In 2010 a company tried to sue their bank for $400,000+ in losses as a result of Cybercrime. The lawsuit was not successful and the company had to eat the loss. Now an appeals court ruling came out that the company may have to pay the bank's legal fees. As these rulings continue to come down the message is resounding that companies are responsible for losses. There will soon be so much case law and precedence set that it will be hard to get a ruling another way. Banks are not responsible since they are simply holding your money, you have control over what happens to it, in the courts eyes.
Some of the Cybercrime theft takes place over years, not days. Slowly trickling money out of a business or person until it finally gets noticed. We all remember the movie Office Space where they were going to siphon off fractions of pennies into an account. When this happens you may certainly be held culpable of the loss as it is viewed that you missed it and therefore at fault too.
Assessments go a long way to help give you some cover. In the event something happens at your company you will need to show you were taking steps to protect yourself.