Exclusively from Foa & Son
Nearly every organization today relies on some form of electronic tool in its banking and financing activities, including cash management as well as for core internal processes such as order entry, billing, inventory controls, and accounts payable. The main tool used is the organization’s computer system, which may be linked to other systems, including one or more outside banking or financial institutions.
The internet is a great conduit for an organization to gain access to and manage critical financial and other services, but it is also a means for thieves to gain unauthorized access to an organization’s computer systems. Your first line of defense always has to be your own internal and external controls, but since the possibility of a breach always exists it’s worth considering a couple of small enhancements to your crime policy.
Computer Fraud coverage is a standard coverage provided in Insuring Agreement 6 in the standard Insurance Services Office (ISO) form, and almost all insurance companies writing these policies offer it, or an equivalent. Coverage is provided for loss or damage to money, securities, and other property which results directly from use of any computer to fraudulently cause a transfer of insured property from inside the insured’s premises or a bank’s premises to a person or place outside of the insured’s premises or a bank’s premises. This is something of a duplication in coverage, since if such a loss was proven to have occurred due to employee dishonesty that coverage section would apply, but this section is broader because 1) you don’t have the burden of proving it was an employee that caused the loss and 2) loss caused by non-employees is covered (the cleaning lady’s teenage hacker son comes with her one night, sits at your terminal and cleans out your bank account).
Another general weakness found in many crime insurance policies is lack of coverage for fraudulent funds transfer, which is ISO Insuring Agreement 7. Coverage is provided for loss of funds resulting directly from a fraudulent instruction (from any source) that directs a financial institution to transfer, pay, or deliver funds from the insured’s transfer account. A common exposure for many organizations is a transfer of funds by electronic instruction (wire, telefacsimile) or voice initiated transfer (telephone). The term “Fraudulent Instruction” in ISO forms means:
1. An electronic, telegraphic, cable, teletype, telefacsimile or telephone instruction which purports to have been transmitted by you (the Insured), but which was in fact fraudulently transmitted by someone else without your knowledge or consent;
2. A written instruction issued by you, which was forged or altered by someone other than you without your knowledge or consent, or which purports to have been issued by you, but was in fact fraudulently issued without your knowledge or consent;
3. An electronic, telegraphic, cable, teletype, telefacsimile, telephone or written instruction initially received by you which purports to have been transmitted by an “employee” but which was in fact fraudulently transmitted by someone else without your or the employee’s knowledge or consent.
Note that this coverage does not rely on a computer, thus this coverage supplements that provided to the insured organization by the Computer Crime insuring agreement. As with computer crime, there is some overlap with other sections of the policy, but there is important new coverage in this section which would make it the preferred section under which to file a claim if the need arose.
The premium charge to add computer crime and fraudulent funds transfer to the crime policy is in almost all cases quite reasonable, usually a small percentage of that charged for the employee theft coverage, which is usually not an expensive coverage to begin with. These two coverages are a must for all organizations today.