In our previous blog, You Don’t Need Crime Insurance – Part 1, we discussed three reasons organizations use to justify not purchasing crime insurance.
We will further our discussion by introducing three more reasons and will help show you the value a well-structured program can add. Crime insurance is about anticipating exposure and is part of the necessary due diligence to ensure business continuity after a loss.
We don’t have any cash on hand
This view unfortunately highlights many of the classic misconceptions around financial crime in the 21st century. For some industries, one of the exposures they face is theft of cash – from petty cash, donation collection or retail cash registers – but in the grand scheme of things, these usually represent a very small exposure. Whether they are “small local” businesses, not-for-profits or large multinational companies, all organizations move money in order to facilitate their business: bills need to be paid, employees compensated, receipts accounted for and taxes (for most) sent to the government, and each one of those transactions involves money, if not cash.
As companies have largely moved away from cash-based systems, so have those trying to defraud us. Fake invoice schemes, ghost employee scams and company cheques being altered or forged are all very real examples of losses that typically involve no cash, and the computer-based fraud to which there has been a monumental shift never involves cash.
The outdated view that a company’s only material exposure is theft of cash is dangerous and leaves many organizations with significant blind-spots. It also highlights our struggles as an industry to ensure our insureds know what a crime insurance policy is intended to cover as this disconnect is material.
We used to underwrite the cash exposure heavily. Now, except for those few industries that still have a cash presence, it almost never comes up. That money in the bank is a big enough target for fraudsters to focus on, and there are generally fewer eyes watching it than that cash in the drawer!
We have very few employees that have any access to our accounts
This is something we hear from small companies all the time – particularly where authority is highly centralized with an owner, CEO or a very small executive group. This can actually be dangerous thinking for a few reasons.
The first concern in these situations is typically that controls are pretty relaxed for these “inner circle” individuals. Senior executives rarely require a second signature or authorization when they want to move money, and their instructions generally receive little to no scrutiny from staff. This usually signifies a lack of segregation among some key functions, notably between the capacity to withdraw money and the capacity to reconcile bank accounts. This isn’t necessarily to say that these key individuals are more likely to commit a fraud (though that can be the case!), but rather that those weaker controls may create an avenue or opportunity for clever fraudsters to exploit. Why target where the walls are thickest when there are areas ripe for exploitation?
Secondly, this presumes the main risk still comes from within. While employee fraud is still the leading cause of financial loss within most organizations, it is not the overwhelming winner that it used to be. We’re seeing a marked shift towards crimes committed against organizations by non-employee third parties. These attacks are usually in the form of hacking or social engineering (or a combination of the two), and are shockingly effective.
The biggest threat is third parties gaining access to an organization’s online banking credentials in order to make fraudulent wire transfers. These types of transactions are fast, big, and tough to recover, as the money can be moved around the world in a very short period of time. Fraudsters will often gain access to these credentials through social engineering (deceiving an individual into sharing this information), hacking (through the introduction of key logging or other spying software) or phishing (which includes tricking an employee into navigating to a spoofed banking website through a fraudulent email that looks authentic, where they happily log in, giving the fraudsters access to the usernames and passwords required to log in to the real banking portal).
Once upon a time, it was the threat of employees going rogue that would keep us up at night. While they certainly can contribute to some restless nights, it is the persistent, industrious and patient third-party that now causes us to really question what happens when the lights go out!
That doesn’t happen in my industry
Every company is unique and we fight hard to differentiate ourselves in just about everything we do. That same lens, however, can make it too easy for companies to dismiss events that happen to other companies as being irrelevant to them or their industry. It’s hard to see how an employee dishonesty loss at a clothing retailer can happen to you, a software-as-a-service company. It’s hard to see how a wire transfer fraud event at a law firm can happen to you, a mining company.
It is therefore important we acknowledge that while each industry does in fact have its own unique risk profile, the majority of the crime exposures are quite homogeneous. Many of the common types of loss are industry agnostic, so we should avoid the false sense of security that this “not in my industry” mindset can create. Vendor fraud, funds transfer fraud, ghost employee scams etc. are all exposures that every company faces in some shape or form. There is literally no company that is exempt from all of these exposures. Understanding and accepting this reality is an important first step in being able to set up a good defence and in exploring, open-mindedly, quality risk transfer options like crime insurance.
We can handle a small loss
Let’s assume for a moment that the loss we’re talking about is actually small (say, under $100,000). The challenge with “eating” a small loss is that these are net losses but the actual impact to the organization is usually much greater.
Assume a company suffers an $85,000 loss due to third party wire fraud. The company had a couple million in the “bank” and generally speaking feels it can absorb the loss. However, if this company operates at a 10% profit margin, that $85,000 is actually like losing $850,000 in revenue, which is what the company needs to bring in to recoup the loss.
Further, that $85,000 doesn’t include the costs associated with hiring external investigators to find out how it happened and how much actually went out the door. Let’s assume that is roughly a $15,000 price tag. So now we’re up to a $100,000 actual dollar loss, or $1,000,000 of lost revenue. We still haven’t factored in the internal costs of the investigation for your own employees and of addressing the morale issue, which are usually measured as a time cost and have a material impact on productivity (and aren’t insurable), so getting that $1,000,000 is much harder than it used to be.
What would the reaction of management be if the risk of losing a $1,000,000 account looked like it could become a reality? It’d likely be “all hands on deck” and just about any avenue to avoid the loss would be considered. The intent here is not to scare, but rather to start to look at the “real” cost of fraud and perhaps to shift the perspective a little of those contemplating the value of crime insurance.
Thinking about and planning for a time when we will be betrayed by an employee or defrauded by a malicious outsider is extremely unpleasant, but these are necessary steps in ensuring the resources are available should the worst come to pass. A robust crime policy with adequate limits is a key component in any effective insurance portfolio. So maybe you do need crime insurance after all?
To further discuss Crime Insurance and coverage, please consult your broker. For more information, please visit our website and connect with us.
Joshua Laycock is The Guarantee’s National Fidelity Product Manager responsible for the maintenance and development of underwriting standards, product innovation and supporting strategies for one of Canada’s largest Fidelity insurance portfolios. He started his career over 10 years ago working with a multi-national insurance brokerage in Toronto as a broker and client executive in the Financial Institution and Professional Services industry practice before moving to the company side five years ago. He has a BComm from the University of Toronto and holds the Chartered Insurance Professional (CIP) and Registered Professional Liability Underwriter (RPLU) designations.
Please be reminded that the following blog/article is intended to be used for informational purposes only and nothing contained herein shall be deemed to provide legal, technical or other professional advice or to represent actual or potential coverage under any insurance contract. At all times, the specific issued policy in its entirety including all definitions, conditions and exclusions is to be used when determining the scope of potential coverage under The Guarantee insurance products. The Guarantee Company of North America disclaims all warranties whatsoever.