This is likely to be a subject I return to many times in the future as I see this as a major risk for all businesses large and small. At this point in time, I am not sure that there is a satisfactory solution but I shall make it a priority to find one for my clients.
A few weeks ago a client of mine called me to say that he had checked his online banking and found that a substantial sum of money had been transferred out of his account to an unknown third party. He immediately called his bank and advise them of this erroneous transaction. They alerted their fraud team and set about recovering the loss.
It transpired that my client had been carrying out routine payroll transactions using his security card in the relevant card reader as required by his online banking. He then received a conference call which took over an hour to complete and during this time, whilst his security card was still in the reader, his computer was hacked and the transfer authorised. The source of the hack was not identified but it appears that his computer had been infected with some form of malware which allowed the hack to take place.
I was alerted to the loss immediately and consulted their insurance policy which includes a section for hacking and virus loss. Close examination of the wording showed that the specific loss of money in these circumstances is not covered under this kind of policy and I set about checking other similar wordings. All of the wordings I could find provided a similar cover for loss or damage to the insureds own network systems or data but not for subsequent misuse of online banking credentials. My assumption is that insurers do not feel there is a risk of loss as all of the banks provide an online banking guarantee to indemnify any losses arising out of the use of online banking. However, on this occasion, the bank concerned refused to honour this guarantee as the loss had occurred whilst the security card was in the card reader. Therefore, I feel there should be some contingent cover provided for the failure of the online banking guarantee by the insurers of this type of risk.
I had taken this up with a couple of leading insurers and will report back on progress here.
Fortunately, in this particular case there was a happy ending with the bank agreeing to refund the loss in full. The client felt that the bank had been slow in reacting to the lost and have they avoided delay they may have been able to recall the fraudulent transaction.