The Sport of Stealing
From coast to coast and from small towns to major metroplexes, fraud and embezzlement are happening within American amateur youth sports leagues.
The Center for Fraud Prevention (CFP) estimates that since 2011 there have been hundreds of arrests and convictions in 43 states involving 15 sports.
About $2 million has been reported stolen or embezzled from 37 Little League teams alone since 2009, according to an article in Vice Sports.
What makes these organizations uniquely vulnerable to crime?
The CFP, which helps youth sports associations fight theft and embezzlement, said there are several key factors: Community members are volunteers, many organizations lack formal structures and there is a tendency to trust the people managing the leagues.
And with the flow of cash from membership fees to fund-raising events, theft is often inevitable.
The good news is that coverages are available to deal with losses, according to John M. Sadler, president of Sadler Sports and Recreation Insurance, in Columbia, S.C., which works with more than 9,500 local and 30 national sports organizations through various special programs.
“Crime insurance is the most important coverage for an amateur sports league to protect against internal theft, which may take the form of embezzlement from bank accounts, unauthorized personal charges on credit cards, theft of equipment, and skimming gate admission payments,” he said.
Formerly known as a fidelity bond, crime insurance is typically a “modular policy” consisting of employee dishonesty, forgery and alteration, and theft of money and securities. The coverage can also include computer fraud and electronic funds transfer fraud, he said.
“The employee dishonesty coverage part is most applicable to internal theft,” Sadler said.
Dario J. Nalli, director, executive lines, Burns & Wilcox, said amateur sports leagues should also consider purchasing directors and officers (D&O) coverage, in addition to a commercial crime policy.
Commercial crime insurance protects the entity against theft of either money or property by employees, including forgery of checks for their own purposes or misuse of a company credit card to purchase personal gifts, he said.
“For any of these organizations, having a commercial crime policy would be key,” Nalli said, noting that it can be pretty inexpensive, with limits offered as low as $100,000. Smaller organizations that need smaller limits may opt for a business owners policy (BOP) with additional endorsements for crime and employment practices liability coverage.
D&O insurance, of course, protects an organization’s management should a theft or embezzlement happen.
“No matter the type of organization, if you sit on a board or have management responsibility, you could be liable for decisions made in that role,” he said.
That means a member of the board for a school or athletics organization is responsible for the organization’s assets and funds, and can be accused of mismanagement and potentially face liability should a theft occur.
“Whether or not the claim has any grounds, the individual and organization would still have to defend themselves in court,” Nalli said. “D&O policies provide the much needed defense cost coverage that can bail out a nonprofit organization from using their own assets or an individual from using their own assets.”
If a youth sports treasurer, for example, stole money over the course of years from an organization, a D&O policy would cover defense costs for those in management roles who were unaware of the theft while the commercial crime policy would cover the stolen funds.
Leagues should also consider policies that would provide coverage for volunteers; non-compensated officers; specified directors, trustees and committee members; partners; and service providers, he said.
Because sports leagues have high turnover, Sadler said blanket employee coverage might be better than specifically naming insureds.
To prevent such incidents from occurring, however, Sadler said amateur sports organizations should:
- Create a separation of duties so that no single person has control over any one process or audit procedure.
- Understand that organizations run by a close group of long-time staff members who have built up a great deal of trust among one another are fertile grounds for insider theft.
- Require a counter-signature on all checks or on checks over a certain amount.
- The person who reconciles the bank account should not be authorized to deposit or withdraw.
- If credit cards or debit cards are used, authorized users should not be tasked with reviewing the monthly statements (another officer should take over these duties).
- Keep detailed inventory records of all equipment and require a log to be maintained when equipment is assigned or checked out.
- Create an audit committee to review all financial records, account statements, and to take an inventory of all equipment.
- Collect checks instead of cash during fund-raisers.
Burns & Wilcox’s Nalli said it’s critical to ensure that the right policies and procedures are in place, with checks and balances to mitigate any theft from employees or volunteers in the organization.
“If there are no checks and balances, it makes it easy to write fraudulent checks,” he said. “Make sure all policies are written down and become part of the bylaws.”
Also, since many amateur sports leagues are volunteer-based, it’s smart to ensure that volunteers are not able to access or handle cash, he said.
“If there are employees, it’s a good idea to do background checks on anyone handling money,” Nalli said.
“Also, larger organizations should seek legal counsel to make sure bylaws and policies and procedures are well-written.”
The New Wolves of Wall Street
Cyber security measures advanced by leaps and bounds over the past decade. Unfortunately, cyber criminals sharpened their game even more.
As it gets tougher each day to slip in through back doors, hackers turned their talents toward carving out side windows. They adapted, developing new business models and finding smarter ways to profit off of the backs of organizations.
Credit card information, personally identifiable information and protected health information are all still in demand, but they’re no longer the only treasures that cyber criminals are after.
They want your trade secrets. They want your intellectual property. They want to eavesdrop on your most sensitive financial activities so they can leverage that information on the stock market — shorting stock, investing in stock, timing stock to their advantage.
The cyber security challenge is intense, because it’s hard to get a handle on. These crimes are being perpetrated by various groups of actors with different motivations. They’re being executed using a broad array of techniques that include any combination of malware, phishing and social engineering.
They could be coming at you from anywhere in the world. And it’s not even necessarily your systems that are being attacked directly. It could be your vendors, your partners — any organization that has a connection to your confidential information.
Last August, the SEC filed charges in a fraud scheme involving two Ukrainian hackers who broke into multiple newswire services to steal unreleased corporate earnings announcements. The hackers shared the information with 30 people who traded on it, generating more than $100 million in illegal profits.
The following November, federal prosecutors disclosed the existence of a sizable worldwide hacking scheme, involving more than 100 people in a dozen countries.
Among the other offenses listed in the 68-page indictment, the crime ring orchestrated elaborate pump-and-dump stock schemes and traded on stolen corporate information, pocketing hundreds of millions along the way.
“It is no longer hacking merely for a quick payout,” U.S. Attorney Preet Bharara said in announcing the indictment.
“It is hacking as a business model.”
M&As Increase Vulnerabilities
The rise of worldwide M&A activity turned the stock market into a profitable playground for hackers — those working for either side of the transaction or outside parties looking for a way to profit illegally from the transaction.
2015 was a record-breaking year for M&As, topping $5 trillion in volume globally for the first time. Half of the targeted companies were based in the U.S.
2016 is expected to see a continued high level of activity. That leaves plenty of opportunities for illegal gains.
“You can disrupt an M&A a lot of different ways,” said Bill Sweeney, chief technology officer at BAE Systems Applied Intelligence.
“One way is you can publicize that it’s going on sooner than people would like.
“M&A is a very sensitive topic because it’s very price dependent. Companies will walk away from deals because they can’t narrow the gap between $25 and $30 dollars a share.
“If outsiders are aware of the negotiations going on, they can put upward pressure on the stock. So when somebody thought they were going to be getting a 25 percent premium [against their stock], but now because of the upward pressure, they’re only getting a 15 percent, why would they sell?”
During a “Cyber Security: The Achilles Heel of M&A Due Diligence” webinar in April, Brian Finch, a partner with Pillsbury Winthrop Shaw Pittman LLP, outlined the recent case of a company that was courted by international suitors.
The company was certain that it was healthy, but repeated audits showed it operated at a loss. An investigation revealed that the company was under attack, with hackers corrupting information to decrease the value of the company.
When the company value bottomed out, a foreign investor swooped in with a lowball offer.
Even if hackers don’t outright alter the data, they’re still finding ways to leverage it.
“We’ve seen China-based groups … compromising companies across various industries, stealing information that would give them insight into what the best price for the company might be,” said Will Glass, threat intelligence analyst at FireEye.
“We’ve seen groups that are sponsored by nation states — or that we believe are sponsored by nation states — conducting activity leading up to and even during mergers and acquisitions.”
One high-profile case traced to China was the attempted $40-billion takeover of Canada’s Potash Corp. by Australian natural resources company BHP Billiton.
While the deal fell through for apparently unrelated reasons, an investigation revealed that a Chinese effort to derail the deal involved attacks on seven law firms, as well as Canada’s Finance Ministry and the Treasury Board.
Those third-party attacks are an area of serious concern in terms of intellectual property and M&As, said Kevin Kalinich, global practice leader, cyber/network risk, Aon Risk Solutions.
“The accounting firms and financial advisers are above average in IT security and protection of confidential information,” he said.
“But law firms, surprisingly enough, are below average.”
The Human Element
What’s complicating matters from a risk management standpoint is that attacks take various forms and are typically multi-layered. Spearphishing and social engineering often play a major role because they are consistently successful, despite companies’ attempts to alert employees to the dangers.
“The way of the hacker has always been to go after the industry or the exposure where there’s the lowest hanging fruit,” said Toby Merrill, leader of Chubb’s global cyber risk practice.
And in many companies, that means employees. Even a staffer savvy enough to question a wire transfer request might still be duped by a login scheme that looks innocuous or seems relevant to his job.
“What’s happening is that hackers are spoofing emails,” said Sweeney.
“They’re spoofing CFOs and they’re spoofing other C-level executives and pretending to be either a consultant or part of the review process … trying to extract that sensitive information by [sending] an email that looks like it’s from the CEO, that says, ‘Hey what’s the latest on our deal with company X?’ And the guy [replies] but it’s not going to the CEO; it’s going to the guy who spoofed it.”
It’s not easy to spot spoofed email, he added.
“It looks like an email from your company, with your header. It looks like it’s from your domain. It’s only if you open it up and look at the source code that you can see what’s being shown is not the actual domain it’s coming from and if you hit reply it’s going to go to somewhere else.”
It also works because it’s not random. Hackers do their homework and understand how their targets operate. They know when to send emails and who to send them to, and what internal procedures are in place so that they can get around them.
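The header check Sweeney describes can be automated. The following is an added example, not part of the original article: it compares the domain shown in From with the Reply-To and Return-Path domains of a raw message. The sample messages and the corp.example and .invalid domains are constructed for illustration, and the subdomain rule is a simplified stand-in for DMARC-style alignment.

```python
from email import message_from_string
from email.utils import parseaddr


def domain_of(header_value):
    """Lower-cased domain of the address in a header value, or ''."""
    _, addr = parseaddr(header_value or "")
    return addr.rpartition("@")[2].lower() if "@" in addr else ""


def aligned(domain, reference):
    """True if domain equals reference or is a subdomain of it.

    Simplification: real DMARC alignment uses the organizational domain
    from the public suffix list; this only handles direct subdomains.
    """
    return domain == reference or domain.endswith("." + reference)


def spoof_indicators(raw_message):
    """List the ways the visible sender disagrees with the other headers."""
    msg = message_from_string(raw_message)
    shown = domain_of(msg.get("From"))          # what the reader sees
    reply_to = domain_of(msg.get("Reply-To"))   # where "reply" would go
    envelope = domain_of(msg.get("Return-Path"))  # envelope sender

    if not shown:
        return ["missing-from"]

    findings = []
    if reply_to and not aligned(reply_to, shown):
        findings.append(f"reply-to:{reply_to}")
    if envelope and not aligned(envelope, shown):
        findings.append(f"return-path:{envelope}")
    return findings


# Constructed sample: From shows the company domain, but replies and
# bounces go to unrelated domains.
SPOOFED = (
    "Return-Path: <bounce@mailer.invalid>\n"
    "From: Jane Doe <jane.doe@corp.example>\n"
    "Reply-To: Jane Doe <jane.doe@corp-example.invalid>\n"
    "To: finance@corp.example\n"
    "Subject: Latest on the deal?\n"
    "\n"
    "What's the latest on our deal with company X?\n"
)

# Constructed sample: same visible sender, headers consistent with it.
LEGIT = (
    "Return-Path: <bounces@mail.corp.example>\n"
    "From: Jane Doe <jane.doe@corp.example>\n"
    "To: finance@corp.example\n"
    "Subject: Board agenda\n"
    "\n"
    "Agenda attached.\n"
)

if __name__ == "__main__":
    for label, raw in (("spoofed", SPOOFED), ("legit", LEGIT)):
        print(label, spoof_indicators(raw))
```

A mismatch is a signal for review rather than proof of fraud, since mailing lists and third-party mail services can legitimately use a different Return-Path domain.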
FIN4, a large cyber crime ring tracked extensively by FireEye, was so good at duping people that it didn’t even bother using malware.
It focused on capturing usernames and passwords to email accounts. FIN4 would craft convincing phishing lures, most often sent from other victims’ email accounts and through hijacked email threads.
According to FireEye’s Glass, the group would “send an email to someone in a target company and it would say, ‘Hey check out this financial investment forum — there’s some guy on here badmouthing the company. You might want to take a look.’ ”
Hackers set it up so that when the link was clicked, it would request their email login and password in order to view the content. The hackers could then take those login credentials and continue their campaign, both within the organization and laterally to external organizations.
It’s worth noting that risk management is directly in the crosshairs for this kind of attack.
C-suite executives, legal counsel and anyone involved in the risk, regulatory or compliance functions of a company are prime targets. If you have any connection to sensitive information, they’re looking for a way to get their hands on it.
And experts say that such attacks have successfully snared some risk managers, CTOs and CFOs.
There is plenty that still needs sorting out in terms of the coverage options available to insure against such losses. The toughest pill to swallow, said Kalinich, is that the loss of value is not covered by cyber insurance, nor is it covered by any other type of insurance.
“That’s a really important factor,” he said.
“The actual value of a trade secret, the actual value of a patent, the actual value of intellectual property, is not covered. [In the case of an M&A loss,] not even a crime policy would cover that.”
A D&O policy might be triggered if the stock dropped following a failed M&A, but a company would be challenged to relate the event to a cyber hack, or to quantify the impact of the hack on the failed transaction, experts said.
Still, said Kalinich, there are certainly losses that could be covered by cyber insurance, especially if an attack were to result in business interruption, or if it caused damage to the system that required remediation, or forensic investigation.
Culture of Awareness
At a minimum, any company engaging in mergers or acquisitions activity should separate that information from the rest of the corporate environment, said experts. M&A activity should have a segmented network and a dedicated file server, and all documents should be encrypted.
BAE’s Sweeney also recommended that related communications with people outside of the organization be restricted to a VPN for added security.
Additionally, all third-party involvement should receive a high level of scrutiny.
Said Sweeney, “You’ve got to look at everybody who’s going to have access to the information, and say, ‘When was the last time you had a cyber assessment? How can we make sure that you’re not going to be the conduit through which people find out this information?’
“That’s where people are getting hacked,” he said. “They’re not getting hacked right in the center. They’re getting hacked by the people on the periphery who are trying to do their best.”
Internally, Glass said, it’s a good practice to follow the law of least access — give people access to the information that they need to do their jobs and nothing more. But that’s just a start.
Hackers figured out that humans are easier to crack than code, so comprehensive staff training should be the foundation of a solid cyber security strategy.
Some companies use internal phishing campaigns to help manage the human side of the risk. Employees who are duped and click on bogus links are redirected to a page revealing their mistake and letting them know they’ll be required to do mandatory extra training.
Experts universally agreed that these risks cannot be foisted onto the laps of IT or risk management alone. Boards must be educated and involved, and there must be enterprise-wide collaboration for a company to develop any level of effective defense against cyber espionage.
Make sure you’re speaking the board’s language, said Nick Rossman, senior program manager, threat intelligence with FireEye. “They don’t care about malware, they just want to know what you’re asking them to invest.
“So I think it’s easiest when you have a big scope of data and a partner who can get you a strategy forecast” to help justify decisions about investments, he said.
“In the past, [IT and data systems] were considered kind of a back-office priority, kind of like having enough printer toner or enough chairs,” said FireEye’s Glass.
“It was an enabling function of the company but not really core to the business. Now every company is an IT company whether they realize it or not.
“Maybe Coca-Cola keeps its recipe in a safe somewhere, but everybody else, for the most part, is keeping their information online or in databases or even in the cloud, because the efficiencies that can be derived from that model are so great.
“In order to make sure that those efficiencies continue, we’ve got to make sure that companies are looking at all the risks inherent with putting all of that information online.”
Think You Don’t Need Environmental Insurance?
“I don’t work with hazardous materials.”
“My industry isn’t regulated by the EPA.”
“We have an environmental health and safety team, and a response plan in place.”
“We’ve never had an environmental loss.”
“I have coverage through my other general liability and property policies.”
These are the justifications clients most often give insurers for not procuring environmental insurance. For companies outside of sectors with obvious exposure — oil and gas, manufacturing, transportation — the risk of environmental damage may appear marginal and coverage unnecessary.
“Environmental insurance is not like every other insurance,” said Mary Ann Susavidge, Chief Underwriting Officer, Environmental, XL Catlin. “The exposure is unique for every operation and claims don’t happen often, so many businesses view coverage as a discretionary purchase. But the truth is that no one is immune to environmental liability risk.”
Every business needs to be aware of their environmental exposures. To do that, they need a partner with the experience to help them identify exposures and guide them through the remediation claims process after an incident. The environmental team at XL Catlin has been underwriting these risks for 30 years.
“Insureds might not experience this type of claim every day, but our environmental team does,” said Matt O’Malley, President, North America Environmental, XL Catlin. “We’ve seen what can happen if you’re not prepared.”
Susavidge and O’Malley debunked some of the common myths behind decisions to forego environmental coverage:
Myth: My business is not subject to environmental regulations.
Reality: Other regulators and business partners will require some degree of environmental protection.
Regulatory agencies like OSHA are more diligent than ever about indoor air quality and water systems testing after several outbreaks of Legionnaires disease.
“The regulators often set the trends in environmental claims,” Susavidge said. “In the real estate area it started with testing for radon, and now there’s more concern over mold and legionella.”
Multiple hotels have been forced to shut down after testing revealed legionella in their plumbing or cooling systems. In addition to remediation costs, business interruption losses can climb quickly.
For some industries, environmental insurance acts as a critical business enabler because investors require it. Many real estate developers, for example, are moving into urban areas where their clients want to live and work, but vacant lots are scarce. Those still available may be covering up an urban landfill or a brownfield.
“We’re able to provide expertise on those sites and the development risks so the contractor can get comfortable working on it. It’s about allowing our clients to stay relevant in their markets,” O’Malley said. “In this case, the developer is not an insured with a typical environmental exposure. But if there is a contaminant on the worksite, they could inadvertently disperse it. In a high-population urban area, the impact could be large.”
Banks also quite often require the coverage specifically because developers are turning to these locations with higher potential environmental risk.
“Though it’s not a legal requirement, insurance is a facilitator to the deal that developers really can’t operate without,” Susavidge said.
Myth: The small environmental exposure I have would be covered under other policies.
Reality: Environmental losses can result from exposure to off-site events and are excluded by many property and casualty policies.
Environmental risks on adjoining properties can lead to major third party losses. Vapor intrusion under the foundation of one property, for example, can unknowingly underlie the neighboring properties as well. The vapor intrusion can then seep into the surrounding properties, endangering employees and guests.
In other words, your neighbor’s environmental exposure may become your environmental exposure.
O’Malley described a claim in which a petroleum pipeline burst, affecting properties and natural resources 10 miles downstream even though the pipeline was shut off two minutes after the rupture. The energy company that owns the pipeline might have coverage, but what about the other impacted organizations? Many other property policies exclude environmental damage.
Sometimes the exposure is even more unexpected. In 2005, for example, a train carrying tons of chlorine gas crashed into a parked train set sitting in the yard of Avondale Mills — a South Carolina textile plant. The gas permanently damaged plant equipment and forced the operation to shut down.
“It’s not always obvious when you have an environmental exposure,” Susavidge said.
“When there is a big loss or a pattern of losses, the casualty market will typically move to exclude it,” said O’Malley. “And that’s where the environmental team looks for a solution. Environmental coverage has been developed to fill the gaps that other coverages won’t touch.”
Myth: We already have a thorough response plan if there is an incident.
Reality: Properly handling an environmental event requires experience and expertise.
In addition to coverage, risk managers need experience and expertise on their side when navigating environmental claims.
“For many of our clients, their first environmental claim is a very different experience because the claimant is not always a typical third party – it’s a government agency or some other organization that they lack experience with,” Susavidge said. “Our claims team is made up of attorneys that have specific domain experience litigating environmental claims issues.”
Beyond its legal staff, XL Catlin’s claims consulting team and risk engineers come with specialized expertise in environmental issues. 85 to 90 percent of the team members are former environmental engineers and scientists, civil engineers, chemists, and geologists.
“Handling environmental claims requires specialized expertise with contaminants and different types of pollution events,” O’Malley said. “That’s why our 30 years of experience makes a difference.”
Thirty years in the business also means 30 years of loss data.
“That informs us as a carrier how to provide the right types of services for the right clients,” Susavidge said. “It gives us insight into what our insureds are likely to experience and help us determine what support they need.”
Insureds also benefit from the relationships that XL Catlin has built in the industry over those 30 years. When the XL Catlin team is engaged following a covered pollution event, the XL Catlin claims team can deploy seasoned, experienced third party contractors that partner with the insured to address the spill and the potential reputational risk. And they receive guidance on communicating with regulatory bodies and following proper reporting procedures.
“The value of the policy goes beyond the words that are written,” O’Malley said. “It’s the service we provide to help clients get back on their feet, so they can focus on their business rather than the event itself.”
For more information on XL Catlin’s environmental coverage and services, visit http://xlcatlin.com/insurance/insurance-coverage/casualty-insurance.
The information contained herein is intended for informational purposes only. Insurance coverage in any particular case will depend upon the type of policy in effect, the terms, conditions and exclusions in any such policy, and the facts of each unique situation. No representation is made that any specific insurance coverage would apply in the circumstances outlined herein. Please refer to the individual policy forms for specific coverage details. XL Catlin, the XL Catlin logo and Make Your World Go are trademarks of XL Group Ltd companies. XL Catlin is the global brand used by XL Group Ltd’s (re)insurance subsidiaries. In the US, the insurance companies of XL Group Ltd are: Catlin Indemnity Company, Catlin Insurance Company, Inc., Catlin Specialty Insurance Company, Greenwich Insurance Company, Indian Harbor Insurance Company, XL Insurance America, Inc., and XL Specialty Insurance Company. Not all of the insurers do business in all jurisdictions nor is coverage available in all jurisdictions. Information accurate as of September 2016.
This article was produced by the R&I Brand Studio, a unit of the advertising department of Risk & Insurance, in collaboration with XL Catlin. The editorial staff of Risk & Insurance had no role in its preparation.