A finance employee gets an email from the CEO. Wire $180,000 to close a deal today. The email looks right. The signature is right. The employee sends the money. The CEO never asked. The account belongs to a criminal, and the cash is gone within hours.
This is the most common loss a funded startup faces, and most founders assume their cyber policy covers it. It often does not. The coverage you need is commercial crime, with social engineering added on. This guide explains the gap, the threat, the cost, and how to close it.
The numbers behind the threat
Business email compromise is not a rare event. The FBI’s Internet Crime Complaint Center logged more than $2.7 billion in reported business email compromise losses in 2024 alone, and that counts only the cases people report. Social engineering, where a person is tricked into sending money or data, appears in a large share of breaches year after year.
Startups are easy targets for a reason. They hold investor cash. They move fast. They run lean finance teams where one person can move money. Criminals know this and aim accordingly.
The new threat: deepfake fraud
The scam used to rely on email. Now it uses your voice and your face. In 2024, an employee at the engineering firm Arup paid out about $25 million after joining a video call with what looked and sounded like senior executives. Every person on the call was an AI-generated fake.
The technology that powers many startups now powers the fraud against them. A short clip of a founder on a podcast is enough raw material to clone a voice. As these tools spread, “I spoke to him myself” stops being proof.
What commercial crime insurance covers
Commercial crime is a money-and-securities policy. It responds when funds or property are stolen, not when data is breached. The core coverages are consistent.
It covers employee theft, when someone inside takes money or property. It covers funds-transfer fraud, when a criminal sends fraudulent instructions to your bank. It covers forgery and alteration of checks and similar instruments. And, by endorsement, it covers social engineering, the cases where your own employee is tricked into sending the money.
Alliance Risk writes this through our crime insurance program. The social engineering piece is the one to focus on, because it is the gap most policies leave open.
Why your cyber policy won’t pay
Here is the trap. Most founders carry cyber liability insurance and assume it covers fraud. Cyber is built for breaches: stolen data, ransomware, notification costs, system recovery. Our guide to data breach insurance shows what that policy is designed to do.
When an employee is tricked into wiring money, that is not a breach. No system was hacked. A person was deceived. Many cyber policies either exclude this loss or cap it with a small sublimit, often $100,000 to $250,000, far below what a real scam takes. The money walks out the door, and the policy you thought would respond points somewhere else.
Crime vs. cyber vs. fidelity bond
These three get confused, and the difference decides who pays. Use this as a quick map.
| Coverage | Pays for | Does not pay for |
|---|---|---|
| Commercial crime | Theft of money, funds-transfer fraud, employee theft, social engineering | Data breach response, customer privacy claims |
| Cyber liability | Breach response, ransomware, notification, system recovery | Money tricked out the door by social engineering (often excluded or sublimited) |
| Fidelity bond | A narrower form of employee-dishonesty cover | Third-party fraud and most social engineering |
The headline is simple. Cyber covers the breach. Crime covers the theft. You need both, and you need to read the social engineering line on each.
How to size your sublimits
The number that matters most is your social engineering sublimit. A full crime policy might carry a $1 million limit while the social engineering coverage sits at $250,000. If your typical wire is larger than that, you are underinsured on the exact risk you face.
Size the sublimit to your real exposure. Look at your largest routine payment, your vendor payment runs, and your payroll. Then push to raise the social engineering sublimit toward your full limit. This is a negotiation, and a specialist broker knows which carriers say yes.
The controls underwriters now require
Carriers price this risk on your process, not just your size. A few controls do most of the work and also lower your premium.
The first is dual authorization: no single person can release a large payment alone. The second is out-of-band verification: before you change a vendor’s bank details or send a large wire, you confirm by a phone call to a known number, never by replying to the email or joining the call that made the request. The third is vendor onboarding checks: verify banking details when a vendor is added, not just when they change. These steps stop most attacks and signal to underwriters that you take the risk seriously.
Build them into your finance process now. They cost nothing and they are the difference between a near miss and a six-figure loss.
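As an added illustration that is not part of the original guide, here is a small Python model of the three controls above as a release gate for a payment request: dual authorization, out-of-band callback verification, and verified vendor onboarding. The threshold values, field names and vendor records are assumptions.

```python
from dataclasses import dataclass
from typing import Optional, List, Tuple

DUAL_AUTH_THRESHOLD = 10_000   # assumed: payments at or above this need a second approver
CALLBACK_THRESHOLD = 50_000    # assumed: wires at or above this need out-of-band confirmation

@dataclass
class Vendor:
    name: str
    bank_account: str
    # Account confirmed by phone to a known number at onboarding; None means never verified.
    verified_account: Optional[str] = None

@dataclass
class PaymentRequest:
    vendor: Vendor
    amount: int                      # whole dollars
    requested_by: str
    approvers: Tuple[str, ...] = ()
    # True only when someone called a number already on file, never by replying to the
    # email or joining the call that made the request.
    callback_verified: bool = False

def release_blockers(req: PaymentRequest) -> List[str]:
    """Return the control failures that block release; an empty list means pay."""
    blockers = []
    # Control 1: dual authorization. The requester cannot be their own second approver.
    independent = {a for a in req.approvers if a != req.requested_by}
    if req.amount >= DUAL_AUTH_THRESHOLD and not independent:
        blockers.append("dual authorization: no approver other than the requester")
    # Control 3: vendor onboarding. Details must have been verified when the vendor was added.
    if req.vendor.verified_account is None:
        blockers.append("vendor onboarding: bank details were never verified")
    # Control 2: out-of-band verification for changed bank details or large wires.
    details_changed = req.vendor.verified_account not in (None, req.vendor.bank_account)
    needs_callback = details_changed or req.amount >= CALLBACK_THRESHOLD
    if needs_callback and not req.callback_verified:
        why = "bank details changed" if details_changed else "large wire"
        blockers.append(f"out-of-band verification: {why} not confirmed by callback")
    return blockers

def can_release(req: PaymentRequest) -> bool:
    return not release_blockers(req)

if __name__ == "__main__":
    # Constructed example mirroring the opening scenario: a $180,000 "CEO" wire,
    # one employee acting alone, to an account nobody has verified.
    acme = Vendor("Acme Deal Escrow", bank_account="ACCT-NEW-001")
    rush = PaymentRequest(acme, 180_000, requested_by="finance.clerk")
    for b in release_blockers(rush):
        print("BLOCKED:", b)
```

The gate is deliberately additive: every failed control is reported, so the finance team and a later claim reviewer can see which promised step was skipped.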
What it costs
Commercial crime is one of the more affordable specialty lines. The ranges below are indicative for funded startups.
| Company profile | Typical limit | Indicative annual premium |
|---|---|---|
| Seed-stage startup, basic controls | $250,000 – $500,000 | $1,000 – $3,000 |
| Series A with strong payment controls | $1,000,000 | $2,500 – $7,500 |
| Higher limits or weak controls | $1M+ | Priced on risk |
Compared with a single successful wire fraud, the premium is rounding error. Strong controls move you to the low end and can lift your social engineering sublimit at the same time.
Don’t learn this the hard way
The founders who get burned are the ones who find the gap after the money is gone. The ones who sleep well added crime coverage early, raised their social engineering sublimit, and put a callback rule in place before a fake CEO ever called.
Commercial crime fits inside the broader management liability program most startups build, and alongside the full coverage stack an AI company needs.
What a paid claim looks like, step by step
Coverage is easier to trust when you see how a claim runs. Here is the path after a social engineering loss.
First, you discover the fraud, often when a real vendor asks where their payment is. Move fast, because banks can sometimes recall a wire within hours. Second, you report it to your bank and to law enforcement, including the FBI’s IC3, which creates the record your insurer will want. Third, you notify your broker and file the claim under the crime policy’s social engineering coverage. Fourth, the insurer reviews how the loss happened and confirms it falls inside the coverage and below your limit and sublimit.
This is also where claims get denied. If your policy excluded social engineering, or capped it at $100,000 while you lost $300,000, the gap is yours. If you skipped the verification step your application promised, the insurer can push back. The lesson runs in both directions: buy the right coverage, and actually follow the controls you told the underwriter you use.
Frequently asked questions
Does my cyber policy cover wire fraud?
Usually only up to a small social engineering sublimit, if at all. The bulk of the loss often falls to a commercial crime policy, which is why most funded startups carry both.
What is the difference between funds-transfer fraud and social engineering coverage?
Funds-transfer fraud covers fraudulent instructions sent to your bank. Social engineering covers the case where your own employee is deceived into sending the money. Many policies treat them separately, so check both.
How big should our social engineering sublimit be?
Size it to your largest routine payment, not a default $100,000. If you regularly wire more than your sublimit, you are underinsured on your most likely loss.
Will controls really lower our premium?
Yes. Dual authorization and out-of-band callback verification are among the controls carriers reward most, and they often unlock a higher social engineering sublimit too.
We are only ten people. Are we too small to be targeted?
No. Small, cash-rich teams are prime targets precisely because one person can move money and controls are often thin.
Want to know if your cyber policy actually covers wire fraud?
Talk to an Alliance Risk advisor. Send us your current cyber declarations and we will show you the gap and quote standalone crime coverage.