We came across an interesting article on the increased number of employee theft claims due to the economy and the corresponding need for Crime Insurance. Here are some of the highlights of the article.
Since the recession began two and a half years ago, crimes by employees and third parties, including the dollar amounts involved, have risen sharply. Fueled by the fear of unemployment, employees are increasingly fighting back against their employers. They’re more likely to take what they feel they deserve because of the work done for their company over the years. As well, many companies are taking a closer look at risk controls to cut unnecessary costs, uncovering theft issues that may have been undetected in the past.
The vast majority of people who commit these crimes are not professional criminals; they are in a financial bind, and they tend to rationalize their conduct as borrowing the money they took until they can pay it back.
Small businesses must take all necessary precautions to prevent employee theft and fraud, either by addressing the fraud risks directly or by adjusting their policy limits to cover the related losses, since only one in four private companies buys crime insurance. Stand-alone crime policies are better than crime coverage added to Business Owners Policies (BOPs). Separate out the crime coverages and add items such as computer fraud and funds transfer fraud.
One way to determine an appropriate crime limit is to assume that 5% of the company’s revenues will be the cost of fraud and include that amount in the limit. Another way is to use organizations like Advisen that can evaluate a client’s cash flow, number of employees and business locations, employee turnover rates, and the effectiveness of its internal risk controls in order to determine a limit.
Risk Controls to minimize employee fraud:
- use pre-numbered checks typed or written in permanent ink
- be aware of employees who object strongly to new policies concerning financial, inventory, or supply matters
- have employees whose duties do not include check preparation or distribution reconcile the bank checking account
- improve background checks of job applicants
- separate receiving, storekeeping, and shipping functions; complete physical inventories annually and assign them to an individual who is not responsible for inventory records
- be aware of employees who exhibit signs of compulsive gambling, persistent borrowing, or repeated requests for salary advances
- separate mail opening and posting functions
- record checks and cash in appropriate registers and stamp checks “for deposit only”
- be aware of employees who suddenly want to work late
Source: Russ Banham, Independent Agent, Nov 2010
Online criminals are targeting small to midsized businesses, according to the US Federal Bureau of Investigation. Hackers are getting away with over $100 million in bank fraud through malicious programs known as Trojans.
Trojans are planted in the networks of target companies, where they steal passwords to online services such as fund management and online banking. This opens the door to ACH (Automated Clearing House) network fraud, in which hackers wire money out of the victim’s accounts and into the accounts of money “mules” who launder the money for a profit. Criminal masterminds positioned in other countries such as China and Russia receive the funds, since they are out of the reach of US law enforcement.
Small and midsized businesses are favored because hackers know they often lack the time and money to put stringent security controls in place. Even though this may be true, there are ways to protect your business and yourself. Educate your employees about the risk and instruct them in basic security awareness. Also, use network security measures such as web and mail filtering solutions, network firewalls, and antivirus software.
Source: US Federal Bureau of Investigation
I found an excellent bulletin from Travelers Insurance that describes the financial threats posed by funds transfer fraud and computer fraud and the need for specialized Crime Insurance Coverage. The Travelers coverage version, wrap +, includes both Electronic Funds Transfer and Computer Fraud coverages on a combined basis.
Here are some eye-opening facts:
- According to a 2008 survey by the Computer Security Institute, the average financial loss due to computer fraud was $289,000. The average loss due to funds transfer fraud was $500,000.
- Phishing scams, Trojan horses, keyloggers and other techniques allow hackers to gain control of online banking transactions and to circumvent normal online authentication controls.
- Internal controls such as antivirus, firewalls, and employee training are critical, but not enough for 100% protection.
- Specialized Financial Insurance coverages should be purchased to protect against this risk.
Electronic Funds Transfer Fraud Claim Examples:
- A victim company’s bank allegedly sent a letter explaining a new security program. The company then received an email that appeared to be from the bank, and an employee opened it. Opening the email gave a Trojan horse access to the company’s computer, where it read keystrokes and allowed the perpetrator to obtain banking and password information. A fraudulent electronic wire transfer was initiated and the company lost $683,000.
