We came across an interesting article on the increased number of employee theft claims due to the economy and the corresponding need for Crime Insurance. Here are some of the highlights of the article.
Since the recession began two and a half years ago, crimes by employees and third parties, including the dollar amounts involved, have risen sharply. Fueled by the fear of unemployment, employees are increasingly fighting back against their employers. They’re more likely to take what they feel they deserve because of the work done for their company over the years. As well, many companies are taking a closer look at risk controls to cut unnecessary costs, uncovering theft issues that may have been undetected in the past.
The vast majority of people who commit these crimes are not professional criminals–they’re in a financial bind…and they tend to rationalize their conduct as borrowing the money they took until they can pay it back.
Small businesses must take all necessary precautions against employee theft and fraud, either by addressing the fraud risks or by adjusting their policy limits to account for the related losses, as only one in four private companies buys crime insurance. Stand-alone crime policies are better than crime coverage added to Business Owners Policies (BOPs). Separate out crime coverages and add things like computer fraud and funds transfer fraud.
One way to determine an appropriate crime limit is to assume 5% of the company’s revenues will be the cost of fraud, and include that amount in the limit. Another way is to use organizations like Advisen that can evaluate a client’s cash flow, number of employees and business locations, employee turnover rates, and the effectiveness of its internal risk controls in order to determine a limit.
Risk Controls to minimize employee fraud:
- use pre-numbered checks typed or written in permanent ink
- be aware of employees who object strongly to new policies concerning financial, inventory, or supply matters
- employees with duties that do not include check preparation or distribution should reconcile the bank checking account
- improve background checks of job applicants
- separate receiving, storekeeping, and shipping functions. Complete physical inventories annually and assign them to an individual who is not responsible for inventory records.
- be aware of employees who exhibit signs of compulsive gambling, persistent borrowing, or repeated requests for salary advances
- separate mail opening and posting functions
- record checks and cash in appropriate registers and stamp checks for deposit only
- be aware of employees who suddenly want to work late
Source: Russ Banham, Independent Agent, Nov 2010
“Risk is a function of the likelihood of a given threat source’s exercising a potential vulnerability, and the resulting impact of that adverse event on the organization.”
Due to the changing nature of cyber risk, IT risk managers must upgrade risk management strategies to focus on new areas of concern. In the past, primary attention was given to protecting computer infrastructure from losses caused by lapses of physical security, internet servers, networks, and rogue insiders. Now, attention must be expanded to applications and software used by the organization.
Due to stepped-up risk management controls in the area of network security, cyber criminals have turned their attention to less protected vulnerabilities in applications and software. In addition, the purpose of the attacks has morphed from causing embarrassment and denial of service to profiting from the theft of confidential financial and client information.
Cyber Attacks focus on the following areas:
* disrupting infrastructure operations
* posting confidential enterprise information online
* theft of intellectual property
* identity theft
* theft of confidential information
* confiscating or compromising online bank accounts
* spreading viruses on other computers
* malicious insiders seeking revenge
* use of internet-launched viruses, malware, trojans, phishing, botnets, other malicious code
A company’s risk analysis should identify which of the following risks apply, giving primary attention to those that present the largest loss potential by either their frequency or severity:
* identification of viruses on servers, workstations, and laptops.
* open ports on firewall
* which assets are currently being attacked
* which assets are most likely future targets
* Payment Card Industry (PCI) audit if credit cards are used
* HIPAA and HITECH audit for medical information if applicable
* various state confidentiality and data protection laws
See entire article for suggested risk management controls to reduce these risks.
Source: Resources, Winter 2010, Paul W. Burkett, The National Alliance For Insurance Education And Research
Sadler Tech Insurance And Risk Management Blog is ranked 14th best Nationally by Risk Management Masters, an online resource specializing in Insurance Risk Management.
We are proud to be recognized as an important source for technology insurance and risk management information and strive to educate our prospects, clients and the public on these topics.
Source: “Top 50 Risk Management Blogs”
The following risk management controls can help companies avoid cyber losses due to viruses, hackers, trojan horses, malware, denial of service, extortion, errors & omissions in delivering tech services, intellectual property violations, etc.:
* firewalls
* encryption
* password protection
* network security reviews
* disaster recovery services
* forensic services in response to security breaches
* emergency loss containment
* employee handbook provisions on internet and email security
* hacker vulnerability assessments
* review of your content and use terms by intellectual property attorney
Sources:
With Computers Under Siege Cyber Insurance Rides To The Rescue
Do You Need Coverage For Cyber Risks?, The John Liner Letter, Vol. 43, No. 7, June 2006