Employee Theft and Cyber Fraud Risks Are Underinsured
Embezzlement is a long-established risk; cyber fraud is relatively recent. What they have in common is that insurance seldom covers the total risk. Recent studies bear this out.
U.S. Captive Insurance Law reports on recent studies by Hiscox and The American Society of Fraud Examiners (http://www.uscaptiveinsurancelaw/com/blog/embezzlement-more-common-and-very-costly):
- 22% of occupational frauds caused at least $1 million in losses.
- Fraud schemes typically take 16 months to discover, and 29% persist for over five years.
- Average loss for an employee theft continuing for over five years is $2.2 million; for losses continuing over ten years, the average is $5.4 million.
- Median loss from owner/executive fraud was $850,000, compared to $100,000 from lower-level employees.
In a more recent study (https://www.hiscox.com/documents/2018-Hiscox-Embezzlement-Study.pdf), 79% of cases involved two or more people working in concert. 70% of schemes were conducted over a year or more; average time with the organization was eight years. Companies recovered 39% of loss at best, and half recovered nothing.
In estimating your exposure to employee theft, consider how much a trusted employee could steal, and how long it would take to detect the theft.
The SEC has issued an investigation report (at https://www.sec.gov/litigation/investreport/34-84429.pdf) on nine public companies that were victims of cyber fraud. There were two types of fake emails: some purported to come from company executives, others from vendors. Each company lost at least $1 million; two lost more than $30 million; and total losses were almost $100 million. Most of the losses were not recovered. The SEC decided to issue the report so that companies would be aware of the threat of spoofed or manipulated emails and devise controls to combat them.
As I have repeatedly said, social engineering fraud needs to be addressed both in a company’s insurance program and through training employees to recognize and report suspicious emails.