Commercial crime insurance — also known as fidelity insurance — covers loss of money, securities, or other property caused by employee dishonesty, forgery, theft (inside and outside the premises), computer fraud, funds transfer fraud, and impersonation fraud. It is the oldest line of business insurance, and in the modern environment of social engineering, vendor impersonation, and insider threats, it has become one of the most actively used.
Crime is distinct from both cyber liability (which covers data and liability, not direct loss of money) and from the ERISA bond (which protects plan assets only). A complete protection plan for any meaningfully-sized organization includes all three, structured to dovetail rather than overlap.
Commercial crime insurance — a first-party property policy that reimburses the insured for direct financial loss resulting from criminal acts, including employee dishonesty, forgery, theft, robbery, burglary, computer fraud, funds transfer fraud, social engineering fraud, and acceptance of money orders or counterfeit currency. Distinguished from the ERISA bond (which insures plan assets) and from cyber liability (which is a liability policy, not a first-party loss policy).
The standard insuring agreements
A modern commercial crime policy is built from seven or eight separate insuring agreements, each addressing a distinct loss scenario. Buyers select the agreements applicable to their operations; the policy is essentially a menu rather than a single monolithic coverage.
Employee Theft (Employee Dishonesty)
The historical foundation of the policy. Pays for direct loss of money, securities, or other property caused by theft or forgery committed by an employee, acting alone or in collusion with others. Modern forms include short-term workers and (with endorsement) volunteers, leased employees, and temporary staff. The employee theft agreement is the highest-frequency claim source on the policy.
Forgery or Alteration
Covers loss from forgery of checks, drafts, promissory notes, or similar negotiable instruments drawn on the insured's accounts. Also covers loss from altered instruments. In the era of check fraud's resurgence — driven by mail theft and the resale of stolen checks — this agreement has become unexpectedly active.
Inside and Outside the Premises
"Inside the Premises" covers loss of money and securities from inside the insured's premises or inside a banking premises by theft, disappearance, or destruction. "Outside the Premises" covers loss while in the custody of a messenger or an armored vehicle company. These agreements respond to robbery, burglary, and certain transit losses.
Computer Fraud
Covers direct loss resulting from the use of a computer to fraudulently cause a transfer of money, securities, or other property from inside the premises to a person or place outside the premises. This is a narrow coverage by design — the loss must result from unauthorized computer manipulation. Many losses from social engineering fall outside the strict reading of the computer fraud agreement because the transfer was technically authorized by an employee who was deceived. Separate social engineering coverage closes that gap.
Funds Transfer Fraud
Covers loss resulting from a fraudulent instruction directed to a financial institution to transfer funds from the insured's account. Like computer fraud, the historical reading required that the transfer be "unauthorized" — courts have split on whether deception of an authorized employee qualifies.
Money Orders and Counterfeit Currency
Covers loss from the acceptance in good faith of counterfeit money orders or counterfeit paper currency. A modest coverage in a digital economy but still relevant to retail, hospitality, and cash-handling businesses.
Social Engineering Fraud / Impersonation Fraud / Fraudulent Inducement
The most important crime endorsement of the past decade. Covers loss from voluntary transfer of funds by an employee who was deceived by a third party impersonating a vendor, a customer, a senior executive, or another authorized party. Without this endorsement, the typical "fake CEO" wire fraud, vendor account-change fraud, or invoice manipulation fraud falls into the gap between computer fraud (transfer was authorized) and funds transfer fraud (the financial institution received an authorized instruction). Carriers commonly sub-limit social engineering at $100,000 to $500,000 or higher, with separate retentions and warranties around call-back verification.
The ERISA Fidelity Bond
The ERISA fidelity bond is a distinct fidelity instrument required by federal law for every employee benefit plan covered by the Employee Retirement Income Security Act. It is closely related to commercial crime — both are fidelity coverages, both respond to dishonest acts — but it serves a different purpose, names a different insured, and is governed by a different statute. Plan sponsors regularly buy it as a separate insuring agreement on the commercial crime policy or as a stand-alone bond. We place both.
Section 412 of ERISA requires every person who "handles funds or other property" of a covered employee benefit plan to be bonded against loss caused by acts of fraud or dishonesty. The bond runs to the plan as the insured party. It does not protect the fiduciary — it protects the plan from the fiduciary. That distinction is the most commonly misunderstood feature of ERISA bonding. Fiduciary liability insurance (which protects the fiduciary from third-party breach-of-duty claims) is a separate, third-party liability policy; the ERISA bond is a first-party fidelity instrument owned by the plan.
Required bond amount
The minimum required bond amount is the greater of $1,000 or 10% of the funds handled in the preceding plan year, with a statutory cap of $500,000 per plan. Plans that hold employer securities — common stock, preferred stock, or other securities issued by the plan sponsor or an affiliate — carry an elevated cap of $1,000,000 per plan. The calculation is done plan-by-plan and reported annually on Form 5500. The DOL routinely flags missing or inadequate bonds during Form 5500 review and during plan audits. Failure to maintain the bond is itself a fiduciary breach.
Standard vs. non-standard ERISA bonds
The standard ERISA bond — single-employer qualified retirement plans, ordinary plan structures, qualifying assets only — is rate-driven, fast to bind, and inexpensive. Standard plans up to a $1,000,000 bond amount typically bind on a one-page worksheet at published three-year premiums. Non-standard ERISA bonds are required for multiemployer plans (Taft-Hartley union plans), multiple-employer plans, plans holding non-qualifying assets, plans with significant employer-securities exposure, and any plan requesting bond amounts above the rated capacity. Non-standard bonds require fuller underwriting — trustee structure, investment governance, audit posture, and the nature of any non-qualifying assets.
