Sponsored Content by Nationwide

Cyber Thieves Are Robbing You in New Ways. Will Your Insurance Provide Protection?

Social engineering, phishing and crypto-currency burglary all represent evolving methods of theft that challenge traditional crime and cyber policies.
By: | June 26, 2018 • 6 min read

Theft is not a new threat. But it is taking on new forms in an increasingly digital world.

Cyber thieves can infiltrate organizations and execute fraud in any number of ways — through a phony email or phone call, a corrupted link, or by targeting vulnerable digital currency, to name just a few.

Businesses are reporting more security breaches and incidents of cyber fraud than ever before. According to Kroll’s 2018 Global Fraud and Risk Report, 84 percent of surveyed executives reported that their company experienced at least one instance of fraud in the previous year, while 86 percent also said their company experienced a cyber attack involving data theft.

Both of those percentages represent all-time highs.

As the frequency and nature of these incidents increase and evolve in complexity, creating insurance solutions to help companies recoup their losses resulting from the ever-changing nature of the risk is an industry-wide challenge.

“Crime insurance traditionally would cover the direct loss of funds or property resulting from theft. Cyber liability insurance would take on the indirect consequential loss to a third party,” said James Kardaras, Underwriting Director, Crime and Fidelity, Nationwide. “What they have in common is the use of a computer for illicit purposes, but there remain gaps and gray areas where much of cyber-related risk remains uninsured.”

Stand-alone cyber policies and traditional crime and fidelity policies alike traditionally did not protect against losses incurred by an employee willingly transferring funds to a fraudulent account, even if that employee was duped by hackers. The emergence of crypto-currency like bitcoin makes matters more complicated, since regulators and insurers are not sure how to qualify or quantify its value.

Social engineering, phishing, and theft of crypto-currency all represent evolving methods of theft that muddle the traditional definitions of fraud and challenge traditional notions of how crime and cyber policies will respond to such losses.

Sophisticated Social Engineering

James Kardaras, Underwriting Director, Crime and Fidelity

Social engineering fraud, also known as business email compromise, is often a focused and well-planned attack. In this case, the thief impersonates either a senior official within the target company, a vendor or a customer, emulating their style of speech from behind a fake email account.

In the phony email, the impersonator directs an employee to send valuable data or to wire a sum of money to an external account.

“Employees want to do well, either by pleasing the boss or pleasing the customer, and if the email conveys a sense of urgency, the employee may be more likely to bypass typical verification protocols to complete the request. By the time the mistake is uncovered, it’s usually too late to stop the transaction or even trace where the data or the funds have gone,” Kardaras said.

Today, social engineering schemes have evolved to include the fraudulent transfer of tangible property, wherein the perpetrator, posing perhaps as a sales executive attending a conference, asks an employee to send or reroute a shipment of goods to the show site or a nearby hotel. The thieves then intercept the shipment and make off with the goods.

“If an employee willfully completes these requests, a traditional crime and fidelity policy would not recognize this as theft and wouldn’t provide coverage,” Kardaras said. “Cyber policies would likely not respond either, since there has been no breach of the company’s network.”

Financial Phishing

Like social engineering, phishing schemes involve scammers posing as trustworthy third parties — typically a bank. But rather than inducing an internal employee to transfer funds or data, phishing emails lure recipients to click on a corrupted link under the guise that they need to update or verify their user information.

These links have served as vehicles to infect companies’ networks with malware or ransomware, but increasingly they redirect employees to copycat websites where they enter private information like company account numbers, which are then used to access funds directly.

“Financial phishing, which seeks a more direct and immediate payout, now accounts for more than 50 percent of all phishing attacks,” Kardaras said.

Attacks specifically targeting the financial institutions themselves are also becoming more common. Malevolent links sent via a phishing email can help hackers gain access to an employee’s systems.

“This technology enables hackers to gain remote access to employees’ computer terminals at banks, follow their movements, and track what type and what volume of transfers they conduct each day,” Kardaras said. They can then mimic those actions to make fraudulent transfers into their own accounts, but of a volume and size small enough not to raise any red flags.”

Crime insurance could potentially respond to protect insureds from these losses, if the risks are identified, underwritten to, and the policy wording is drafted accordingly. One problem is that many victims don’t register the fraud until it becomes significant. It is estimated that banks across Europe and the U.S. have lost hundreds of millions through these unauthorized transfers.

Crypto-Currency Theft

The emergence of bitcoin and other virtual currency makes recovering from cyber theft even more complicated. Crime and fidelity policies will typically cover the loss of money, securities or property, but virtual currency does not fall within traditional definitions under these insurance policies.

“If an organization using these virtual currencies suffers a loss of virtual currency, depending on the policy’s definitions, it is possible that such a loss would not be covered if it is not included within the policy’s definitions of money, securities or property,” Kardaras said.

Additionally, the fluctuating value of bitcoin would make it difficult for underwriters to evaluate the risk associated with a bitcoin store, and to determine exactly how much a claim is worth in the event bitcoin is stolen. Nonetheless, it is estimated that more than $1 billion worth of virtual currency has been stolen over the past decade.

As bitcoin grow more legitimate and widespread, so likely will the corresponding risk of crypto-currency theft.

Bridging the Shortfall of Coverage Solutions

Traditional crime and fidelity policies were crafted by the Surety and Fidelity Association of America in the 1990s, and much of their language has not been updated to reflect modern-day risks.

