Many business owners assume that having one form of fraud insurance means they are fully covered. The reality is more nuanced — and the gaps between commercial crime and cyber insurance are where significant uninsured losses occur.
Commercial crime insurance: the traditional fraud cover
Commercial crime insurance was designed long before the internet, to cover the classic forms of business fraud: an employee stealing cash, a forged cheque, a fraudulent supplier invoice. Modern commercial crime policies have evolved to include computer fraud — but in specific, limited ways.
*What commercial crime covers:*
- Employee dishonesty and embezzlement (the fidelity component)
- Forgery and alteration of financial instruments
- Counterfeit currency
- Computer fraud: where a criminal directly manipulates your computer system to cause a fraudulent transfer
- Premises and in-transit theft (some policies)

*What it doesn't cover:*
- The cost of investigating and responding to a cyber attack
- Business interruption from a ransomware event
- Data breach notification costs under the Privacy Act
- Third-party liability for customer data compromised in a breach
- Social engineering losses where an employee was deceived (often excluded as "authorised payment")
Cyber insurance: the modern coverage layer
Cyber insurance was developed to address what commercial crime policies cannot: the full financial consequence of a cyber event.
*What cyber covers:*
- Forensic investigation to determine what happened
- System restoration and data recovery
- Business interruption during system downtime
- Ransom payments and negotiation
- Privacy breach notification costs (mandatory under the Privacy Act 2020)
- PR and crisis communication management
- Third-party liability to affected customers
- Regulatory investigation costs

*What it doesn't cover:*
- Employee embezzlement without a cyber element
- Physical theft of assets
- Traditional forgery or counterfeit currency losses
- Social engineering (often excluded or available only as an add-on)
The dangerous overlap zone: computer fraud
Both policies may cover "computer fraud", but they define the trigger differently. Commercial crime's computer fraud section responds when a criminal directly manipulates your financial systems to cause a fraudulent transfer. Cyber's computer crime section covers much the same events but treats them as a cyber incident, triggered by unauthorised access to your systems.
This overlap creates a risk: each insurer may argue the loss falls under the other policy. If you hold both covers, have the policies coordinated (ideally through the same broker) so it is clear which policy responds first and how any "other insurance" clause applies, rather than discovering the dispute at claim time.
Social engineering: the gap neither covers by default
Business Email Compromise and CEO fraud sit in neither camp by default: an employee is tricked into sending a payment to a criminal's account, so no system is breached and the payment is, on its face, authorised. Commercial crime excludes the loss as an "authorised payment"; cyber excludes it as a non-hacking event. A dedicated social engineering endorsement, available as an add-on to DUAL NZ's cyber policy or as part of Chubb's FraudProtector, is required to close this gap. These endorsements are usually sub-limited and may make cover conditional on payment verification procedures, such as a call-back to a known number before acting on changed supplier bank details, so check the wording as well as the limit.
NZ provider examples
| Cover | Provider | Product |
|---|---|---|
| Commercial crime | Chubb | FraudProtector |
| Cyber | DUAL NZ | Cyber + Social Engineering add-on |
| Cyber | NZI | Cyber Base / Cyber Ultra |
| Combined approach | AIG | CyberEdge with crime module |
What most businesses need
For comprehensive protection, most businesses need:
1. Fidelity or commercial crime insurance (for employee fraud and traditional crime)
2. Cyber insurance (for data breaches, ransomware, and Privacy Act obligations)
3. Social engineering endorsement on the cyber policy (for BEC and payment diversion)
The cost of all three together is typically $3,000-$8,000 per year for an SME — a fraction of the average fraud loss.
For tailored advice on your specific combination, submit a quote request and a licensed adviser will help you map your exposures.