How the ERISA bond fits inside commercial crime
Most modern commercial crime policies include an ERISA Fidelity insuring agreement that satisfies the Section 412 bond requirement for plans the insured organization sponsors. The agreement names the plans as insureds (typically by general reference to "all employee benefit plans sponsored by the named insured") and provides the statutorily required limits without a separate bond instrument. This is the cleanest structure when the plan sponsor is also the buyer of the crime policy. Where the plan is structured separately — multiemployer plans, trustee-administered plans, or where the plan sponsor does not buy commercial crime — a stand-alone ERISA bond is the right instrument.
We can place either configuration. Our sister site ERISA-Bonds.com is dedicated to ERISA bond issuance for plans in all 50 states, Puerto Rico, and the U.S. Virgin Islands, with standard plans bound the same day in most cases. For broader fiduciary liability discussion, see our Fiduciary Liability & ERISA Bonds page.
Who is covered
The named insured is the insured. Modern forms automatically extend to:
- Direct and indirect subsidiaries (subject to ownership thresholds and acquisition reporting)
- Employee benefit plans of the named insured (often as a separate insuring agreement satisfying ERISA bond requirements)
- Joint ventures (often by endorsement)
- Acquired entities (typically with a 60- or 90-day reporting period)
Definition of "employee" matters more than most buyers realize. Modern forms include leased employees, temporary employees, interns, volunteers (often by endorsement), seasonal workers, and former employees for a tail period after departure. Independent contractors are typically excluded unless endorsed.
Discovery vs. loss-sustained — the trigger matters
Commercial crime policies are written on one of two triggers, and the choice has substantial implications for any actual claim.
Discovery form covers losses that are discovered during the policy period, regardless of when the underlying acts occurred — as long as the prior coverage was continuous. This is the more common modern form and the more buyer-friendly trigger. Employee theft is often discovered years after it begins; a discovery form responds.
Loss-sustained form covers losses that occurred during the policy period and are discovered within a specified period (commonly one year) after the policy expires. Loss-sustained forms create gap risk at every renewal and are increasingly rare in mid-market and large-account placement.
Confirming the trigger and the discovery period before binding is one of the highest-value steps in any crime placement. The most common bad surprise on a crime claim is a buyer assuming discovery coverage and finding loss-sustained language.
How commercial crime differs from related coverages
Crime vs. ERISA bond — ERISA bonds insure plan assets against fiduciary dishonesty; commercial crime insures the insured's own assets. Most modern crime policies include an ERISA-compliant insuring agreement that satisfies the Section 412 bond requirement for plans the insured sponsors, but the agreement runs to the plan, not the sponsor.
Crime vs. cyber liability — Cyber is a liability policy plus first-party data and business interruption coverage. It does not cover direct loss of money in the same way crime does. The overlap is in social engineering — where carefully coordinated coverage avoids both double-dipping and the more common gap. We routinely structure the cyber policy as primary for social engineering and the crime policy as primary for direct employee dishonesty.
Crime vs. directors and officers — Crime is first-party. D&O is third-party. A theft from the company is a crime claim. A suit alleging the directors failed to prevent the theft is a D&O claim. Both can arise from the same underlying event.
What commercial crime does not cover
- Inventory loss — covered by property insurance, not crime, except where attributable to identified employee theft
- Indirect loss — lost income, loss of business reputation, loss of customer goodwill
- Loss resulting from the insured's voluntary parting with property (absent social engineering endorsement)
- Loss involving trading by employees acting within the apparent scope of authority (separate coverage exists for this)
- Acts committed by directors and officers in their capacity as such — covered by D&O (and excluded here)
- Patent, copyright, or trade secret loss — not theft of property in the traditional sense
- Acts of war and certain government acts
Coverage applications
Commercial crime / fidelity bonds use the small-business commercial crime application. ERISA fidelity bonds use one of three plan-specific applications depending on plan structure. We can quote all of them together if the named insured needs both crime coverage and an ERISA bond.
Common questions
Do we need crime insurance if we have cyber?
Yes — and the answer is the same in reverse. The two policies cover different things. Cyber covers data and liability and business interruption. Crime covers direct loss of money and securities. A meaningful financial-loss event almost always implicates both, and coordination is the work of the broker.
What is "employee theft" coverage really worth?
Average employee theft losses, by ACFE benchmarks, run in the high five figures for small organizations and into the seven figures for larger ones. Median duration before discovery is around 14 months. Recovery rates from convicted employees are negligible — most stolen funds are spent before the theft is discovered. The crime policy is, in practice, the only meaningful recovery vehicle.
How are limits structured?
Crime limits are typically structured per insuring agreement with a single policy aggregate, or as a single limit applying to all insuring agreements. Common limits for mid-market accounts run from $500,000 to $5,000,000 with social engineering sub-limited to a fraction of that. Larger accounts may stack excess crime above primary crime to reach $25M, $50M, or higher towers — particularly for cash-handling, financial services, and high-net-worth fiduciaries.
What about the retention?
Crime retentions are typically modest — $5,000 to $25,000 for mid-market accounts, scaling with size. Social engineering retentions are often higher than employee dishonesty retentions, reflecting the higher frequency of the loss.
Are claims confidential?
Commercial crime claims involving employee dishonesty are nearly always handled confidentially by the carrier. Public disclosure is rare except where regulatory reporting (SEC, FINRA, banking regulators) compels it, or where the theft becomes the subject of criminal prosecution.
The crime policy is the most under-respected coverage on the management liability stack. It is also the policy that pays the most frequently. Buyers who treat it as a renewal afterthought discover the gaps only when the theft is finally found.
Speak to an underwriter
Crime structure depends on how money moves through your organization — who has authority, what controls are in place, how vendors are added, and how wires are released. Call (800) 373-2804 and we will walk through it.