Cyber Thieves Are Robbing You in New Ways. Will Your Insurance Provide Protection?

Social engineering, phishing and crypto-currency burglary all represent evolving methods of theft that challenge traditional crime and cyber policies.

By: Nationwide® | June 26, 2018

Theft is not a new threat. But it is taking on new forms in an increasingly digital world.

Cyber thieves can infiltrate organizations and execute fraud in any number of ways — through a phony email or phone call, a corrupted link, or by targeting vulnerable digital currency, to name just a few.

Businesses are reporting more security breaches and incidents of cyber fraud than ever before. According to Kroll’s 2018 Global Fraud and Risk Report, 84 percent of surveyed executives reported that their company experienced at least one instance of fraud in the previous year, while 86 percent also said their company experienced a cyber attack involving data theft.

Both of those percentages represent all-time highs.

As the frequency and nature of these incidents increase and evolve in complexity, creating insurance solutions to help companies recoup their losses resulting from the ever-changing nature of the risk is an industry-wide challenge.

“Crime insurance traditionally would cover the direct loss of funds or property resulting from theft. Cyber liability insurance would take on the indirect consequential loss to a third party,” said James Kardaras, Underwriting Director, Crime and Fidelity, Nationwide. “What they have in common is the use of a computer for illicit purposes, but there remain gaps and gray areas where much of cyber-related risk remains uninsured.”

Stand-alone cyber policies and traditional crime and fidelity policies alike traditionally did not protect against losses incurred by an employee willingly transferring funds to a fraudulent account, even if that employee was duped by hackers. The emergence of crypto-currency like bitcoin makes matters more complicated, since regulators and insurers are not sure how to qualify or quantify its value.

Social engineering, phishing, and theft of crypto-currency all represent evolving methods of theft that muddle the traditional definitions of fraud and challenge traditional notions of how crime and cyber policies will respond to such losses.

Sophisticated Social Engineering

James Kardaras, Underwriting Director, Crime and Fidelity

Social engineering fraud, also known as business email compromise, is often a focused and well-planned attack. In this case, the thief impersonates either a senior official within the target company, a vendor or a customer, emulating their style of speech from behind a fake email account.

In the phony email, the impersonator directs an employee to send valuable data or to wire a sum of money to an external account.

“Employees want to do well, either by pleasing the boss or pleasing the customer, and if the email conveys a sense of urgency, the employee may be more likely to bypass typical verification protocols to complete the request. By the time the mistake is uncovered, it’s usually too late to stop the transaction or even trace where the data or the funds have gone,” Kardaras said.

Today, social engineering schemes have evolved to include the fraudulent transfer of tangible property, wherein the perpetrator, posing perhaps as a sales executive attending a conference, asks an employee to send or reroute a shipment of goods to the show site or a nearby hotel. The thieves then intercept the shipment and make off with the goods.

“If an employee willfully completes these requests, a traditional crime and fidelity policy would not recognize this as theft and wouldn’t provide coverage,” Kardaras said. “Cyber policies would likely not respond either, since there has been no breach of the company’s network.”

Financial Phishing

Like social engineering, phishing schemes involve scammers posing as trustworthy third parties — typically a bank. But rather than inducing an internal employee to transfer funds or data, phishing emails lure recipients to click on a corrupted link under the guise that they need to update or verify their user information.

These links have served as vehicles to infect companies’ networks with malware or ransomware, but increasingly they redirect employees to copycat websites where they enter private information like company account numbers, which are then used to access funds directly.

“Financial phishing, which seeks a more direct and immediate payout, now accounts for more than 50 percent of all phishing attacks,” Kardaras said.

Attacks specifically targeting the financial institutions themselves are also becoming more common. Malevolent links sent via a phishing email can help hackers gain access to an employee’s systems.

“This technology enables hackers to gain remote access to employees’ computer terminals at banks, follow their movements, and track what type and what volume of transfers they conduct each day,” Kardaras said. They can then mimic those actions to make fraudulent transfers into their own accounts, but of a volume and size small enough not to raise any red flags.”

Crime insurance could potentially respond to protect insureds from these losses, if the risks are identified, underwritten to, and the policy wording is drafted accordingly. One problem is that many victims don’t register the fraud until it becomes significant. It is estimated that banks across Europe and the U.S. have lost hundreds of millions through these unauthorized transfers.

Crypto-Currency Theft

The emergence of bitcoin and other virtual currency makes recovering from cyber theft even more complicated. Crime and fidelity policies will typically cover the loss of money, securities or property, but virtual currency does not fall within traditional definitions under these insurance policies.

“If an organization using these virtual currencies suffers a loss of virtual currency, depending on the policy’s definitions, it is possible that such a loss would not be covered if it is not included within the policy’s definitions of money, securities or property,” Kardaras said.

