White-collar crime should be of great concern to all risk management professionals. It can be occurring now, right in front of us. People we trust. How many times have we read in newspapers of the kind old bookkeeper, polished senior executive, parish priest, well-respected city manager, and other people we deal with day to day who are arrested for stealing from their employer or otherwise taking funds that did not belong to them?
Computers are an integral part of the financial accounting and transaction infrastructure of all organizations today. Organized crime in 2009 is not necessarily limited to that portrayed in the HBO series "The Sopranos." It is composed of organized individuals from around the world using state-of-the-art technology to steal funds by hacking and other means of penetration into an organization's accounting and finance technology systems.
When asked about internal procedures, many organizations state, "It cannot happen to us. Bill has been our controller for years. We would know if something was amiss." Yet, organizations seem to chance their profitability by not spending enough time ensuring that the peril of theft is minimized as much as possible. To paraphrase Pogo, "The white-collar thief looks just like you and me." Many risk management professionals seem to overlook or downplay the importance of crime risk management and appropriate use of crime insurance.
The peril of theft can pose loss to an organization as disruptive and costly as a wrongful termination, fire at a critical location, or a claim for products liability. "Theft," for purposes of this article, is defined as "the unlawful taking of property to the deprivation of the insured" and is the definition used in the Insurance Services Office, Inc. (ISO) Commercial Crime Policy (CR 00 23 05 06) (Loss Sustained) and Commercial Crime Policy (CR 00 22 05 06) (Discovery). Burglary (an act of breaking and entering a building with the intent to commit a crime) and robbery (the unlawful taking of property from care and custody of another threat of bodily harm), while significant exposures to many organizations, are not the focus of this article.
How Much Theft Coverage Is Provided by a Commercial Property Insurance Policy?
At what point does a crime policy insure the peril of theft that may not be insured by the commercial property policy? We begin with an examination of ISO property insurance forms: Building and Personal Property Coverage Form (CP 00 10 0607); Causes of Loss—Basic Form (CP 10 10 06 07); Causes of Loss—Broad Form (CP 10 20 06 07); and Causes of Loss—Special Form (CP 10 30 06 07). The reader is advised to review his or her own property polices as many insurers use a filing independent of ISO or use portions of an ISO form.
What Can Be Stolen from an Organization?
Assets can be stolen. Assets can be tangible (i.e., furniture or fixtures) or intangible (i.e. intellectual property). For the purposes of this discussion, we will deal with tangible assets defined by ISO as "personal property" which may range from office contents, furniture, and fixtures; inventory (raw, in process, finished); and cash and securities. The building and property coverage form declares specific tangible property is not covered:
Accounts, bills, currency, food stamps, or other evidences of debt, money, notes or securities. Lottery tickets held for sale are not securities.
If property is defined as "covered property" in commercial property insurance how is the peril of theft addressed in the three causes of loss policy forms?
The basic form and broad form provide coverage for loss from named perils. Neither form includes theft, burglary, or robbery as covered perils, but each do allow coverage for damage to a building caused by burglars breaking in or exiting the premises.
The causes of loss—special form is thought of as an "all risk of loss" form except for perils specifically excluded. Theft is a covered peril within the special form but coverage is subject to exclusion for:
Dishonest or criminal act by you, any of your partners, members, officers, managers, employees (including leased, employees), directors, trustees, authorized representatives or anyone to whom you entrust the property for any purpose: 1) acting alone or in collusion with others; or 2) whether or not occurring during the hours of employment. This exclusion does not apply to acts of destruction by your employees (including leased employees); but theft by employees (including leased employees) is not covered.
What Does This Mean?
No coverage for theft is provided in the basic or broad form whether it is theft of office equipment or cash and securities. While theft is a covered peril in the special form, loss is limited to theft of only a portion of tangible property; no coverage exists for tangible assets, such as money and securities. In this article, we will examine how ISO crime policies provide theft coverage to replace that excluded in commercial property policies.
ISO has several crime insurance policy forms available for an insured. Coverage is available on a loss sustained basis (CR 00 23 05 06) or discovery basis (CR 00 20 05 06). The difference in forms is similar in concept to occurrence and claims-made coverage triggers in liability policies: loss sustained is akin to an occurrence trigger, while discovery is similar to claims-made triggers. We use the ISO commercial crime policy loss sustained form as the basis of discussion within this article. The reader is advised to review his or her own crime insurance polices as many insurers use a filing independent of ISO or use limited portions of the ISO form.
From this point on we need to follow the risk management process for theft exposures and not rely on what we may have done for other covered property. The cash and securities loss exposure is different than the other tangible property exposures, and thus, risk financing treatments will need to be different as well. When we think of crime exposures and theft, we need to consider theft by an employee of an organization as well as theft by other than an employee.
