The Risks of Internal Theft vs External Theft for Financial Professionals

The topic of external theft is familiar for many advisors. Assets you oversee are attractive to criminals and so is the personally identifiable information of your clients, investors and plan participants. Stories abound of fraudsters and internet hackers stealing funds from financial firms and their customers. Yet advisors also face risks from inside their own organization.

Internal theft can drain the firm’s operating accounts and endanger assets under management. Here’s an overview of the risks of internal theft versus external theft for financial professionals, including the differences in the risks, which insurance protects against each, and the policies needed to prevent a gap in coverage.

External Theft Risks

As a financial professional managing external theft risks, it can feel like you have a big target on your back. In a way, you do. Finance consistently ranks among the top five business sectors targeted by criminals.

Tactics

Financial theft used to come in the form of train robberies and bank holdups. Yet the main risks now entail phone and computer crime. Instead of the strongarm tactics of the past, crime now starts with social engineering. Firm owners and employees are tricked into divulging sensitive information such as passwords or security procedures that can then be used to further a crime.

Impersonation of VIPs, bosses, coworkers, clients and more sometimes occurs over the phone, but also often happens online through phishing, malware, ransomware and other web, messaging and email scams. After compromising a firm’s security, external thieves commit wire fraud, using their new access to steal funds out of accounts.

Exposures

In external theft incidents, client accounts and their investments are often targeted for unauthorized distributions. Consequences for financial professionals are unpredictable. If the monies aren’t recovered, clients often sue. Plan sponsors, administrators, recordkeepers and other fiduciaries may be named in the suit, even if not involved in the theft. Overall costs can then balloon to involve fees for cyber security experts, legal defense, regulatory fines and more.

If your firm is the victim of an external theft, a financial loss is a given. If the funds stolen belong to your firm, the exposure may end there. But more often than not, the funds stolen belong to a third party to which you owe a fiduciary duty. For this reason, many cases of external theft involve not only the loss of the initial sum, but also settlements, judgments and regulatory fines.

Protection

In many cases, the risk of the theft of digital funds by an outside actor can be protected against with a quality cyber liability insurance policy. As the name suggests, cyber policies are specially designed to protect businesses from online crime. Crimes that involve online customer portals being hacked, client accounts being accessed by criminals, emails, text messages and voice calls being spoofed to misdirect wire transfers and more all qualify for coverage under typical policies.

Additionally, the liability aspect of a cyber liability policy is important to call out because it protects your firm against claims of negligence and breach of fiduciary duty that may result if an external theft targets client accounts and investments or plan assets. This protection extends to legal defense costs, cyber forensics expenses and judgments or settlements that may become a part of the claim.

Limitations

A robust cyber liability policy offers important protection for advisors and their firms, but it doesn’t cover everything. Accusations of excessive fee charges, poor investment performance and other fiduciary negligence claims not involving theft are best served by a traditional errors and omissions policy.

A cyber liability policy also does not provide coverage for claims where the source of the theft is inside your own firm. For this risk, it’s important to have additional protection.

Internal Theft Risks

Internal theft risks aren’t something most advisors want to think about, but they do exist. One survey found 351 incidents which cost financial services firms a median loss of $100,000 in 2022. Internal theft risks share a number of similarities with external threats, but there are some important differences.

Tactics

Like external theft, today’s internal theft often involves computers and the interpersonal trust established between the firm and the thief through social engineering tricks. But in this case, the computer involved is often the employee’s assigned work computer that is connected to the firm’s own network. Internal thieves also don’t need to impersonate those with authority to move funds, since they are often delegated such authority themselves by their employer.

A firm can run into problems with internal theft when the wrong person is entrusted to sign checks; control, transfer or disburse funds; or have oversight over such sensitive activities. While background checks may help firms avoid hiring known dishonest employees, a majority of internal theft incidents are committed by employees who pass a background check before being hired.

Exposures

Unlike an external threat, internal thieves have more options for when, where and how they take possession of money that is not theirs. In the financial services industry, some of the most common exposures come from embezzlement and other high-level corruption schemes. Theft of cash, check tampering and financial statement fraud are also common.

As with external thefts, incidents of internal theft that result in the theft of funds owned by customers, clients and beneficiaries are likely to lead to the firm facing legal and regulatory actions. Yet even a theft of the firm’s own assets could create an external exposure, depending on how the incident was handled and what new safeguards were put in place. This is because there is a greater risk for a firm that experienced an internal theft of its own assets later experiencing an internal theft of its assets under management.

Protection

Just as is possible with external theft, insurance can help protect your firm from the risks of internal theft. The tool used to do this is called a fidelity bond, sometimes also referred to as an ERISA bond or crime insurance. This type of coverage is designed to protect the firm’s assets under management from dishonest or fraudulent acts committed by the firm’s fiduciaries.

Coverage typically protects against internal theft by in-house fiduciaries, trustees and administrators, as well as outside contractors or consultants with the authority to manage assets under management.

Limitations

Like a cyber liability policy, a fidelity bond policy is an important piece of protection for advisors and their firms, but it doesn’t cover everything. It is important to note that fidelity bonds do protect the firm’s assets under management from intentionally dishonest acts by the firm’s fiduciaries, but they do not protect those dishonest fiduciaries from any civil or criminal liability for their intentional actions.

Because crime insurance policies often cover employee theft, fraud, robbery and digital crime, there may be some overlap with a cyber liability policy. However, the digital crime protection of a fidelity bond is usually much more limited than that provided by a dedicated cyber liability policy. Without fidelity bond protection, most advisors would have a coverage gap.

Complete Theft Protection Is a Must

Today’s financial professionals face a broad spectrum of theft risks. From online scams that steal funds from an operating account to employee misconduct that drains a plan participant’s retirement savings, the protection you choose for your firm needs to be comprehensive.

The Lockton Affinity Advisor Insurance Program offers coverage designed especially for the broad-spectrum risks of advisors like you. Our industry-leading Errors & Omissions coverage protects you from today’s risks, with protection that meets the custodian requirements of Schwab, Fidelity and Pershing.

Lockton Affinity Advisor’s Fidelity Bond and Cyber Liability coverage complete your protection, ensuring that common gaps between piecemeal policies are covered. With over 30 years of industry experience, you can be sure that your internal and external theft risks are protected against.

Most importantly, our coverage comes with fiduciary coverage automatically included. This coverage meets ERISA standards, including for services you perform as an ERISA 3(21) and 3(38) advisor.

Protect your firm today with Lockton Affinity Advisor.