Additionally, the fluctuating value of bitcoin would make it difficult for underwriters to evaluate the risk associated with a bitcoin store, and to determine exactly how much a claim is worth in the event bitcoin is stolen. Nonetheless, it is estimated that more than $1 billion worth of virtual currency has been stolen over the past decade.

As bitcoin grow more legitimate and widespread, so likely will the corresponding risk of crypto-currency theft.

Bridging the Shortfall of Coverage Solutions

Traditional crime and fidelity policies were crafted by the Surety and Fidelity Association of America in the 1990s, and much of their language has not been updated to reflect modern-day risks.

Various carriers have attempted to address and clarify the gray areas in crime and cyber coverage via exclusionary or enhancement endorsements attached to the policy. A cyber policy may typically exclude, for example, losses incurred via fraudulent funds transfer stemming from a social engineering scam. Similarly, traditional crime policies may explicitly exclude any coverage for digital currencies.

These new endorsements and policy wording providing affirmative coverage for these evolving risks seek to seal the gaps and eliminate the confusion emanating from the complex and rapidly-developing cyber exposures.

“For commercial firms, Nationwide may offer protection for fraudulently-induced funds transfers resulting from social engineering scenarios where such losses would not be picked up by traditional policies,” Kardaras said.

“For financial institutions, we offer a separate, computer crime policy form updated with language that may protect businesses from email compromise as well as any unauthorized access to company funds resulting from a virus or malware. Protection for crypto currency losses are underwritten on a case-by-case basis.”

In recognition of the complexity and challenges that the growing cyber-theft landscape presents, Nationwide’s fidelity and cyber liability teams work together to offer insureds complementary coverage.

“We don’t work in silos,” Kardaras said. “We work hand in hand to offer coverage that meets the spectrum of our customers’ needs, from first-party crime to computer fraud and third-party liability and everything in between.”

To learn more, visit https://mls.nationwideexcessandsurplus.com/fs/products/commercial-crime/.

This article was produced by the R&I Brand Studio, a unit of the advertising department of Risk & Insurance, in collaboration with Nationwide. The editorial staff of Risk & Insurance had no role in its preparation.

Nationwide, a Fortune 100 company, is one of the largest and strongest diversified insurance and financial services organizations in the U.S. and is rated A by A.M. Best and A+ by Standard & Poor’s.

How a Carrier Partner Can Help Navigate a Challenging Management and Professional Liability Market

A combination of a choppy economy with increased claims frequency and severity could lead to rate increases in the Management & Professional Liability market.

Rates in the management & professional liability (M&PL) markets were on the rise from 2020 to early 2023 and are now falling rapidly.

M&PL divisions manage a number of different insurance products including management liability (D&O), professional liability (E&O), employment practices liability (EPL), fiduciary liability policies, cyber, etc. In 2023 and into 2024, a big influence on the marketplace has been the extremely aggressive and softening public company D&O market.

Though these rates have been softening for management liability, that may change over the next few years as companies continue to adjust their business models motivated by economic uncertainty. Layoffs were up nearly 200% last year, Forbes reported, even as other recession indicators, like the inflation rate, improved. A recession could lead to an increased claim activity and force carriers to raise rates.

“Whenever there is a meaningful downturn in the economy, we tend to see claim frequency pop up,” said George Schalick, Jr., senior vice president of the Management and Professional Liability Division at Philadelphia Insurance Companies (PHLY).

With continued fiscal uncertainty, businesses potentially already burdened with pandemic-related claims should seek a carrier with a long history in M&PL products. They will provide much-needed risk management guidance and be better positioned to support their insureds during market fluctuations.

Why Insureds Might See an Uptick in M&PL Claims

George Schalick, Jr., Senior Vice President of the Management and Professional Liability Division, Philadelphia Insurance Companies

The current soft market might come as a bit of a surprise as it does not track with previous underwriting cycles and economic conditions. Afterall, many privately held and non-profit organizations struggled during the early days of the pandemic with shutdowns and rapidly declining revenues. But the Government assistance programs, like the Paycheck Protection Program loans, helped keep many afloat during the tough times.

“During COVID many organizations stopped doing business until they were able to sort out all of the health and safety challenges,” Schalick said. “They were forced to lock down, but then all the government assistance programs allowed them to keep people employed. The increased volume of claims we anticipated we would see coming from the lockdowns and restrictions that were imposed upon businesses in the U.S. didn’t manifest at first.”

“Just because there wasn’t an onslaught of reported claims at the beginning of the pandemic, doesn’t mean the circumstances that would give rise to a claim being reported didn’t occur. Courts and the judicial system were closed or slowed and now that they are back open, we’re starting to see the circumstances that occurred during the COVID lockdowns becoming claims today,” Schalick said. “Litigation is progressing.”

