Businesses increasingly are seeking insurance coverage for internal crime such as employee theft and external crimes like robbery. There’s even coverage available for active shootings.
But many businesses are missing one type of policy that everyone should have, agents say — coverage for cyber crime.
Buzz about active shooter or active assailant insurance started increasing a couple of years ago.
According to the Gun Violence Archive, which tracks gun violence events involving the shooting of four or more people, there were 417 mass shootings in the United States in 2019, making it the worst year on record up to that time for mass shooting attacks.
The demand for workplace violence insurance rose dramatically the following year, with a 270 percent increase in new policies.
As of June 14 this year, the archive had recorded and verified 267 mass shootings. Inquiries about active shooter insurance increase after particularly well publicized events like the recent elementary school attack in Uvalde, Texas. But requests from businesses in the Colorado Springs area are relatively rare.
“It’s very specialized coverage, and it’s generally reserved for people who do municipality insurance, schools and things like that,” said Ben Shoemaker, senior account executive at Bigfoot Insurance.
Most companies that carry this type of insurance are international companies like Lloyd’s of London, he said.
Carriers that offer active shooter coverage might monitor social media for a school or church, and while this type of coverage is growing in popularity worldwide, “we don’t do much of it,” he said.
Specific active shooter insurance can be purchased for small, midsize and large businesses that provides coverages including victim expenses; medical, dental and psychological treatment; salaries; and rehab, as well as legal liability coverages including defense costs, indemnity judgments and settlements, said Bill Syddall, president of ALINK Insurance Services.
“You can also get things like business interruption built into those exposures and physical damage to property,” he said. “We do get business owners asking, ‘What are my risks associated with that?’”
Business owners who think they need this type of coverage should discuss it with their agent, he said.
Small businesses are much more likely to need liability and property insurance to cover internal crimes such as embezzlement or external crimes like break-ins, said Martin Burlingame, CEO of Bigfoot.
And cyber coverage is crucial for small and midsize businesses, Syddall said.
“Since the beginning of the pandemic, there’s been over a 40 percent increase in cyberware attacks on businesses, and over 55 percent of the businesses that are being impacted have 100 or fewer employees,” Syddall said. “Cyber criminals realize that the small and midsized businesses don’t have the resources, time, focus or energy to commit to putting barriers and firewalls in place to keep them out.”
Insurance against internal crime often is part of a business’ liability package but can be sold separately.
“If you don’t ask, you won’t get it,” Shoemaker said.
This type of insurance covers losses from employee dishonesty and theft. For retail businesses, it might involve money missing from a cash register or safe, or computer fraud.
“It’s what we refer to as first-party coverage, not crime from a third party,” Shoemaker said.
In the past couple of years, insurers have been providing sublimit coverage for internal crime.
“Five or 10 years ago, the full policy limits were available for a covered claim such as crime,” Shoemaker said. Now, they might include coverage that pays a portion of the policy limit — such as $500,000 on a $1 million policy — specific to the peril of the crime.
Sublimits are common for other types of coverage as well.
“The bigger the company, the more they need specific coverage to handle large events,” Burlingame said. “A small business might be fine with the coverage that’s in your policy.”
Business owners should ask whether their coverage includes losses due to fraud, embezzlement, theft and forgery, Shoemaker said.
“Those are the basic things that you need to see,” he said. Owners also should ask if the full policy limit is covered or whether there is a sublimit.
External crime like robbery usually falls under a business’ property coverage, but it’s important to read the fine print to determine the coverage you have.
Damage to a business’ building from breaking and entering as well as internal loss of property normally is covered.
“When you get into civil unrest and things of that nature, it gets a little bit murkier,” Shoemaker said. “Insurance companies can choose to do that from time to time. It’s a partial portion of the policy that is covered. But there’s also times in the country’s history where there are moratoriums on writing new business because of anticipated social unrest.”
However, insurance companies generally won’t refuse to offer crime coverage to businesses in particular areas of town.