Various carriers have attempted to address and clarify the gray areas in crime and cyber coverage via exclusionary or enhancement endorsements attached to the policy. A cyber policy may typically exclude, for example, losses incurred via fraudulent funds transfer stemming from a social engineering scam. Similarly, traditional crime policies may explicitly exclude any coverage for digital currencies.

These new endorsements and policy wording providing affirmative coverage for these evolving risks seek to seal the gaps and eliminate the confusion emanating from the complex and rapidly-developing cyber exposures.

“For commercial firms, Nationwide may offer protection for fraudulently-induced funds transfers resulting from social engineering scenarios where such losses would not be picked up by traditional policies,” Kardaras said.

“For financial institutions, we offer a separate, computer crime policy form updated with language that may protect businesses from email compromise as well as any unauthorized access to company funds resulting from a virus or malware. Protection for crypto currency losses are underwritten on a case-by-case basis.”

In recognition of the complexity and challenges that the growing cyber-theft landscape presents, Nationwide’s fidelity and cyber liability teams work together to offer insureds complementary coverage.

“We don’t work in silos,” Kardaras said. “We work hand in hand to offer coverage that meets the spectrum of our customers’ needs, from first-party crime to computer fraud and third-party liability and everything in between.”

To learn more, visit https://mls.nationwideexcessandsurplus.com/fs/products/commercial-crime/.

 SponsoredContent

BrandStudioLogo

This article was produced by the R&I Brand Studio, a unit of the advertising department of Risk & Insurance, in collaboration with Nationwide. The editorial staff of Risk & Insurance had no role in its preparation.




Nationwide, a Fortune 100 company, is one of the largest and strongest diversified insurance and financial services organizations in the U.S. and is rated A+ by both A.M. Best and Standard & Poor’s.

4 Companies That Rocked It by Treating Injured Workers as Equals; Not Adversaries

The 2018 Teddy Award winners built their programs around people, not claims, and offer proof that a worker-centric approach is a smarter way to operate.
By: | October 30, 2018 • 3 min read

Across the workers’ compensation industry, the concept of a worker advocacy model has been around for a while, but has only seen notable adoption in recent years.

Even among those not adopting a formal advocacy approach, mindsets are shifting. Formerly claims-centric programs are becoming worker-centric and it’s a win all around: better outcomes; greater productivity; safer, healthier employees and a stronger bottom line.

Advertisement




That’s what you’ll see in this month’s issue of Risk & Insurance® when you read the profiles of the four recipients of the 2018 Theodore Roosevelt Workers’ Compensation and Disability Management Award, sponsored by PMA Companies. These four programs put workers front and center in everything they do.

“We were focused on building up a program with an eye on our partner experience. Cost was at the bottom of the list. Doing a better job by our partners was at the top,” said Steve Legg, director of risk management for Starbucks.

Starbucks put claims reporting in the hands of its partners, an exemplary act of trust. The coffee company also put itself in workers’ shoes to identify and remove points of friction.

That led to a call center run by Starbucks’ TPA and a dedicated telephonic case management team so that partners can speak to a live person without the frustration of ‘phone tag’ and unanswered questions.

“We were focused on building up a program with an eye on our partner experience. Cost was at the bottom of the list. Doing a better job by our partners was at the top.” — Steve Legg, director of risk management, Starbucks

Starbucks also implemented direct deposit for lost-time pay, eliminating stressful wait times for injured partners, and allowing them to focus on healing.

For Starbucks, as for all of the 2018 Teddy Award winners, the approach is netting measurable results. With higher partner satisfaction, it has seen a 50 percent decrease in litigation.

Teddy winner Main Line Health (MLH) adopted worker advocacy in a way that goes far beyond claims.

Employees who identify and report safety hazards can take credit for their actions by sending out a formal “Employee Safety Message” to nearly 11,000 mailboxes across the organization.

“The recognition is pretty cool,” said Steve Besack, system director, claims management and workers’ compensation for the health system.

MLH also takes a non-adversarial approach to workers with repeat injuries, seeing them as a resource for identifying areas of improvement.

“When you look at ‘repeat offenders’ in an unconventional way, they’re a great asset to the program, not a liability,” said Mike Miller, manager, workers’ compensation and employee safety for MLH.

Teddy winner Monmouth County, N.J. utilizes high-tech motion capture technology to reduce the chance of placing new hires in jobs that are likely to hurt them.

Monmouth County also adopted numerous wellness initiatives that help workers manage their weight and improve their wellbeing overall.

“You should see the looks on their faces when their cholesterol is down, they’ve lost weight and their blood sugar is better. We’ve had people lose 30 and 40 pounds,” said William McGuane, the county’s manager of benefits and workers’ compensation.

Advertisement




Do these sound like minor program elements? The math says otherwise: Claims severity has plunged from $5.5 million in 2009 to $1.3 million in 2017.

At the University of Pennsylvania, putting workers first means getting out from behind the desk and finding out what each one of them is tasked with, day in, day out — and looking for ways to make each of those tasks safer.

Regular observations across the sprawling campus have resulted in a phenomenal number of process and equipment changes that seem simple on their own, but in combination have created a substantially safer, healthier campus and improved employee morale.

UPenn’s workers’ comp costs, in the seven-digit figures in 2009, have been virtually cut in half.

Risk & Insurance® is proud to honor the work of these four organizations. We hope their stories inspire other organizations to be true partners with the employees they depend on. &

Michelle Kerr is associate editor of Risk & Insurance. She can be reached at [email protected]