Added to the delayed pandemic litigation is a concern over newer claims that might be filed as the country inches toward an economic downturn. Though a recession was avoided in 2023, experts think a soft dip could occur in 2024, with 76% of economists saying there’s a 50% or less chance of an economic downturn this year — that almost always results in more management liability claims.

“During the Great Recession in 2008, we saw an almost immediate spike in claims because of the economic conditions and the pressure it placed on organizations. They were making personnel changes with significant belt tightening almost immediately.” Schalick said.

What’s in Store for M&PL Policy Rates in 2024?

Despite an uptick in claims and increased economic uncertainty, management liability rates haven’t increased, resulting in market-wide pricing levels that may not meet the increased pressure of rising settlements and jury verdicts.

“Rates are going the other direction and settlement values are not falling,” Schalick said.

The mismatch between rates, claim frequency and severity is, in part, because carriers experiencing the dramatic soft market in the public D&O market are seeking premium gain in the private and non-profit market.

“In the public company market, the rates have been decreasing significantly. The rates were increasing in the private, not-for-profit market, and rightfully so, but there’s a desire to supplement overall mid-size D&O for carriers who also write private not-for-profit, and they see that as an opportunity to aggregate premium,” Schalick said. “So the always competitive landscape in the private, not-for-profit market has dramatically increased in the last 18 to 24 months.”

Still, companies of all sizes and types should be concerned about management liability rates in the future. Legal system abuse is resulting in increases in both the amount of litigation and the size of verdicts plaintiffs are receiving.

Certain areas of the country are particularly vulnerable to this type of legal system abuse. As a result, insureds in these localities are likely to be vulnerable to rate increases.

“The environment is so positive for the plaintiff that forces premium increases so carriers are able to stay in that market long term,” Schalick said.

Why a Tenured Carrier Partner Can Help Insureds Navigate An Uncertain Market

It’s clear that insureds are facing an uncertain M&PL market over the next few years. Fortunately, carriers with a long history in the M&PL space will be there to offer stability.

Philadelphia Insurance Companies has been supporting this market for 35 years. PHLY is committed to offering long-term rate stability, even as economic and claims trends start to push premiums upwards. They have an appetite for all sorts of companies, large and small, for-profit and nonprofit alike.

“We’ve been at this game for a long time and are one of the most tenured underwriters in this space,” Schalick said. “We like to stay very consistent.”

PHLY has worked with both for-profit and non-profit on management liability policies. With dedicated M&PL teams throughout the company’s 13 regions, PHLY provides the support agents and brokers are looking for on behalf of their clients. The teams know their regions well and can respond to local trends. They’re also dedicated to making the renewal process as easy as possible for their partners and policyholders.

“We have real confidence in our results, so we focus a lot on making the renewal experience as painless as possible for all agents and insureds,” Schalick said.

The company is also investing in tools to help insureds avoid losses. Earlier this year, they launched a new online risk management platform, PHLYGateway, which offers resources for insureds on how to create an employee handbook and trainings on issues such as recognizing workplace sexual harassment and discrimination.

If insureds have questions, they can consult a Best Practices Help Line, provided via the platform. That way, they can get on the spot risk management guidance to help them prevent claims.

To learn more, visit: https://www.phly.com/mplDivision/managementLiability/default.aspx.

This article was produced by the R&I Brand Studio, a unit of the advertising department of Risk & Insurance, in collaboration with Philadelphia Insurance Companies. The editorial staff of Risk & Insurance had no role in its preparation.

More from Risk & Insurance

Why Litigation Financing Should Be Driving the Industry Toward E&S Coverage to Buffer the Blows of Social Inflation

Legal Spotlight: Johnson & Johnson and the Cancer/Talc Connection, NextGen Healthcare Hit with Fraud Claims and More

Moving with Controlled Optimism

What The Institutes’ Pete Miller Has Learned One Season Into the Predict & Prevent Podcast

Sponsored Content by Nationwide

Cyber Thieves Are Robbing You in New Ways. Will Your Insurance Provide Protection?

Sophisticated Social Engineering

Financial Phishing

Crypto-Currency Theft

Bridging the Shortfall of Coverage Solutions

Share this article!

Trending Stories

Rising Star Abby Flaherty of Risk Strategies Details Her Entertainment Brokering Journey and How Industry Tragedy Has Impacted Coverage

Planck’s Leandro DalleMule Discusses the Ethics of AI in Insurance

3 Keys to Combat ‘Big Brother’ Fears with Safety Technology

2024 RIMS President David Arick Shares How COVID and AI Have Changed the Risk Management Space