- The finance director of a company opened a zip file attached to an email that contained a virus. The user ID and password to the company’s account with its bank were obtained through code inserted by the virus. A fraudulent electronic wire transfer totaling $147,000 was initiated by criminals from the company’s bank account to an unknown bank account in Arizona. The funds were withdrawn immediately and were unrecoverable.
- A payroll supervisor logged on to the company’s payroll account and noted that three payments totaling $704,632 had been wired from the account. The transactions were reported to the bank as unauthorized and the account was shut down. Unfortunately, $238,781 was not recovered.
Computer Fraud Claim Examples:
- An employee of a customer of a company hacked into the company’s website and changed the bank routing and account numbers to her own. When the company paid her employer for services rendered, she fraudulently received the funds in her account.
- A former employee used his supervisor’s password to enter the insured’s unlocked building and gained access to use the supervisor’s computer. Using his bank routing number, he activated transactions to receive fake reimbursements allegedly made to the company’s customers.
Source: Travelers Bond & Financial Products, Bulletin, 11-09
Sadler Tech Insurance And Risk Management Blog is ranked 14th best nationally by Risk Management Masters, an online resource specializing in insurance risk management.
We are proud to be recognized as an important source for technology insurance and risk management information and strive to educate our prospects, clients and the public on these topics.
Source: “Top 50 Risk Management Blogs”
YouTube, Facebook, and Twitter have become prevalent and the risks involved for the workplace are often not taken into account.
Here are a few threats that can be overlooked:
1. Your Friends List
“Social media” can be very helpful when making contact with customers, finding jobs, corresponding with potential clients, etc. But dangers lurk when all the people in your friends list have access to your comments. Ranting and raving about your boss and forgetting that he/she is listed as “your friend” can lead to obvious problems.
2. Employers Fail To Set Internet Usage Policy
Many companies are using blogs and social networking to their advantage; however, they can also become a liability risk. It is vital that policies are in place for how and when employees can use the Internet and that personal data is secured.
3. Hackers Look For Any Open Door
Any employee using these sites while on the job exposes the organization to phishing, spam, and malware attacks. One reported finding is that a quarter of all businesses have been affected by “social media” use in the workplace.
4. Providers Fail to Take Appropriate Safety Measures
Lawsuits are beginning to target the social media companies over privacy issues as well as user-generated content. In one case, several classmates set up a private group on Facebook; Facebook has now been named in a lawsuit over allegedly defamatory content contained in the private group’s comments.
5. Ignorance Is Your Loss
An even bigger danger is to ignore the social media frenzy. In doing so, companies lose the newest, most popular opportunity to stay in touch with their markets and their clients and to build customer relationships. Just be wise in how your company uses social media.
Source: Patricia Vonwinkle, Risk and Insurance
New regulations are increasing at a rapid rate, and it is vital that business owners and Chief Information Officers (CIOs) become familiar with current regulations and compliance dates.
State notification laws require businesses to notify customers or patients in a timely manner of any data breach that might affect them. Each state has its own requirements, and failure to notify in accordance with a state’s notification law could lead to fines and penalties.
The HITECH Act, which is part of the 2009 American Recovery and Reinvestment Act, creates a federal notification requirement for breaches of Protected Health Information. The HITECH Act also provides incentives for physicians to put into practice “meaningful use” of an Electronic Health Record system.
Red Flags Rule applies to “financial institutions” and “creditors” with “covered accounts,” per the regulation. This rule was created in November 2007 as an addition to the Fair Credit Reporting Act.
The Massachusetts Office of Consumer Affairs & Business Regulation issued a regulation known as Massachusetts 201 CMR 17.00 in September of 2008. This regulation is intended to protect against the unauthorized disclosure of personal information about Massachusetts residents. This wide-sweeping law applies to any person or business that holds personal information on a resident of Massachusetts. Non-compliance may be subject to a $5,000 civil penalty for each violation, for each person affected.
