Legal and Ethics
An organization should have a process for developing new policies and procedures that support preventing, detecting, and responding to an insider threat. The organization should also have a process for periodically reviewing existing policies and procedures. Such policies should form the basis for employee screening, monitoring, discipline, termination, and legal action regarding insider activity.
Without defined insider threat policies and procedures, it can be difficult to discipline, terminate, or prosecute employees who engage in insider threat activity. To be effective, defined policies and procedures must be routinely and consistently enforced. In most cases, the organization must also communicate these policies to employees.
<p>Insider Threat policy requirements:</p>
- Pervasive system of checks and balances
- Clear guidelines for acceptable use
- Ongoing monitoring
- Protocols for threat information sharing
- Defined intellectual property ownership guidelines
- Documented employee conduct and performance standards
- Documented policies for employee management during restructuring
- Documented procedures for employee screening/onboarding/separation
- Established protocols for reporting and responding to employee grievances
An employee was employed as president and manager of the victim organization, a financial institution, for 17 years. For at least 15 years, the employee embezzled funds from the victim organization. As a function of her job, the employee had access to and could internally control loans and check writing. The employee misused this access to write multiple checks to herself, including checks written as “add-ons” to existing loans belonging to others without their knowledge or consent, checks posted as “share withdrawals” from other member accounts, and internal checks from other member’s accounts. To conceal the activity, the employee created fraudulent teller entries and also purposefully failed to post many of the checks written to herself to the organization’s records.
The employee used multiple accounts to perpetrate the fraud, including the accounts of family members, a non-profit, and another organization. The employee was able to embezzle money from the non-profit account because she was a board member of the non-profit and had sole signatory authority at the financial institution.
The employee refinanced her mother-in-law’s existing vehicle loan several times and kept the extra funds. She did this by making unauthorized advances for a new loan, which she then rolled into her mother-in-law’s existing loan. There were no loan documents to support any of the loans made or modified, only the canceled checks evidenced the loan advances.
The incident was detected after the organization performed a forensic audit of its financial records, which revealed detailed spread sheets and bond claims that evidenced the employee’s illegal transactions. One month after the incident was discovered, the employee resigned, citing health problems.
The U.S. Attorney’s Office declined to prosecute the employee, in lieu of local charges. However, local charges were never brought against the employee because she was gravely ill at the time. The employee admitted to defrauding her mother-in-law, but denied responsibility for the other fraudulent activities. The employee, who filed for bankruptcy after the incident, made an agreement with the financial institution to pay $355 a month toward the money stolen from her mother-in-law, approximately $22,000.
- A policy supporting appropriate checks and balances would prevent a single employee from having the ability to carry out such long-term fraud and abuse.
- An appropriate employee monitoring process, that applies to all employees, would allow a financial institution to potentially identify unusual or inappropriate transaction activity early.
- A policy on when to initiate an internal investigation and/or involve law enforcement supports the proper collection and preservation of critical evidence for use in follow on disciplinary or legal proceedings.
- Engaging your legal team early in the process of creating or refining of your insider threat program policies can go a long way to protecting your company from undetected and long-term fraud and theft.