The typical organization loses 5% of revenue each year to fraud – a potential projected global fraud loss of $3.7 trillion annually, according to the ACFE 2014 Report to the Nations on Occupational Fraud and Abuse.

In its new Embezzlement Watchlist, Hiscox examines employee theft cases that were active in United States federal courts in 2014, with a specific focus on businesses with fewer than 500 employees to get a better sense of the range of employee theft risks these businesses face. While sizes and types of thefts vary across industries, smaller organizations saw higher incidences of embezzlement overall.

According to the report, “When we looked at the totality of federal actions involving employee theft over the calendar year, nearly 72% involved organizations with fewer than 500 employees. Within that data set, we found that four of every five victim organizations had fewer than 100 employees; more than half had fewer than 25 employees.”

Overall, they found:

Hiscox Embezzlement Watchlist

It is particularly interesting to note that women orchestrate the majority of these thefts (61%) – a rarity in many kinds of crime. Yet the wage gap extends even to ill-gotten gains, Hiscox found: While they were responsible for more of these actions, women made nearly 30% less from these schemes than men.

Drilling down into specific industries, Hiscox found that financial services companies were at the greatest risk, with over 21% of employee thefts – the largest industry segment – targeting an organization in this field, including banks, credit unions and insurance companies. Other organizations frequently struck by employee theft include non-profits (11%), municipalities (10%) and labor unions (9%). Groups in the financial services, real estate and construction, and non-profit sectors had the greatest total number of cases in the Hiscox study, while retail entities and the healthcare industry suffered the largest median losses.

For more of the report’s insight on specific industries, check out the infographic below:

Hiscox Embezzlement Watchlist Targeted Industries


NEW YORK—Yesterday, Travelers hosted “Hacked: The Implications of a Cyber Breach,” a panel of the insurer’s top experts and outside consultants drilling down into the realities of the cyber threat.

According to Travelers’ brand new 2015 Business Risk Index, cybersecurity rose from the #5 threat in 2014 to the #2 threat perceived by business leaders, with 55% most concerned about malicious and criminal attacks.

In an exercise to show just how valid that concern it is, panelists Kurt Oestreicher, a member of the cyber fraud investigative services team at Travelers, and Chris Hauser, former Silicon Valley FBI agent and current member of the cyber fraud investigative services team at Travelers, successfully carried out a live hack. Using a fake website created for this demonstration, the experts staged an SQL injection attack—the same kind of attack as Heartbleed, these are still responsible for 97% of breaches. Using an open-source penetration testing program that Hauser described as “point and click hacking,” they easily found a way to tunnel into the site’s SQL database. The process of scanning for vulnerabilities and acting on a known exploit—in other words, conducting the actual, successful “hack”—took about two minutes, including the time Hauser spent talking the audience through the process.

The program used to conduct this hack was free, and the number of resources readily available for free or very low cost means that more everyday businesses will become victims as malicious actors face very few obstacles to attempt a hack. “As tools and techniques like this become more common, it becomes far easier to target small- and medium-sized businesses and that exposure increases, especially because there are such low costs up front,” said Oestreicher.

Every day in the United States, 34,529 of these known computer security incidents take place. Yet many go undetected, and a lot are willfully unreported. While larger breaches impact more records, the preponderance of breaches strike Main Street businesses, not Wall Street corporations. In fact, of those that are identified and reported, 62% of breaches impact small and medium-sized businesses, Travelers found. Increased awareness among this group has yet to translate into increased coverage, however. According to a survey by Software Advice, insurance penetration among this group hovers at just over 2%, a trend Mullen has seen in the field as well. “Only about 10% of those who should have that coverage actually do,” he said.

According to data from NetDiligence, those incidents that are covered by insurance break down as follows:

NetDiligence Cyberinsurance Claims by Business Sector

NetDiligence Cyberinsurance Claims by Data Type

With hefty fines, costly investigation and notification requirements, and possible lawsuits and class actions, the true costs rapidly spiral. According to Mark Greisiger, president of data breach crisis services and security practices company NetDiligence, the average cost of a breach is $733,000 for SMBs—before any possible lawsuits or fines. Per record, the cost ranges from 1 cent to $1,000, based on the type of information contained. The average legal settlement after such breaches is currently about $550,000. Yet these numbers primarily reflect incidents where insurance was in place. Without the trusted vendor agreements, for example, retaining forensic investigation services in the midst of a crisis can be up to three times higher, he reported.

