Cyber crimes and mishaps continue to plague businesses both domestically and abroad. According to recent FBI statistics, worldwide losses associated with Business Email Compromise (BEC) schemes alone have skyrocketed to over $12 billion. Whether a company’s computer network has been compromised, its business operations interrupted, or its employee duped into wiring funds to a criminal’s bank account, the financial consequences of a cyber event can be devastating.
To date, attention following a cyber incident typically has been on the company that actually experiences the incident. But if the fallout impacts the company’s ability to meet its financial obligations, the brunt of the cyber incident may be borne by the company’s unpaid business partners.
An important question therefore should be considered: Is there insurance coverage for a company that is not paid for goods and services it provided to a customer because of a BEC or other cyber event impacting the customer? The good news is yes, and perhaps surprisingly, it can be found in an insurance product that has been on the market for almost two hundred years.
Accounts Receivable Insurance
Accounts Receivable (AR) or credit risk insurance in the US dates back to the 19th century. Its purpose is to protect the insured entity when its customer — whether domestic or foreign — fails to pay what it owes for goods or services rendered by the insured. The coverage provided under any AR policy will depend on its specific terms, but coverage generally is available for non-payment by or bankruptcy of a customer of the insured company. To trigger coverage, the insured typically must have shipped goods or rendered and invoiced services to a customer pursuant to a contract for sale.
AR policies contain several exclusions, including for an insured’s fraudulent acts and misrepresentations, but importantly, they currently do not exclude coverage for non-payment due to a cyber or BEC event affecting a customer’s ability to pay its debt to the insured.
In addition to providing a hedge against cyber-related (and other) customer non-payment losses, AR insurance offers substantial financial benefits to the insured entity. It can be an effective tool to increase borrowing capacity and expand sales and profitability by allowing the insured entity to reduce bad debt and associated reserves, do business with companies and in markets that otherwise would be considered too risky, and offer customers more liberal payment terms.
As cyber criminals become more sophisticated and the complexity of cyber threats continues to increase, it’s becoming harder for companies to assess how these risks will impact their customers’ ability to pay for goods or services. This is particularly true following a merger or acquisition that creates an expansion of the company’s customer base. Today’s enterprises are encouraged to take a hard look at AR insurance as part of their overall cyber risk management plan and consider how it can protect their bottom line against this costly operational risk.
 With regard to coverage for this risk under a cyber insurance policy, at least one cyber insurer is now offering coverage to organizations that have been unable to collect an outstanding debt for good or services provided to a third party following the “release or distribution of any fraudulent invoice or fraudulent payment instructions” resulting from a security or privacy breach. This “invoice manipulation” endorsement covers the insured’s net loss, which excludes any profit.