Workplace fraud is a common, everyday occurrence and a business reality. Every business, whether it is large or small, is vulnerable to these crimes. Workplace fraud can take many forms—including embezzlement, forgery, theft of inventory and other assets, and most importantly computer crime. Many of these frauds can continue unchecked for years.
Workplace fraud is a Real risk
India has witnessed many scams, such as the Satyam Scandal (which ultimately led to a 2-year ban on the audit practice of a Big 4 firm), the 2G Scam, the Sahara Scam, WannaCry and Petya, to name a few. Recently, a pen manufacturer has been in the news for a financial scam as well. To keep such instances in check, certain regulations have been put in place. For example, the Companies Act 2016 requires specified types of companies to establish a vigilance mechanism for their directors and employees. Similarly, SEBI has mandated setting up a whistleblowing mechanism for listed companies in India.
Startups are not exempt
However, workplace frauds continue to dominate the corporate world. Recently, we learnt about a cab aggregator ordering an investigation into fraud allegations against the company’s HR and administration head. He has allegedly been involved in favouring select recruitment vendors and receiving money in return, estimated to be worth millions of dollars. The report added that the cab aggregator firm has hired one of the ‘Big Four’ audit firms to lead the internal probe. Cases of fraud by employees of a food aggregator had come to light a couple of years ago.
Public Sector Undertakings are Equally at Risk
We cannot ignore the Rs 11,500 crore fraud in a state-run PSU bank by three of its employees, who issued fake Letters of Undertaking (LoUs). These employees used SWIFT, the global financial messaging service, to move millions of dollars across borders every hour, smartly bypassing the core banking system (CBS); they were aware of a loophole in their system, that credit was not readily available in the bank’s FINACLE software system, and took advantage of it.
Cyber Frauds: the emerging risk
A growing number of types of fraud are being perpetrated by electronic means. Hacking, slamming (changing your telephone service without your knowledge), phishing (acquiring user names, passwords, credit card information), identity theft and other forms of business fraud are some of the most difficult to control. As technology becomes more critical to organizations, the number of cyberattacks has increased, and a single incident can inflict damage to the tune of hundreds of millions of dollars.
Cyber-related risks are two of the top five risks facing corporations, according to the World Economic Forum’s 2018 Global Risks Report.
Various cyber attacks encountered in India
WannaCry
It is considered one of the biggest cyber attacks in history, and the top five cities impacted by the ransomware attack were Kolkata, followed by Delhi, Bhubaneswar, Pune, and Mumbai. Almost 60 percent of the ransomware attack attempts by the malicious WannaCry virus were targeted at enterprises, while the rest were on individual customers. WannaCry infected computers running older versions of Microsoft operating systems such as XP, and the cybercriminals demanded a fee of about $300 in crypto-currencies like Bitcoin for unlocking the device. The impact was huge: the Police Department in Andhra Pradesh was disabled, West Bengal State Electricity Distribution Company Limited (WBSEDCL) was attacked, a government-run hospital in Odisha was targeted, over 120-odd computers connected with GSWAN (Gujarat State Wide Area Network) in Gujarat were affected, and the Maharashtra Police department was also partially hit. Further, computers in two panchayat offices in Wayanad and Pathanamthitta in Kerala were disabled too, and there were reported cases in states like Delhi and Tamil Nadu.
Petya
One terminal, operated by APM Maersk, at India’s largest container port, Jawaharlal Nehru Port (JNPT) near Mumbai, was affected by the Petya attack, along with local manufacturing units of global companies.
Data breaches
Indian restaurant search and discovery service provider Zomato reported in May that the company’s database was breached, which led to personal details of 7.7 million users being stolen. While this was a serious issue, the leaked information was also reportedly listed for sale on a Darknet market. Following the incident, Zomato contacted the hacker and took down the data. Details about the deal have not been disclosed. Similarly, Reliance Jio, the trending network service provider, was also a victim of a data breach.
Frauds Put Corporates at Risk
Fraud is a global scourge that harms corporate reputations, costs millions and ruins lives. It is a heavy economic and moral burden on society. Before we go further, let us first understand what fraud is.
Wikipedia defines a fraud as
“a deliberate deception to secure unfair or unlawful gain, or to deprive a victim of a legal right. Fraud itself can be a civil wrong (i.e., a fraud victim may sue the fraud perpetrator to avoid the fraud or recover monetary compensation), a criminal wrong (i.e., a fraud perpetrator may be prosecuted and imprisoned by governmental authorities) or it may cause no loss of money, property or legal right but still be an element of another civil or criminal wrong.”
A KPMG survey report states that weak internal controls are a contributing factor for three fifths of the frauds (close to 61%). Successful fraud risk management efforts tend to go beyond strong internal controls or the presence of policies.
Major Contributors to Fraud: Insiders, Outsiders and Collusion
Among fraudsters who were employees, 38% had worked in the organization for more than 6 years, and 58% of the fraudsters are Management and Executive members.
What should companies do to manage the workplace fraud?
A highly ethical business culture is an essential element in any effective fraud prevention and deterrence program, but the risk to business due to crime still persists. The determined fraudster or thief will exploit control weaknesses in even the most well-prepared organizations. Hence it is of vital importance that Indian corporates understand the importance of a Commercial Crime Insurance Policy as well as a Cyber Risk Insurance Policy.