“Insurance companies have to file their rates and forms with the state,” Shoemaker said. “I’ve never seen it happen before — that’s not to say it hasn’t — but I would think it would not be in the best interest of an insurance company that wants to do business within a certain state to exclude coverage for certain areas. It would be a little too close to what insurance regulators call ‘redlining’” — a practice that is prohibited in most states because it tends to discriminate against minorities.
Commercial auto policies also may extend a business’ property coverage to crimes such as catalytic converter theft, Syddall said.
“That’s a big thing happening now,” he said. “A lot of them are being cut off commercial fleet vehicles that are stored in parking lots overnight. They’ll just jump the fence and cut off the catalytic converter, melt it down for the precious metals and make a killing selling those metals.”
In some cases, coverage of this sort will be included in Business Owners Policies, which blend liability and property exposure coverages. But it is essential for owners to discern what is included and what is excluded.
Coverage for medical, dental and psychological aftereffects of external crime such as being held at gunpoint and robbed is available and may be included in policies, Syddall said.
“It gets down to the nuances of the policy and the form,” he said. “There are many policies where that coverage will not exist, and the worst time to find out you have no coverage is when you need it and you think you have it.”
Cyber insurance is a necessity for nearly all businesses, Burlingame said.
Although the odds are low against an attack on a particular small business, and businesses are constrained on what they can spend, “the cost of a cyber attack on a small business can be in the hundreds of thousands of dollars,” he said. “It’s the biggest thing small businesses need that they don’t buy.”
Cyber insurance used to be targeted at companies deemed to be at higher risk, such as hospitals, Shoemaker said. But in the past five years, it’s become obvious that everyone is at risk.
Someone who hacks your website may not just steal your money — the hacker may steal your client records.
“Now you have to pay to have your records redacted, Shoemaker said.
Some hackers may access networks in a way that causes property damage, he said.
“One large retailer had a vulnerability in their HVAC system, which was connected to the Internet of Things,” he said. “Over a long holiday weekend, it destroyed tons of food.”
Anyone who takes credit cards, has a website or performs any operations online has a cybersecurity threat, he said.
Even so, “I still wouldn’t say that it’s yet part of what we would call the standard package,” he said. If cyber coverage is included, it may be sublimited.
“The big question today is, should we expand cybersecurity to include not only liability losses, but property losses as well?” he said.
Cyber coverage begins with businesses assessing their overall risk strategy regarding theft — “not just physical theft but the theft that can occur through social engineering, wire fraud, ransomware and spyware,” Syddall said.
Shoemaker said cyber insurance pricing has come to a point where it may be palatable for small businesses, who should ask their agents for quotes. More types of cyber attacks are being covered as well, he said.
Small business owners may think they can’t afford cyber insurance, but Syddall said policies and endorsements can be added to their existing coverage.
“What I tell my clients is, ‘I don’t want you stepping over dollars to save a few cents. And the logic of that is, let’s make sure you’re purchasing a value-based insurance policy and not just a cheap-priced insurance policy, because the adage ‘you get what you’re paying for’ is very true,’” he said.
A footnote to commercial coverage is that cannabis-related businesses generally can’t get coverage through traditional insurance companies.
“Most, if not all of the traditional insurance companies (technically called the “admitted market”) do not provide coverage, as cannabis is still illegal at the federal level,” said Vincent Plymell, assistant commissioner for communications at the Colorado Department of Regulatory Agencies’ Division of Insurance.
“From what we have been able to ascertain, cannabis businesses are able to get commercial policies through the surplus lines market,” Plymell said.
The surplus lines market is insurance for risks that are considered too high for regular insurance companies, he said. That type of insurance is commonly associated with very high-value homes or sought when someone has something unusual, rare or singular that they want to insure, he said.
“Because of the nature of surplus lines insurance, there could be some differences in filing claims — different or higher deductibles, more exclusions, more specifics required, and so forth, but it will depend on the policy,” Plymell said.