forms. It’s similar to the commercial forms.)

At first glance that looks pretty good, but, as one of my favorite insurance mavens is fond of saying: RTFP: Read the fine print. The endorsement defines customer and vendor as follows:

Customer is someone to whom you sell goods or provide services under a written contract. A vendor is someone from whom you purchase goods or receive services under a written contract.

I’ve emphasized “under a written contract,” because business is often conducted over the phone without ever reducing it to writing. Goodbye coverage. Email has reduced the reliance on verbal contracts, but often the email trail is not complete enough to establish a true contract.

Insurers using their own forms are often more liberal in their definitions. One insurer’s form is silent about a written contract requirement for a customer and defines a vendor as someone who has provided goods or services under a legitimate pre-existing arrangement or written agreement. The key word is “or”; the pre-existing arrangement standard would not require a written contract.

Loss control is a key factor in reducing the exposure to fraudulent impersonation. Most applications ask for details about how the applicant verifies customer information before initiating financial transactions, as well as what types of vendor and supply controls and voice and electronic initiated transfer controls are used. I suggest recommending that clients review the items in a fraudulent impersonation application to improve their security even if they don’t purchase the coverage.

Some forms require verification of all transfer transactions as a condition of coverage. The ISO form has options to specify levels of verification. The insured may be required to verify all transfer instructions, verify just those in excess of a stated amount or not be required to verify at all. There’s no definition of what’s meant by “verify.” One company requires callback verification; some insurers’ forms have no verification requirements at all in the policy, although they generally ask about them in the application.

PRACTICE POINTER: This coverage is not expensive. A firm with over 300 employees and annual sales over $100 million was quoted a premium of $418 for a $250,000 limit. (One of the shortcomings of the current market for this coverage is the low maximum limit that most insurers are willing to provide.) Next, check the coverage terms with several insurers. Be sure that coverage matches the insured’s operations. Tell your clients about the availability of this coverage. Just about every firm is a potential victim.