Associations and Nonprofits Should Take Steps To Protect Against Cyber Theft

By Marc Kramer

Everyone knows that if a commercial bank account is victimized by cyber thieves, there’s no need to worry; your bank or the Federal Deposit Insurance Agency (FDIC) will make it whole, right?

Wrong!

The FDIC only covers bank accounts against the bank going out of business. Perhaps more importantly, while banks are obligated to cover losses to personal accounts, they are not responsible for doing the same for business accounts, including those of associations and nonprofits.

Yes, if you argue/beg/plead with your bank, it might reimburse some or even all of your losses. But there’s no guarantee of anything, and you might spend a few weeks with your account locked down, making it impossible for you to: meet payroll; pay vendors; stop checks from bouncing; or prevent loans from possibly being called in because you are out of covenants. In essence, you won’t be able to do much of anything, and that can be crippling.

That’s what happened to Philadelphia-area chiropractor Kevin Kita, who was twice victimized but isn’t sure exactly how. Both times, he was left in the lurch while the cybercrime was under investigation. He could deposit money, but he couldn’t withdraw any or pay bills, because his account showed what appeared to be a large deficit. Luckily for Kita, his bank eventually did reimburse him.

Ann Talbot, the chief financial officer of engineering and construction for Golden State Bridge, Inc., of Martinez, California, has also seen her company twice victimized by cyber theft. In 2006, someone reached into the company’s bank account, established a wire, then sent $100,000 to the Philippines. Golden State Bridge was able to claw back about $70,000, but the perpetrator never was caught. Talbot believes the breach happened on the bank side, which the bank denied, even though the breach occurred in a building across the street from the bank, and Talbot’s login and password were used.

The second incident occurred in May 2010 at a different bank and likely involved a breach in Golden State Bridge’s own system. The office manager’s computer was breached, and her login and password were used. Talbot believes it happened on Facebook, where someone was able to load a Zeus keylogger virus and wait until she entered the bank account. The company initially lost about $125,000, but was able to retrieve $30,000. It also had a blanket business policy at the time, which covered the rest.

At a March hearing, U.S. Representative Chris Collins (R, NY) cited a recent study showing that "nearly 60 percent of small businesses will close within six months of a cyber-attack." Bloomberg has reported that more than $1 billion is stolen annually from bank accounts. Seventy-three percent of the time money gets transferred, according to a joint study by Guardian Analytics and Ponemon Institute. In 61 percent of the attacks, money was lost. The average annual cost of cyber attacks on small- and medium-sized businesses and organizations was $188,242.

So, what should associations and nonprofits do? For one thing, don’t bury your head in the sand. This is a real problem that requires you to be proactive.

The first step is to consider dual computer systems: one dedicated to banking and the other for the rest of the association’s operations. Next, authenticate everything with your bank. Hackers often start small as a test run. A 38¢ transfer might not seem like a big deal, but it could just be a precursor to a five-digit withdrawal.

Consider cyber theft insurance. While you’re likely to already have some or all of the following insurance—officers and directors liability insurance, errors and omissions, auto, worker’s compensation, or employment practices liability—none of them typically cover cyber theft. Some policies offer specific cyber theft protection, while others offer the coverage as part of a rider on other existing policies.

Here are some additional tips for protecting your association.

  • Keep your firewall on.
  • Install or update your antivirus software.
  • Install or update your antispyware technology.
  • Keep your operating system up to date.
  • Be careful with what you download, especially if you don’t know the sender.
  • Turn off your computer when it’s not in use.
  • Use difficult-to-guess passwords instead of "12345" or "password."
  • Back up your data.

Benjamin Franklin didn’t have to worry about cyber attacks when he noted that an ounce of prevention is worth a pound of cure. By taking a proactive approach to cyber security, you have ample opportunity to avoid being a victim.

Be smart, and be safe.

Marc Kramer is the co-founder of Commercial Deposit Insurance Agency, Inc. (www.cdiaus.com) of Radnor, Pennsylvania.