Computer crime insurance

Category: Crime & fidelity · Reviewed by Mark Fox, Broker · Renewals · Last reviewed 2026-06-05

Computer crime insurance covers loss caused by computer-enabled criminal acts, including unauthorised access to computer systems, manipulation of computer records, computer fraud, funds transfer fraud and social engineering fraud; it is typically a section of commercial crime insurance but is also written as a dedicated standalone product.

Category: Crime and fidelity
Also known as: cyber crime insurance, electronic crime insurance
First codified: Lloyd’s wordings from c.1980s; significant expansion from 2010s with growth of cyber-enabled fraud
Related legislation: Computer Misuse Act 1990 [1]; Fraud Act 2006 [2]; Data Protection Act 2018 [3]

Definition

Computer crime insurance addresses the financial losses arising from criminal acts carried out using or against computer systems. The class has grown rapidly since c.2010 as cyber-enabled financial crime has become a dominant source of corporate fraud losses, with traditional fidelity and theft losses now substantially exceeded by computer-enabled losses for most commercial operators [4][5].

The principal covered events under typical computer crime wordings are:

Unauthorised access to computer systems (covering both external hacking and internal employees acting beyond their authority).

Manipulation of computer records (fraudulent alteration of accounting records, customer records, transaction records).

Computer fraud — fraudulent use of computers to transfer money or property.

Funds transfer fraud — fraudulent electronic instructions to financial institutions to transfer funds.

Social engineering fraud — fraud using impersonation to induce the insured to transfer money or property.

Computer extortion — extortion demands following unauthorised access (substantially overlapping with dedicated kidnap, ransom and extortion insurance cover for cyber extortion).

The relationship between computer crime insurance and dedicated cyber insurance products is complex. Cyber insurance typically focuses on data breach response, regulatory liability, business interruption from cyber events and similar broader cyber exposures. Computer crime insurance typically focuses on the narrower financial loss from computer-enabled theft or fraud. The two product classes overlap significantly and modern broking practice typically arranges both with coordinated wordings [4][5].

Legal / Regulatory basis

The Computer Misuse Act 1990 (as substantially amended) is the principal UK criminal statute underlying computer crime insurance. The Act creates the offences of unauthorised access to computer material (section 1), unauthorised access with intent to commit further offences (section 2), unauthorised acts with intent to impair operation (section 3) and unauthorised acts causing or creating risk of serious damage (section 3ZA, introduced by the Serious Crime Act 2015) [1][6].

The Fraud Act 2006 provides the substantive fraud offences that underlie computer-enabled fraud. Section 2 (fraud by false representation) is particularly applicable to phishing, social engineering and similar fraud techniques [2].

The Data Protection Act 2018 (implementing the UK GDPR) imposes obligations on data controllers and processors. Computer crime events that result in personal data breaches trigger reporting obligations to the Information Commissioner’s Office within 72 hours and potential fines under the UK GDPR regime. These regulatory exposures are typically addressed under dedicated cyber insurance rather than computer crime insurance, but the overlap requires careful policy coordination [3][7].

The Network and Information Systems Regulations 2018 impose security and incident reporting obligations on operators of essential services and relevant digital service providers, with enforcement by the relevant Competent Authority [8].

The Insurance Act 2015 governs the duty of fair presentation and warranty rules for computer crime insurance placements. Disclosure of IT security arrangements, internal control structures, prior incidents and high-risk operations is critical to the fair presentation obligation. The 2015 Act has been applied in several reported disputes over computer crime claims where disclosure of IT vulnerabilities and prior security incidents was contested [9].

How it works in practice

Modern computer crime cover is typically written as Section E (computer fraud), Section F (funds transfer fraud) and Section G (social engineering fraud) of a comprehensive commercial crime insurance policy, with limits and sub-limits set by reference to the insured’s exposure profile [4][5].

