An Insider Stole $35 Million in Secrets. Is Your Business Insurance Ready for This?

Akram Chauhan

You probably saw the headline. It’s the kind of story that feels like it’s straight out of a spy movie. A director at a U.S. military contractor—a firm that literally finds and sells computer security flaws—pleaded guilty to stealing company secrets.

And he didn’t just steal a little something. He admitted to taking and reselling a staggering $35 million in trade secrets. The buyer? A Russian cyber-tools broker with ties to the Russian government.

It’s easy to read that and think, "Wow, that's wild. Glad I'm not in the military contracting business." But I want you to pause for a second. Let's pull this story out of the world of international espionage and drop it right into your world, into your business.

Because this isn’t really a story about hackers or the government. At its core, this is a story about a trusted employee who went rogue. And that, my friend, is a risk every single business faces. It’s one of the scariest, and it’s a place where your insurance can get really, really tricky.

Let's Unpack What Really Happened Here

So, the guy at the center of this is Peter Williams. He was a director. Not some low-level intern, but a person in a position of significant trust and authority. His company's whole business model is built on handling incredibly sensitive digital information.

He basically took the company's crown jewels—its proprietary cyber vulnerabilities—and walked out the digital door with them. Then, he sold them. This wasn't a mistake. It wasn't an accident. It was a deliberate, malicious act of theft by someone on the inside.

This is what we in the insurance world call an "insider threat," and honestly, it’s the stuff of nightmares for risk managers. Why? Because you spend all this money on firewalls, antivirus software, and security systems to keep the bad guys out. But what do you do when the bad guy is already inside, with a key card and a network password?

"But My Cyber Insurance Covers Hacking, Right?"

This is the first place people's minds go, and it's a perfectly logical thought. You hear "stolen data," you think "cyber insurance." And you're not wrong... but you're not entirely right, either.

Here's the thing about insurance policies: they are incredibly specific. A standard Cyber Liability policy is primarily designed to protect you from external threats. Think of a hacker who breaches your firewall or an employee who accidentally clicks on a phishing link that unleashes malware.

But when one of your own people, especially a director, intentionally steals from you? That's a different kettle of fish.

The Employee Dishonesty Gap

Many cyber policies contain an exclusion for intentional or fraudulent acts committed by an employee or executive. The policy is there to protect you from outside attacks and internal mistakes, not necessarily from a high-level employee who decides to become a criminal.

Reading this, you might be feeling a little pit in your stomach. "So you're telling me my cyber policy might not pay out in one of the worst-case scenarios?"

It's a definite possibility. And that's exactly why this story is such a critical lesson. You can't just assume you're covered.

The Real Hero of This Story: Crime Insurance

So, if cyber insurance might not be the answer, what is? Let's talk about a less flashy but incredibly important policy: Commercial Crime Insurance, sometimes called a Fidelity Bond.

Think of it like this:

  • Cyber Insurance is your alarm system for break-ins.
  • Crime Insurance is your protection against the trusted housekeeper stealing the family silver.

Crime insurance is specifically designed to cover losses resulting from, you guessed it, crime. And a huge piece of that is employee dishonesty. It covers an employee stealing money, securities, or property from you or your customers. In today's world, "property" absolutely includes digital assets and intellectual property—exactly what was stolen in this case.

For the company Peter Williams worked for, a robust Crime policy would be the first line of defense to recoup the direct financial loss from the theft of their trade secrets.

The Problem Doesn't Stop at the Theft

Okay, so the secrets are gone. That's a huge, direct financial hit. But the nightmare is just getting started. Now come the lawsuits.

Imagine you're one of that contractor's clients. You trusted them with your security. Now, their secrets—which might be related to your systems—are in the hands of a foreign power. You'd be furious, right? And you'd probably be calling your lawyer.

This is where the insurance puzzle gets a few more crucial pieces.

When Your Clients Sue: Errors & Omissions (E&O)

The clients of this firm are almost certainly going to sue, claiming the company was negligent. They'll argue the contractor failed in its professional duty to safeguard its own intellectual property, thereby putting the clients at risk.

This is precisely what Errors & Omissions (E&O) insurance is for. It's also known as Professional Liability insurance. It protects your business if you're accused of making a mistake, being negligent, or failing to deliver on your professional services. In this case, it would be the policy that responds to defend the company against those client lawsuits and pay for settlements or judgments.

Protecting the Leadership: The Role of D&O

But wait, there's more! What about the other executives and the board of directors at this company? They're going to get sued, too.

Shareholders, clients, or even government regulators could file a lawsuit against the entire leadership team, alleging they failed to have proper oversight, ignored red flags, or didn't implement controls that could have prevented this director from stealing everything.

This is where Directors & Officers (D&O) Insurance comes into play. This policy protects the personal assets of the company's leaders if they are personally named in a lawsuit for alleged wrongful acts while managing the company. Without it, their personal savings, their houses, everything could be on the line.

Your "Insider Threat" Insurance Checklist

This whole situation is a perfect, if terrifying, example of how one single event can trigger multiple insurance policies. It's not just a "cyber" problem or a "crime" problem. It's a complex business risk that requires a layered defense.

So, what can you do? Let's get practical.

  1. Dust Off Your Cyber Policy: Don't just assume you're covered for employee theft. Read the "conduct" exclusions carefully. Have a frank conversation with your insurance broker and ask them, "If my CFO intentionally wires a million dollars to their own account, are we covered under this policy?"
  2. Make Friends with Crime Insurance: If you handle sensitive data, have access to client funds, or have valuable intellectual property, a separate Commercial Crime policy isn't a luxury; it's a necessity. It's specifically built for this kind of betrayal.
  3. Review Your E&O and D&O Limits: Are they high enough to handle a worst-case scenario? A $35 million theft could easily lead to lawsuits that are double or triple that amount. Don't skimp on these policies.
  4. Insurance is the Last Step, Not the First: Remember, insurance is a safety net. Your first job is to prevent the fall. That means strong internal controls, dual authority for major transactions, regular audits, and fostering a culture where employees feel valued and heard.

This story is a stark reminder that your biggest threats aren't always faceless entities on the other side of the world. Sometimes, they're sitting in the office down the hall. Planning for that possibility, with both smart internal procedures and a rock-solid, layered insurance program, is one of the most important things you can do to protect the business you've worked so hard to build.
