Jeff Gelles: Fighting cybercrime at small companies

Bucks County chiropractor Kevin Kita isn't quite sure how his bank account was compromised. All he knows is that both incidents, including a $12,000 theft last year, left his practice reeling for a month while the cybercrime was investigated. He could deposit but not withdraw money or pay bills - not with what appeared to be a large negative balance.

Ann Talbot, chief financial officer for a California general contractor, has a few more details about how her business was hit - perhaps because fingers briefly pointed her way after the first of two thefts, in which cyberthieves wired $100,000 to a Philippines bank. They had somehow hacked Talbot's bank login and password.

Kita and Talbot both count themselves lucky. TD Bank eventually restored Kita's losses, and Talbot's company recovered all but $29,000. But both stories illustrate the particular risks of cybercrime to businesses - a risk that Exton entrepreneur Marc Kramer aims to address through his new company, Radnor's Commercial Deposit Insurance Agency.

Kramer, 52, has started businesses before, and is the man behind Philadelphia's annual Angel Venture Fair. Where others see marketplace or regulatory failures, he sees opportunities, and that's what he saw in small business' large risks from cybercriminals' ability to suddenly loot a bank account.

Kramer's company opened last month after about two years of planning. Cofounded with retired insurance executive Dick Peterson, it markets policies designed to protect small businesses against cybercrime.

Why might you need such a policy? Kramer got the idea when he discovered something that people like Kita and Talbot have learned the hard way: Federal laws and regulations offer protections to consumers that aren't available when cybercriminals hit businesses.

To ease the transition to electronic banking, lawmakers long ago gave consumers special protections from fraudulent electronic transactions. If you pay regular attention to your bank statements, and keep close track of "access devices" such as debit cards, your losses are generally limited to $50 or, in the worst case, $500.

Big businesses have responded to the epidemic of cybercrime by adopting increasingly sophisticated antifraud systems, and can buy cybercrime insurance policies or riders to protect against risks.

But small businesses are stuck betwixt and between - without consumer-style protections, sophisticated systems, or broad insurance coverage. At a hearing last month, U.S. Rep. Chris Collins (R., N.Y.) said a recent study showed that "nearly 60 percent of small businesses will close within six months of a cyber-attack."

That's where CDIA comes in. Kramer calls its policies, offering up to $50,000 in protection for $178 a year, "an inexpensive, private-market solution" to a problem that can come out of the blue.

Talbot, for instance, suspects cyberthieves stole her company's bank logins and passwords thanks to "keylogger" programs, probably delivered via a virus when employees used company computers to explore social media.

In response, the company has turned more vigilant. For instance, it uses only dedicated computers to access bank accounts. Talbot calls that the "number-one easiest, fastest and cheapest way" to dodge keylogger risks.

Talbot's firm is also now covered by a broad cybercrime insurance policy with another company, which covered most of its second cybercrime incident - a $126,600 theft.

Kramer says his company is starting small, in part because the insurer underwriting its policies, XL Group P.L.C., wants to proceed gingerly. But his research convinced him that small businesses need protection - in part, because banks have made it clear they'll fight rather than cover sizable losses.

"Here's what I heard from banks," Kramer says. "If it's a few thousand dollars, we'll cover it. If it's $10,000, we'll split it. After that, they're on their own, because we don't have an obligation to fix it."