MPR offers insurance for well-established crime techniques, as well as those that are newly emerging.
The Crime and Cyber Crime policy has been developed using the insight gained from many years at the heart of the crime insurance market. Experience of many of the straightforward criminal methods, combined with fraud strategies that have developed more recently, have shaped the design and content of this product to address the risks facing all types of organisations.
Why do your clients need crime insurance?
- Statistics puts the cost of fraud to the UK economy at £137 billion a year – that’s more than £4,000 per second.
- 64% of UK businesses surveyed by PwC in their 2022 Global Economic Crime Survey had experienced fraud in the preceding 24 months.
- The average organisation loses approximately 6% of its total annual revenue to fraud and abuse committed by its own employees.
- Social engineering fraud continues to be a popular method for third parties to deceive businesses into transferring funds.
What does the policy cover?
An ‘All Risks’ insuring clause, which includes cover for:
- Theft of money, securities or property belonging to an insured organisation;
- Theft of money, securities or property belonging to a client of an insured organisation;
- Social engineering fraud;
- Expenses arising from crime.
What limits are available?
Up to £5 million for any one claim.
Expense costs have their own extra limit (typically up to 10% of the policy limit, or £500,000, whichever is less).
What does an underwriter like to see?
- Organisations with good checks and controls in place, such as:
- call back procedures for phone transfer requests;
- structured procedures around bank account changes;
- robust supplier and vendor procedures;
- dual controls;
- HR background checks;
- internal audits.
- Financially stable organisations
Is there anything an underwriter wouldn’t insure?
There are higher hazard business activities with good controls and lower hazard business activities with poor controls, so much depends on this detail. That said, some areas will, by their very nature, merit closer attention. These include;
- housing associations;
- international charities;
- government and ex-government bodies;
- casinos and gaming companies;
Why choose MPR?
- Deep experience over many years in all the products we underwrite
- Simple and clearly stated policy language with the removal of ambiguity
- A straightforward, broker focussed, technical and service based proposition
- Strong financial rating
- Single, all risks, insuring clause
- Much less chance of a loss falling against an uninsured or unnamed peril or into a policy gap.
- ‘e-theft’ or ‘cyber’ loss
- This cover has always been within scope of crime insurance and is typically not covered by policies that have been developed to deal with emerging cyber risks. This policy definitively addresses this exposure.
- No ‘direct financial loss’ requirement
- Policies often cover ‘direct financial loss’ caused by the crime. This is a time-hallowed expression but is a more complex creature than it looks. The line between direct financial loss and indirect financial loss is often factually and legally difficult to draw with room for some uncertainty.
- Cover for the clients of an organisation
- Many organisations have money, securities or property belonging to a client for which it is liable if it is stolen.
- Worldwide coverage
- The policy reimburses covered crime losses that occur anywhere in the world. Overseas losses, either by source of the crime or through the destination of misappropriated funds, are a feature of many of the emerging crime themes.
- A 90-day notification period
- When a loss occurs, an organisation may be busy with internal protocols, or restoring confidence to its customers. The policy allows them to put their business first, and has an extended period from the point of discovery to provide details of any crime.
What can go wrong?
The marketing manager of a business advisory company received irregular and unauthorised payments from suppliers whom he had introduced to the business. He made arrangements with some of these suppliers to inflate their invoices to maximise his ‘commissions’. He also used the suppliers to conduct work for other organisations (in which he had interests) and paid for the work out of his employer’s account. The cost to the company he worked for was over £250,000.
Many examples of employee theft are straightforward, crude or opportunistic and this was no exception. In this case there was too much trust placed in individuals which led to a simple exploitation of a weakness in internal controls. There was also little or no diligence around appointment of suppliers and no dual controls.
The fraud was uncovered after a tip off from a supplier. Whistleblowing is the most common means of detection, in over 40% of cases, with only around 35% uncovered by corporate controls. Less than 3% are discovered by law enforcement and many by chance, retirement or even the death of the perpetrator.
A call was received on a direct dial line, asking for a specific individual. The caller identified himself as the assistant to the CEO, advising that the CEO wanted to speak with her urgently. An individual impersonating the CEO was then transferred and explained that he was arranging an extremely confidential and commercially sensitive acquisition. Using the genuine email address of the CEO, the employee received instructions to transfer money in varying amounts. The employee obtained the authorisation of a colleague, explaining that she was unable to identify what the money was for because of the secrecy. She then transferred over £300,000 to the specified destination account.
The employee only became suspicious when she did not get a return email after the funds had been transferred. Even then, this was not raised with colleagues and was only notified to the bank. The employee then took 2 days holiday before escalating it on her return.
Whilst many organisations have Social Engineering Fraud policies in place, they need to be followed. In this case, following a simple procedural rule would have prevented the loss. Moreover, these kinds of losses are time critical. The money was transferred to a bank in China, where the freezing of accounts is complex, expensive and can take up to 6 months. Dual authorisation is vital but it is equally vital for the procedures to be followed. In one case, where over €700,000 was transferred, authorisers had exchanged login and password details so they could approve transfers without having to make a request to each other.
A car sales executive disguised his thefts by allocating subsequent customer receipts to the sales which he had previously made. In what was a simple fraud, he would take card payments from customers but, when he entered these onto the computer system, he would allocate the payment to another customer who he had previously stolen cash from. Stock balancing only took place once a month, allowing a six-figure sum to be misappropriated in a relatively short space of time.
Delays between the stock take and the date of the debtor listing allowed for manipulation. Manual books were kept and sales staff could raise credit notes and add discounts, which allowed amounts to be written off. Cash counting was allowed by individuals and remittance was sporadic rather than daily.
The matter was discovered after the employee returned from holiday. No sales had been made during that time so he was unable to collect sufficient cash on his return to hide the deficit that had built up. The employee played on his reputation of being disorganised so that the administration staff assumed discrepancies and delays were a consequence of poor record keeping. In truth, he was a drug addict and alcoholic and needed more cash than he was earning to fund his lifestyle. This also meant there was very little prospect of recovery.
In another case involving vehicle retail, the Assistant Administration Manager misappropriated more than £400,000 in cash deposits over a four year period. The court sentence was £6,000 in costs and a Community Service Order. No recovery was made.