Sponsored Content by Nationwide

Cyber Thieves Are Robbing You in New Ways. Will Your Insurance Provide Protection?

Social engineering, phishing and crypto-currency burglary all represent evolving methods of theft that challenge traditional crime and cyber policies.
June 26, 2018 • 6 min read

Theft is not a new threat. But it is taking on new forms in an increasingly digital world.

Cyber thieves can infiltrate organizations and execute fraud in any number of ways — through a phony email or phone call, a corrupted link, or by targeting vulnerable digital currency, to name just a few.

Businesses are reporting more security breaches and incidents of cyber fraud than ever before. According to Kroll’s 2018 Global Fraud and Risk Report, 84 percent of surveyed executives reported that their company experienced at least one instance of fraud in the previous year, while 86 percent also said their company experienced a cyber attack involving data theft.

Both of those percentages represent all-time highs.

As the frequency and nature of these incidents increase and evolve in complexity, creating insurance solutions to help companies recoup their losses resulting from the ever-changing nature of the risk is an industry-wide challenge.

“Crime insurance traditionally would cover the direct loss of funds or property resulting from theft. Cyber liability insurance would take on the indirect consequential loss to a third party,” said James Kardaras, Underwriting Director, Crime and Fidelity, Nationwide. “What they have in common is the use of a computer for illicit purposes, but there remain gaps and gray areas where much of cyber-related risk remains uninsured.”

Stand-alone cyber policies and traditional crime and fidelity policies alike traditionally did not protect against losses incurred by an employee willingly transferring funds to a fraudulent account, even if that employee was duped by hackers. The emergence of crypto-currency like bitcoin makes matters more complicated, since regulators and insurers are not sure how to qualify or quantify its value.

Social engineering, phishing, and theft of crypto-currency all represent evolving methods of theft that muddle the traditional definitions of fraud and challenge traditional notions of how crime and cyber policies will respond to such losses.

Sophisticated Social Engineering

Social engineering fraud, also known as business email compromise, is often a focused and well-planned attack. In this case, the thief impersonates either a senior official within the target company, a vendor or a customer, emulating their style of speech from behind a fake email account.

In the phony email, the impersonator directs an employee to send valuable data or to wire a sum of money to an external account.

“Employees want to do well, either by pleasing the boss or pleasing the customer, and if the email conveys a sense of urgency, the employee may be more likely to bypass typical verification protocols to complete the request. By the time the mistake is uncovered, it’s usually too late to stop the transaction or even trace where the data or the funds have gone,” Kardaras said.

Today, social engineering schemes have evolved to include the fraudulent transfer of tangible property, wherein the perpetrator, posing perhaps as a sales executive attending a conference, asks an employee to send or reroute a shipment of goods to the show site or a nearby hotel. The thieves then intercept the shipment and make off with the goods.

“If an employee willfully completes these requests, a traditional crime and fidelity policy would not recognize this as theft and wouldn’t provide coverage,” Kardaras said. “Cyber policies would likely not respond either, since there has been no breach of the company’s network.”

Financial Phishing

Like social engineering, phishing schemes involve scammers posing as trustworthy third parties — typically a bank. But rather than inducing an internal employee to transfer funds or data, phishing emails lure recipients to click on a corrupted link under the guise that they need to update or verify their user information.

These links have served as vehicles to infect companies’ networks with malware or ransomware, but increasingly they redirect employees to copycat websites where they enter private information like company account numbers, which are then used to access funds directly.

“Financial phishing, which seeks a more direct and immediate payout, now accounts for more than 50 percent of all phishing attacks,” Kardaras said.

Attacks specifically targeting the financial institutions themselves are also becoming more common. Malevolent links sent via a phishing email can help hackers gain access to an employee’s systems.

“This technology enables hackers to gain remote access to employees’ computer terminals at banks, follow their movements, and track what type and what volume of transfers they conduct each day,” Kardaras said. “They can then mimic those actions to make fraudulent transfers into their own accounts, but of a volume and size small enough not to raise any red flags.”

Crime insurance could potentially respond to protect insureds from these losses, if the risks are identified, underwritten to, and the policy wording is drafted accordingly. One problem is that many victims don’t register the fraud until it becomes significant. It is estimated that banks across Europe and the U.S. have lost hundreds of millions through these unauthorized transfers.

Crypto-Currency Theft

The emergence of bitcoin and other virtual currency makes recovering from cyber theft even more complicated. Crime and fidelity policies will typically cover the loss of money, securities or property, but virtual currency does not fall within traditional definitions under these insurance policies.

“If an organization using these virtual currencies suffers a loss of virtual currency, depending on the policy’s definitions, it is possible that such a loss would not be covered if it is not included within the policy’s definitions of money, securities or property,” Kardaras said.

Additionally, the fluctuating value of bitcoin would make it difficult for underwriters to evaluate the risk associated with a bitcoin store, and to determine exactly how much a claim is worth in the event bitcoin is stolen. Nonetheless, it is estimated that more than $1 billion worth of virtual currency has been stolen over the past decade.

As bitcoin grows more legitimate and widespread, so likely will the corresponding risk of crypto-currency theft.

