Does Your Company Do Wire Transfers? If so, be Careful

It’s Monday morning and you come to your office, turn on your computer, go to get a cup of coffee. You see your employees standing around in a huddle discussing something. Curious, you inquire about their
conversation.

You are alarmed by their looks of sadness and fear…and then the bookkeeper tells you your worst nightmare. Over the weekend, someone hacked into your company’s computer system and gained access to the bank records, passwords and relevant security information. With this information, the hacker then proceeded to wire money from your bank account to their account somewhere in India.

Your accounts have been drained dry. What do you do? Who is going to pay for this? How are you going to get your money back? Wire transfer risk is real. The scenario above happens. Sadly, it happens more often than you think.

According to Varonis, cybersecurity issues are becoming a day-to-day struggle for businesses. Recent trends and cybersecurity statistics reveal a huge increase in hacked and breached data from sources that are increasingly common in the workplace, like mobile and IoT devices.

Additionally, recent security research suggests that many companies have unprotected data and poor cybersecurity practices in place, making them vulnerable to data loss. To successfully fight against malicious intent, it’s imperative that companies make cybersecurity awareness, prevention and security best practices a part of their culture.

Will the Bank Accept Liability?

When you arrange for wire transfers with your company’s bank from your corporate account, two things will typically happen.

1. You will be asked to sign an authorization letter that becomes permanent record on file with the bank. This authorization letter will stipulate who can complete the wire transfer within your organization and will also have several security questions that must be asked to the authorized employee each time a wire
transfer is requested.

2. You will be asked to submit a separate form for each individual wire transfer request. This is the form that stipulates the amount of the transfer, where the money should go, etc. At the time of the wire transfer, the bank should ask the previously agreed-upon security questions, make sure the person they are talking to
is an authorized person per the record on file, and confirm that the wire transfer authorization information is accurate.

If they do NOT follow the security protocol, they can be held liable for a fraudulent wire transfer.

However, if they DO follow protocol but the hacker was good enough to obtain the security questions and answers from your system, convince the bank they were the authorized employee and the transfer  ultimately goes through, they are NOT legally liable for your loss. You are on your own.

Banks are extremely regimented. They follow protocol. Their phone calls are usually recorded. Even if you suspect they did NOT follow the security guidelines, proving that can be nearly impossible. It is incredibly rare that a bank does not follow through with their security obligations.

The odds are that you will not be reimbursed by the bank and you should look to an alternative remedy for this exposure.

How Can I Protect Myself?

There are two ways to procure coverage for this unique, but all too real risk.

1. A crime insurance policy. Most companies now cover crime exposures on their commercial insurance policies. There are many crime coverages available, but most business owners are electing to only cover employee dishonesty. The employee dishonesty limits chosen usually range from $25,000–$250,000. Your company can add coverage called “funds transfer fraud” to your existing crime policy to cover yourself in the event the bank does not accept liability in the above scenario. The only downside to this option is that you typically cannot add Funds Transfer Fraud at a limit higher than your employee dishonesty limit. If you have employee dishonesty at $50,000, you are limited to $50,000 for funds transfer fraud as well.

2. A cyber liability policy. Cyber liability policies cover your company for a variety of things, but most of the policies are purchased for coverage against hacker activity. This can be the loss of your customers’ personal information such as credit card numbers, addresses, etc. It also protects your employees’ personal information which may be stored on your company’s database. You are liable for the staunch protection of this information as well as the notification to these individuals if their personal information is compromised. The liability limits on the cyber liability policy are usually $1,000,000. “Funds transfer fraud” can also be added to the cyber liability policy, limited to 50% of the cyber liability limit. If you have a cyber policy with a limit of $1,000,000 you can add the funds transfer fraud coverage for a limit of up to
$500,000.

Determining which of these options is most appropriate for your organization depends on your operation. Do you have a crime policy currently on your commercial insurance package? Do you have a cyber risk other than funds transfer that would make a cyber liability policy attractive?

These are all things to discuss with your broker. As computer fraud and the hacker world become more sophisticated, these issues become more important to bring to the forefront. A good, thorough review of
your exposures and your coverage are paramount between you and your insurance professional.