So what’s next? H.R. 2221, the Data Accountability and Trust Act, was recently passed by the House Subcommittee on Commerce, Trade, and Consumer Protection; it would require businesses to notify customers when outside parties gain access to sensitive information due to a security breach.
Cyber liability (or security and privacy) insurance has been developed by insurance carriers to provide coverage for these exposures. First Party Coverages include business income and extra expense, crisis management expenses, cyber extortion, credit monitoring expenses, and notification costs. Third Party Coverages include network security and privacy liability, internet and media liability, and regulatory defense coverage (including penalties and fines).
Finally, remember that there is no standard policy form in the marketplace. Each policy form will require extensive review and analysis by a Cyber Insurance Specialist.
Source: David Perkins, September 7, 2009, www.insurancejournal.com
“Many employees disable the encryption solutions on their laptops, putting their employers at risk for data breaches, according to a study by Absolute Software Corp. and The Ponemon Institute.”
The study states that “Corporate America” is being affected by the behavior of employees who undermine data protection. As a result, encryption alone is not enough to protect laptops and other mobile devices that have sensitive information stored on them. The number one source of data loss is lost or stolen laptops, and when a laptop has been stolen, 3 out of 4 companies will incur a data breach.
Business owners are not taking the necessary safety measures to secure their laptops. Some business managers even deactivate their laptops’ encryption, making themselves and their clients more vulnerable to identity theft. Additional layers of security can be used to identify data that has been accessed, to delete sensitive information remotely, and to find a lost or stolen laptop. According to this study, employers cannot afford to rely on the behavior of their employees or on encryption technology alone to provide the data protection they need.
Source: Absolute/Ponemon
http://www.insurancejournal.com/news/national/2009/04/27/99982.htm
Here’s a question you may not have thought about: if one of your employees is working at home and is injured, are you responsible? The answer depends on the individual circumstances. For example, electrocution from a faulty cord on a computer you provided is different from a slip and fall on the way to the bathroom. As technology allows more and more work to be performed at home, it’s a good idea to adopt safety expectations for your employees’ home offices.
Here are some ideas to keep in mind if you have staff working from home:
* Temperature, noise, ventilation and lighting levels should be adequate.
* Electrical equipment should be free from hazards (e.g., frayed or exposed wires). Wiring and electrical cords should be secured and out of the way.
* The work area should be large enough to safely accommodate all equipment, wiring and so on without posing a risk of hazard to the employee.
* Hallways and doorways should be free from obstructions.
* The working environment should be free from clutter or materials that could create fire hazards.
* Floor surfaces should be clean and dry. Carpeting should be properly secured.
* There should be ample lighting for the work that the employee will be doing.
* The working area should be equipped with sufficient electrical outlets to accommodate all necessary equipment safely.
* Desks and chairs should be the appropriate size, height, etc., to provide comfort.
* Some organizations ask employees to sign a statement indicating that they will comply with the company’s stated safety requirements; others even ask employees to bring in photos of their work areas indicating that they are in compliance with safety regulations.
Employee safety needs to be your concern even when they’re working from home. If you or someone you know has staff that telecommutes or works from home, please contact our office to discuss your protection options.
The following risk management controls can help companies avoid cyber losses due to viruses, hackers, Trojan horses, malware, denial of service, extortion, errors & omissions in delivering tech services, intellectual property violations, etc.:
* firewalls
* encryption
* password protection
* network security reviews
* disaster recovery services
* forensic services in response to security breaches
* emergency loss containment
* employee handbook provisions on internet and email security
* hacker vulnerability assessments
* review of your content and use terms by intellectual property attorney
Sources:
With Computers Under Siege Cyber Insurance Rides To The Rescue
Do You Need Coverage For Cyber Risks?, The John Liner Letter, Vol. 43, No. 7, June 2006