Bridging the Shortfall of Coverage Solutions

Traditional crime and fidelity policies were crafted by the Surety and Fidelity Association of America in the 1990s, and much of their language has not been updated to reflect modern-day risks.

Various carriers have attempted to address and clarify the gray areas in crime and cyber coverage via exclusionary or enhancement endorsements attached to the policy. A cyber policy may typically exclude, for example, losses incurred via fraudulent funds transfer stemming from a social engineering scam. Similarly, traditional crime policies may explicitly exclude any coverage for digital currencies.

These new endorsements and policy wording providing affirmative coverage for these evolving risks seek to seal the gaps and eliminate the confusion emanating from the complex and rapidly-developing cyber exposures.

“For commercial firms, Nationwide may offer protection for fraudulently-induced funds transfers resulting from social engineering scenarios where such losses would not be picked up by traditional policies,” Kardaras said.

“For financial institutions, we offer a separate, computer crime policy form updated with language that may protect businesses from email compromise as well as any unauthorized access to company funds resulting from a virus or malware. Protection for crypto currency losses is underwritten on a case-by-case basis.”

In recognition of the complexity and challenges that the growing cyber-theft landscape presents, Nationwide’s fidelity and cyber liability teams work together to offer insureds complementary coverage.

“We don’t work in silos,” Kardaras said. “We work hand in hand to offer coverage that meets the spectrum of our customers’ needs, from first-party crime to computer fraud and third-party liability and everything in between.”

To learn more, visit https://mls.nationwideexcessandsurplus.com/fs/products/commercial-crime/.

This article was produced by the R&I Brand Studio, a unit of the advertising department of Risk & Insurance, in collaboration with Nationwide. The editorial staff of Risk & Insurance had no role in its preparation.




Nationwide, a Fortune 100 company, is one of the largest and strongest diversified insurance and financial services organizations in the U.S. and is rated A+ by both A.M. Best and Standard & Poor’s.

2018 Risk All Stars

Stop Mitigating Risk. Start Conquering It Like These 2018 Risk All Stars

The concept of risk mastery and ownership, as displayed by the 2018 Risk All Stars, includes not simply seeking to control outcomes but taking full responsibility for them.
September 14, 2018 • 3 min read

People talk a lot about how risk managers can get a seat at the table. The discussion implies that the risk manager is an outsider, striving to get the ear or the attention of an insider, the CEO or CFO.

But there are risk managers who go about things in a different way. And the 2018 Risk All Stars are prime examples of that.

These risk managers put in gear their passion, creativity and perseverance to become masters of a situation, pushing aside any notion that they are anything other than key players.

Goodyear’s Craig Melnick had only been with the global tire maker a few months when Hurricane Harvey dumped a record amount of rainfall on Houston.

Brilliant communication between Melnick and his new teammates gave him timely and valuable updates on the condition of manufacturing locations. Melnick remained in Akron, mastering the situation by moving inventory out of the storm’s path and making sure remediation crews were lined up ahead of time to give Goodyear its best leg up once the storm passed and the flood waters receded.

Goodyear’s resiliency in the face of the storm gave it credibility when it went to the insurance markets later that year for renewals. And here is where we hear a key phrase, produced by Kevin Garvey, one of Goodyear’s brokers at Aon.

“The markets always appreciate a risk manager who demonstrates ownership,” Garvey said, in what may be something of an understatement.

Dianne Howard, a 2018 Risk All Star and the director of benefits and risk management for the Palm Beach County School District, achieved ownership of $50 million in property storm exposures for the district.

With FEMA saying it wouldn’t pay again for district storm losses it had already paid for, Howard went to the London markets and was successful in getting coverage. She also hammered out a deal in London that would partially reimburse the district if it suffered a mass shooting and needed to demolish a building, like what happened at Sandy Hook in Connecticut.

2018 Risk All Star Jim Cunningham was well-versed enough to know what traditional risk management theories would say when hospitality workers were suffering too many kitchen cuts. “Put a cut-prevention plan in place,” is the traditional wisdom.

But Cunningham, the vice president of risk management for the gaming company Pinnacle Entertainment, wasn’t satisfied with what looked to him like a Band-Aid approach.

Instead, he used predictive analytics, depending on his own team to assemble company-specific data, to determine which safety measures should be used company wide. The result? Claims frequency at the company dropped 60 percent in the first year of his program.

Alumine Bellone, a 2018 Risk All Star and the vice president of risk management for Ardent Health Services, faced an overwhelming task: Create a uniform risk management program when her hospital group grew from 14 hospitals in three states to 31 hospitals in seven.

Bellone owned the situation by visiting each facility right before the acquisition and again right after, to make sure each caregiving population was ready to integrate into a standardized risk management system.

After consolidating insurance policies, Bellone achieved $893,000 in synergies.

In each of these cases, and in more on the following pages, we see examples of risk managers who weren’t just knocking on the door; they were owning the room.

____________________

Risk All Stars stand out from their peers by overcoming challenges through exceptional problem solving, creativity, clarity of vision and passion.

See the complete list of 2018 Risk All Stars.

Dan Reynolds is editor-in-chief of Risk & Insurance. He can be reached at [email protected]