Recovering from these incidents varies wildly by the type of records exposed, and the resources available to aid in the effort. “It’s a wild pain in the butt with insurance,” said breach coach John Mullen, a managing partner of the Philadelphia Regional Office and chair of the U.S. Data Privacy and Network Security Group at Lewis Brisbois Brisgaad & Smith. “Without insurance, it’s a small- and medium-sized business killer. The Main Street story is a $2 million bill and no business.”

In the 2015 Business Risk Index, Travelers also shared a more detailed view of preparedness among specific industries:

Business Risk Index Cyber Preparedness


For CEOs, who naturally favor “pro-growth,” low-tax states, southern states present an undeniable bastion for business, according to Chief Executive magazine’s 2015 “Best and Worst States for Business” survey.

In this year’s survey, Texas remained the best state for business for the 11th year in row, followed by Florida, North Carolina, Tennessee and Georgia. Since the recession began in December 2007, 1.2 million net jobs have been created in Texas, while 700,000 net jobs were created in the other 49 states combined, the magazine reported. This job creation contributed toward unemployment rates 1% lower than the national average, an advantage rounded out by extremely favorable taxation and regulation, strong workforce quality, and very good marks for living environment.

Despite notably low unemployment, two of the greatest hubs for business drew particularly unfavorable marks from CEOs: California ranked last in the survey, preceded by New York. Illinois, New Jersey and Massachusetts completed the bottom five. CEOs gave these states the lowest ratings because of their high tax rates and regulatory environments. One CEO told the magazine, “The good states ask what they can do for you; the bad states ask what they can get from you.”

Compared to the 2014 rankings, Idaho has made the largest improvement, rising 10 spots to number 18, primarily due to high growth rates in GDP, while South Dakota dropped eight places, “even though quality-of-life attractions enhance the state’s low-tax bona fides,” the magazine reported.

Check out the full rankings below:

Best States for Business rankings



An Amtrak train that derailed on May 12, traveling more than 100 miles per hour on a known dangerous curve, has an unfortunate similarity to the Spuyten Dyvil crash in December 2013. In that incident, a Metro North train traveling at 82 miles per hour derailed on a treacherous curve, traveling at nearly three times the allowed speed.

Four passengers died in the Spuyten Dyvil derailment. Operator fatigue was deemed to be the cause for that accident. This most recent crash killed at least eight people and eight are listed in critical condition. In both cases, National Transportation Safety Board (NTSB) experts contend that a safety measure called “positive train control” (PTC) could have prevented the disasters.

Robert Sumwalt, a member of the NTSB, explained during a press conference on Wednesday that Amtrak already has a system in place called the Advanced Civil Speed Enforcement System (ACES), which is installed throughout most of the Northeast Corridor. “However, it is not installed where the accident occurred,” Sumwalt said. “That type of a system, we call it a positive train control system, is designed to enforce the civil speed, to keep the train below its maximum speed. We have called for positive train control for many years, it’s on our most wanted list. Congress has mandated that it be installed by the end of this year.”

Sumwalt continued, “Based on what we know right now, we feel that, had such a system been installed in this section of track, this accident would not have occurred.”

He said that a thorough walk-through of the accident site was conducted yesterday and that investigators will be looking into the track, the train control signal system and the operations of the train. “Our mission is to not only find out what happened, but why it happened to prevent it from happening again,” he said.

The looming question is why this safety measure was not in place, even though PTC has been called for since a collision in Chatsworth, California killed 25 people. The Rail Safety Improvement Act of 2008 mandates that PTC for passenger and freight trains be operational by the end of 2015. But because of high costs and the complexity of the system, Congress has been considering an extension until 2020.

According to the NTSB website:

In the aftermath of the Chatsworth tragedy, Congress enacted the Rail Safety Improvement Act of 2008. The Act requires each Class 1 rail carrier and each provider of regularly-scheduled intercity or commuter rail passenger service to implement a PTC system by Dec. 31, 2015. Progress is being made toward this lifesaving goal. Metrolink became the first commuter rail system to implement PTC, when it began a revenue service demonstration on the BNSF Railway. This demonstration project is a step in the right direction, and Metrolink reports it will implement PTC fully throughout its entire system before the Congressionally-mandated deadline.

It has been more than 45 years since the NTSB first recommended the forerunner to PTC. In the meantime, more PTC-preventable collisions and derailments occur, more lives are lost, and more people sustain injuries that change their lives forever.

Yet there is still doubt when PTC systems will be implemented nationwide as required by law.

Each death, each injury, and each accident that PTC could have prevented, testifies to the vital importance of implementing PTC now.