What is Commercial Crime Insurance Policy and what does it cover?
A commercial crime policy typically provides coverage against:
- loss of money
- securities
- other assets resulting from employee theft, computer fraud, forgery
- loss of employee benefit plan assets etc.
What is Cyber Risk Insurance Policy and what does it cover?
A cyber risk insurance policy typically provides cover against:
- Legal Liability to others for Privacy Breaches or Computer Security Breaches
- Loss to Data/Information
- Loss of Revenue due to cyber attack
- Public Relations Expenses
- Regulatory Actions or Scrutiny expenses
- Incidental Expenses to respond to Cyber Attack
- Cyber Extortion Expenses
Here are the definitions of the coverages available with a commercial crime and a cyber risk insurance policy:
Employee Theft Cover:
It includes loss of securities, money or other property by theft or forgery by the employee of the company.
Premise Cover:
It includes losses from destruction, wrongful abstraction, theft of securities or money from the policyholder’s premises by third-parties.
Transit Cover:
It comprises losses from disappearance or destruction of money or securities outside the policyholder’s premises by a third party.
Depositors Forgery Coverage:
If the insured or the insured’s bank, at the request of the insured, shall refuse to pay any of the foregoing instruments (cheque, draft, promissory note, bill of exchange, or similar written promise, order or direction to pay a sum certain in Money, made or drawn by, drawn upon the insured) alleging forgery or alteration, and this refusal shall result in a suit being brought against the insured, then any reasonable legal expenses will be considered as a loss under the policy.
Computer Fraud Coverage:
It comprises losses which a policyholder has to endure due to computer fraud committed by a third party, along with the expenses which the policyholder has to incur due to a violation of computer
Companies can also opt for the following extensions:
Care, custody and control for money and securities:
Coverage includes loss of third-party money or securities which is in the care, custody or control of the insured.
Credit Card Forgery Coverage:
Coverage includes theft of the insured’s assets or funds due to forgery or alteration of any written instrument required in connection with any corporate credit cards.
Staff coverage:
Cover for outsourced employees, temporary employees, interns, trainees, students, contractors and sub-contractors: the definition of employee is extended to include them.
Data Reconstitution Costs:
Coverage includes costs incurred in reproducing or amending the software programs or systems following a Criminal Act in respect of the use of the computer hardware or software programs or systems owned and operated by the Insured (correction costs).
Money or Securities:
Damage, destruction and disappearance: coverage includes financial loss due to physical loss of, damage to, or actual destruction or disappearance of money or securities.
Fees, Costs & Expenses:
Coverage includes any reasonable legal fees, costs and expenses incurred and paid by the Insured in the defence of any demand, claim, suit or legal proceeding.
Use of investigative specialists:
Cover is extended to include the fees and expenses of an investigative specialist, to investigate the facts behind a loss covered or loss potentially covered under this policy and to determine the quantum of such loss.
Criminal Damage:
Cover is extended to include loss sustained as a result of criminal damage committed with the principal intent to cause the insured to sustain such loss.
Violent or forcible theft of property by any other person:
Loss caused by theft or attempted theft following entry to or exit from the premises by forcible and violent means by any other person (third party).
Interest payable or receivable:
Amount of any interest which would have been receivable but for a loss covered under this policy, or which becomes payable by the insured resulting directly from a loss covered under this policy.
Cyber Extortion:
Coverage includes financial loss suffered by the Insured due to extortion. Extortion includes any threat to:
i) cause impairment to Computer Systems
ii) deny access to Computer System or Communication System
iii) sell or disclose confidential security codes or confidential information
iv) introduce or activate a Malicious Code
v) cause an insured to surrender Money, Securities or Property by reason of having gained unauthorized access to Computer Systems that results in Money, Securities or Property being surrendered.
In most cases, a commercial crime insurance policy comes with a deductible clause, which states that at the time of loss a part of the claim must be paid by the policyholder. The insurance company pays the remaining amount. Further, most insurance companies allow customizing a commercial crime insurance policy to cover various fraud-related losses as per the company’s specific requirements.
Takeaways:
Although insurance can help recoup some monetary losses resulting from fraud, other losses can never be recovered, such as losses resulting from adverse publicity, the disruption of operations, and time spent with law enforcement officials and others.
While it is not possible to completely eliminate fraud risk, it is possible to reduce the risk and to minimize fraud-related losses and other consequences through effective loss control measures. Reduction of fraud risk requires a thoughtful, comprehensive, and proactive approach. Fraud risk management includes establishing effective loss control measures that focus on prevention, detection, and response. Given the potential costs of workplace fraud, proactive fraud risk management makes good business sense.
Resources
- http://www.brinknews.com/its-time-to-quantify-cyber-risk-exposure/
- https://assets.kpmg.com/content/dam/kpmg/pdf/2016/05/profiles-of-the-fraudster.pdf
- https://www.indiatoday.in/india/story/petya-ransomware-major-global-cyber-attack-wannacry-jawaharlal-nehru-port-trust-985106-2017-06-28
- https://www.gizbot.com/internet/features/cyber-attacks-that-affected-india-in-2017/articlecontent-pf82318-046533.html