Employee Theft and Cyber Fraud Risks Are Underinsured

Employee Theft and Cyber Fraud Risks Are Underinsured

February 28, 2019 Business Insurance and Risk Management, The Beacon Blog 0 Comments

Embezzlement is a long established risk; cyber fraud is relatively recent. What they have in common is that insurance seldom covers the total risk. Recent studies bear this out.

U. S. Captive Insurance Law reports on recent studies by Hiscox and The American Society of Fraud Examiners (http://www.uscaptiveinsurancelaw/com/blog/embezzlement-more-common-and-very-costly):

  • 22% of occupational frauds caused at least $1 million in losses.
  • Fraud schemes typically take 16 months to discover, and 29% persist for over five years.
  • Average loss for an employee theft continuing for over five years is $2.2 million; for losses continuing over ten years, the average is $5.4 million.
  • Median loss from owner/executive fraud was $850,000, compared to $100,000 from lower level employees.

In a more recent study (https://www.hiscox.com/documents/2018-Hiscox-Embezzlement-Study.pdf) 79% of cases involved two or more people working in concert. 70% of schemes were conducted over a year or more; average time with the organization was eight years. Companies recovered 39% of loss at best, and half recovered nothing.

In estimating your exposure to employee theft, consider how much a trusted employee could steal, and how long it would take to detect the theft.

The SEC has issued an investigation report (at https://www.sec.gov/litigation/investreport/34-84429.pdf) on nine public companies who were victims of cyber fraud. There were two types of fake emails; some purported to come from company executives, others from vendors. Each company lost at least $1 million; two lost more than $30 million; and total losses were almost $100  million. Most of the losses were not recovered. The SEC decided to issue the report to make companies aware of the threat of spoofed or manipulated emails and devise controls to combat them.

As I have repeatedly said, social engineering fraud needs to be addressed both in a company’s insurance program and through training employees to recognize and report suspicious emails.

About the Author

Harry Cylinder

Harry Cylinder, CPCU, ARM has spent nearly fifty years in the insurance industry, the majority of the time as a consultant. He has been employed by The Beacon Group of Companies since 2008, specializing in the review and analysis of property and casualty coverage forms. Mr. Cylinder has been reviewing policy forms as they have evolved over the past decades. In 2008 he published an article in the CPCU Journal which was the first description of cyber insurance coverage for a general insurance audience. Since that time he has regularly written on cyber and other topics for The Beacon Companies’ blog.