The social engineering fraud sub-limit has been the focus of substantial market attention since c.2015. Traditional commercial crime wordings either excluded social engineering fraud entirely or covered it only at very low sub-limits (£25,000–£100,000), reflecting the historical position that voluntary transfer of money by the insured (induced by fraudulent instruction) fell outside traditional theft and fraud cover. As social engineering losses have grown — with cases of £5m+ losses now common — the market has expanded cover, with sub-limits up to £5m–£10m available subject to specific conditions including verification call-back procedures and dual authorisation requirements [4][5].

Computer fraud and funds transfer fraud cover typically address the more ‘pure’ computer-enabled events where money or property is transferred without the insured’s voluntary participation. Limits are typically aligned with the broader employee dishonesty section, reflecting the substantial overlap in coverage and underwriting [4][5].

Claims handling for computer crime losses is technical and time-critical. Major claims involve forensic IT investigation to establish the cause and extent of the unauthorised access or manipulation, forensic accounting to quantify the financial loss, banking channel recovery efforts (where applicable), notification to law enforcement (Action Fraud is the UK reporting channel) and (where personal data is involved) notification to the ICO under UK GDPR. Recovery of transferred funds is rare in most cases — particularly for international transfers to high-risk jurisdictions where banking cooperation is limited [4][5].

Common variations

Standalone computer crime cover: dedicated product for high-exposure operators, particularly financial institutions and large corporates.

Comprehensive crime policy computer sections: dominant modern structure as sections of commercial crime insurance.

Combined cyber and crime cover: integrated cover for both data breach exposures and financial loss exposures, increasingly common in modern broking.

Sub-limited social engineering: where the social engineering fraud cover is at a substantially lower sub-limit than the broader crime cover, reflecting market practice.

Verification call-back conditional cover: cover subject to specific procedural requirements (typically verification call-back before processing instructed transfers).

Financial institution computer crime: enhanced cover for banks and similar institutions, typically integrated with the broader banker’s blanket bond.

Public sector computer crime: cover for local authorities, government departments and similar public sector employers.

Cyber extortion extension: cover for ransom payments following ransomware or similar cyber extortion events, with specific conditions including law enforcement notification.

Example

A UK mid-market manufacturer places commercial crime insurance including computer crime sections. The placement provides £10m for computer fraud, £10m for funds transfer fraud and a £3m sub-limit for social engineering fraud (subject to a verification call-back procedure condition). Annual premium for the combined crime policy is approximately £32,000. During the policy year, a phishing email targeting the company’s finance team results in a fraudulent invoice being paid to a third-party account. The fraud is identified by the company’s bank within 24 hours and approximately £180,000 of the £420,000 paid is recovered through banking channel reversal; the balance of £240,000 is paid by the insurer under the social engineering fraud cover, subject to confirmation that the call-back procedure had been followed (in fact it was bypassed by the finance team in this instance, leading to a coverage dispute that was ultimately resolved with a reduced settlement). Figures in this example are illustrative.

References

  1. Computer Misuse Act 1990 — https://www.legislation.gov.uk/ukpga/1990/18
  2. Fraud Act 2006 — https://www.legislation.gov.uk/ukpga/2006/35
  3. Data Protection Act 2018 — https://www.legislation.gov.uk/ukpga/2018/12
  4. Lloyd’s Market Association — https://www.lmalloyds.com/
  5. International Underwriting Association of London — https://www.iua.co.uk/
  6. Crown Prosecution Service guidance on Computer Misuse Act 1990 — https://www.cps.gov.uk/legal-guidance/computer-misuse-act
  7. Information Commissioner’s Office — https://ico.org.uk/
  8. Network and Information Systems Regulations 2018 — https://www.legislation.gov.uk/uksi/2018/506
  9. Insurance Act 2015 — https://www.legislation.gov.uk/ukpga/2015/4

This entry is part of the Apex Insurance Wiki. Last reviewed by Matt Bartlett on 2026-06-05. Next review: 2026-12-05.

Apex Insurance Brokers Limited. Authorised and regulated by the Financial Conduct Authority, FRN 724952. Registered in England and Wales, Companies House 07014570. This entry provides general information about UK insurance concepts and is not regulated advice. Consult your insurance broker on your specific position.