It is, of course, crucial to identify crime exposures facing the organization. This includes identifying the entities and the dishonest acts to be covered.
What entities within the organization have a crime exposure? Most entities have a crime exposure even if it has limited tangible assets (i.e., no building and limited office contents) as in a service business such as accounting firm or a "paper corporation" that has assets of only cash accumulated for tax purposes. The risk manager must understand the crime exposure of each entity to ensure coverage will be arranged correctly. While an omnibus clause may cover all entities of the organization, it does not replace the due diligence needed from the risk manager to ensure that exposure and coverage are addressed in the most appropriate manner.
Oftentimes, employee benefit plans are overlooked as "entities" that have a crime exposure and then are not properly identified in the crime policy. The Employee Retirement Income Security Act (ERISA) is a federal statute that applies to employee benefit plans such as 401(k), profit sharing/pension, medical, dental, life, and disability plans. ERISA has many requirements for a plan sponsor (i.e., employer) including specific requirements for insurance.
The law requires that any person, not just an employee, who handles funds of an ERISA plan must be bonded. The ERISA bond requirement is a limit of 10 percent of the funds handled, subject to a minimum limit of $1,000 and a maximum limit of $500,000. A limit of $1 million per plan is required by ERISA if the plan holds employer securities other than through a pooled investment vehicle. Employee benefits liability coverage (EBL) found in a general liability policy or ERISA fiduciary liability insurance, sometimes referred to as pension trust liability, do not satisfy the ERISA requirements for crime insurance.
Appropriate due diligence should be done by the risk management professional to ensure ERISA requirements are understood and addressed as needed for employee benefit plans sponsored by any organization. The employee theft coverage provided by an ISO commercial crime policy can be used to satisfy ERISA if each plan is included as a named insured. ERISA also has some other requirements that are included within the ISO commercial crime policy. If your organization is not insured by a recent ISO crime policy, you will need to review it to see if a separate ERISA compliance endorsement is needed.
ERISA compliance in a crime policy is often confused with both EBL and fiduciary liability insurance. ERISA requires only employee theft coverage; it does not require any other coverage—not EBL or fiduciary liability. Complying with ERISA in the crime policy does not provide any coverage to the organization for third-party exposures that may arise out of failures in plan administration or breach of fiduciary duty. EBL and fiduciary liability policies are available for the third-party liability exposures created by sponsorship of an employee benefit plan.
Dishonest Acts by Employees or Non-Employees
There are eight coverage sections to an ISO commercial crime policy. Only one section is for employee theft; the others provide coverage for loss caused by theft by other than employee. Coverage for employee theft is broad as it includes coverage for loss by forgery or alteration, computer fraud, and funds transfer fraud. Theft by a non-employee can be insured for forgery or alteration, computer fraud, and funds transfer fraud. The insured organization is given an option by ISO to insure its employee and non-employee exposures by different coverage limits.
Exposure identification for theft exposures is critical to arranging appropriate crime insurance, especially since coverage can be arranged quite differently for that caused by an employee or non-employee. An organization's risk manager must understand how it may use its employees for certain functions and how its financial operations and transactions may be penetrated by non-employees. Exposure identification can become complex since ISO defines "employee" in a broad sense, and organizations today may use the services of a non-employee in a manner similar to how it actually uses its employees. Therefore, it is critical for the risk manager to understand the differences.
How does a risk manager determine who an "employee" is for purposes of crime insurance? First, carefully review the definition of "employee" in the crime insurance policy used. Then develop a process that allows the risk manager to interact with all parts of the organization: operations—hire employees; human resources—manage employee services, such as job performance and employee benefits; procurement/purchasing for outsourced activities; and finance and technology to understand how an "employee" may be able to circumvent policy and procedure to steal from the organization. Only when the overall "employee" and "non-employee" exposures are understood can the risk manager begin to quantify the various exposures and determine the appropriate use of commercial crime insurance. This may be the most important step in the crime risk management process.
A risk manager needs to approach crime risk management and use of insurance differently than other processes used for commercial property insurance. Only when employee and non-employee exposures are understood can the risk management professional determine the appropriate arrangement of crime insurance for the insured organization. We will review crime coverage triggers, coverages available in the ISO crime policy, and how to establish dollar limits by coverage section in Part 2 of this article.
Opinions expressed in Expert Commentary articles are those of the author and are not necessarily held by the author's employer or IRMI. Expert Commentary articles and other IRMI Online content do not purport to provide legal, accounting, or other professional advice or opinion. If such advice is needed, consult with your attorney, accountant, or other qualified adviser.