"We have crime insurance, so we're covered for cyber fraud."
This is one of the most dangerous assumptions in business insurance — and it's wrong. Commercial crime and cyber insurance overlap in some areas but leave significant gaps when used alone. Understanding the difference is essential for any business managing fraud risk.
Commercial Crime Insurance: the original fraud cover
Commercial crime insurance (which includes fidelity insurance) has been around for decades. It was designed to cover tangible, criminal acts — an employee stealing cash, a forged cheque, a supplier submitting fictitious invoices.
*What it covers:*
- Employee dishonesty and embezzlement (fidelity)
- Forgery and alteration of financial instruments
- Computer fraud — where a criminal hacks your system and initiates a fraudulent funds transfer
- Counterfeit currency
- Premises theft and robbery
- In-transit theft
*Key limitation:* Commercial crime insurance focuses on direct financial loss from specified criminal acts. It typically doesn't cover the investigation costs, system restoration, business interruption, reputational damage, or third-party liability costs from a cyber incident. It also often excludes social engineering losses where an employee was deceived into authorising a payment.
Cyber Insurance: the newer, broader cover
Cyber insurance was developed to address the full financial impact of cyber incidents — which commercial crime policies were never designed to cover.
*What it covers:*
- Incident response and forensic investigation costs
- System and data restoration after an attack
- Business interruption losses from a cyber event
- Ransomware extortion payments and negotiations
- Privacy breach notification and customer management costs
- Third-party liability to individuals affected by a data breach
- Regulatory defence and (some) fines
- Social engineering fraud (as an add-on endorsement)
*Key limitation:* Cyber insurance focuses on cyber events — hacking, malware, data breaches. It generally doesn't cover theft of physical assets, employee embezzlement (absent a cyber element), or traditional fraud that doesn't involve computer systems.
The overlapping zone: computer fraud and social engineering
The two products overlap in the area of computer-enabled fraud:
*Computer fraud:* Both commercial crime and cyber insurance may cover funds stolen through direct manipulation of your computer systems. Check the specific wording to avoid paying for duplicate cover or having both insurers deny the claim on the grounds that it's covered by the other.
*Social engineering:* Neither product automatically covers social engineering fraud (where an employee is deceived into authorising a payment). This is explicitly excluded from most commercial crime policies (it's an "authorised" payment) and from standard cyber policies (there was no system compromise). A specific social engineering endorsement is required — available as an add-on to cyber policies from DUAL NZ and others.
What most businesses should have
For comprehensive fraud protection, most businesses need both:
1. *Fidelity/commercial crime insurance* for employee fraud, physical theft, forgery, and traditional crime exposures
2. *Cyber insurance* for data breaches, ransomware, business interruption from a cyber event, and regulatory/privacy costs
3. *Social engineering endorsement* (typically added to cyber insurance) for BEC, CEO fraud, and payment diversion losses
The good news: these can often be combined in a bundled package, and many insurers offer competitive pricing for buying multiple covers together.
Getting the right advice
The coverage interactions between commercial crime and cyber insurance are complex. The right combination depends on your specific business profile — your transaction volumes, employee headcount, data holdings, and sector. An experienced commercial insurance broker can help you map your exposures and ensure you have appropriate cover without unnecessary overlap or dangerous gaps.
Contact us to be connected with a specialist fraud insurance broker for a tailored assessment.