By: Drew M Smith
During the last several months there have been numerous reports of cyber breaches in a variety of different companies. Whether it is a big business like Home Depot, or a more private company, cyber-crime has been on the rise and causing billions of dollars’ worth of damage in fines, identity theft, lawsuits and settlements. What happens when an employee is deceived into providing information transferring funds or other assets? Is this covered by commercial crime insurance? Well maybe yes, and maybe no.
An issue arises when an authorized signer on the company’s bank accounts. One way this type of cyber-crime occurs is when an employee gives out information to someone who they think is with their company. Such as receiving an e-mail or text from someone they believe is the President and CFO. We have all received e-mails from an email address we thought were friends and colleagues which were found to be a hoax (this is referred to as phishing). But this turns out to be a ruse to steal money, account information or other assets from the company. This can cause irreparable harm on the company and potentially expose the company to uninsured claims. This is called Cyber Deception.
It can be started with just a simple e-mail. In Massachusetts, an employee at a manufacturing company got an IRS E-Mail saying that they needed to shore up their tax numbers and thus needed the company to wire the funds. The naïve employee followed the instructions and in short order wired $400,000 from the company’s bank account to a fictitious account number. It was traced to Nigeria and then pin wheeled to other banks throughout Africa. The bank was only able to get part of the money back and company filed a claim with their commercial crime insurance carrier. This claim was denied by the crime carrier on the grounds that their authorized employee voluntarily gave up the information and wired the money. Only when the client threatened to sue that the carrier finally wrote them the check.
In another case, the controller received an email from someone that they thought was the CFO and wired $900,000 to a fictitious bank account. The CFO’s email had been hijacked. Again since the authorized employee made the transfer, the bank didn’t refund the money and since there were funds transfer exclusions in the crime policy, the company was out of luck.
When cyber deception occurs, many people believe that the loss is covered under their cyber or crime coverages. They are shocked when neither of these policies pay the claim. The reasoning in the carrier’s eyes is that the loss came as a result of the client’s employee’s negligence not the banks. Additionally, many commercial crime policies have funds transfer exclusions and thus void the coverage for this type of crime. You should contact an expert to properly design your privacy and commercial crime policy coverage and develop strategic procedures for fund transfers.
About Axis Insurance Services, LLC
Axis Insurance Services, LLC (AIS) is a licensed professional liability insurance broker located in Franklin Lakes, NJ with agents licensed nationwide. They offer access to high-quality insurance products in the areas of Errors and Omissions insurance (E&O), Directors and Officers liability insurance (D&O), Crime, Fiduciary, and Privacy/Network security coverage for today’s professional service firms. AIS works with all company types including commercial real estate firms, real estate agents and brokers, property managers, insurance agents, medical groups, practice managers, third party administrators, lawyers, accountants, architects, engineers and many others.
Axis Insurance Services Inc., is not affiliated with Axis Insurance Company or its subsidiaries or affiliates in any way
Please note that the above information does not constitute any legal advice. You should consult your attorney prior to implementing any employment related policies and procedures for your company.