Cyber Risk

High Net Worth’s Unique Cyber Challenges

Emerging cyber risk is a challenge for everyone these days, but for high net worth individuals and families, the challenges can be even greater.
September 12, 2017 • 6 min read

“High net worth individuals have a bigger attack surface,” said Martin Hartley, executive vice president and chief operating officer of PURE Group of Insurance Companies. “They have more devices, they travel more, they may have domestic staff. There is just a greater attack surface for someone targeting them to get through.”

Wealth attracts theft, but the lifestyles of the better off make them targets as well. They tend to embrace technology, from computer-enhanced toys to a vast array of smart home devices, most of which are Wi-Fi enabled, presenting opportunities for would-be cyber thieves.

“With all of the smart home technology, [criminals can] hack into your thermostat, which now gives them access to the rest of your network and … the phones, iPads, and computers that family members do their banking on,” said Lisa Lindsay, executive director at the Private Risk Management Association. The latest gadgets or apps may still have unknown bugs or weaknesses, as well.

Domestic staff and frequent entertaining can both lead to sharing passwords, which makes networks less secure.

“Children of the high net worth will have phones earlier,” said Kim Lucarelli, senior vice president and director of personal client management at Oswald Companies. “They may have them at 10, 11 years old.” Children that age are less likely to understand the importance of good cyber hygiene, and more likely to develop bad habits that will be difficult to unlearn when they get older.

The wealthy tend to travel more. Using unknown networks to control remote devices or conduct financial transactions, especially abroad, puts home networks, sensitive financial information, or even accounts themselves at risk.

“People think all the time, ‘Everything I do at home I can do remotely,’ and that is true,” said Heather Posner, director of high net worth at Burns & Wilcox. “But … how do you make sure you’re secure? Whether you’re paying bills, filing your taxes, changing your thermostat, setting your alarm, what kind of exposure are you opening yourself up to if you’re not doing that in a secure manner?”

Lindsay agrees. “People have to know public Wi-Fi common sense,” she said. “They’re sitting in a hotel lobby in Rome transacting financial matters. It’s crazy. You shouldn’t even do that [in the U.S.].”

Other risks arise from technological advances of another sort. Cyber criminals drive through neighborhoods to access vulnerable home networks, and experts are increasingly concerned about the use of drones, which would allow criminals to detect and hack into networks remotely from a mile or two away, including networks not accessible from the street.

The ultimate goal of those hackers is, of course, simple. “Without a doubt, it is theft of funds from their bank account, through a variety of different means,” said Hartley. “… That is the highest risk facing high net worth individuals.”

“High net worth individuals have a bigger attack surface. They have more devices, they travel more, they may have domestic staff … more transactions are occurring.” —Martin Hartley, executive vice president and chief operating officer, PURE Group of Insurance Companies

Identity theft or the use of stolen login info to access accounts can be devastating and disruptive, but in those cases the financial institution may accept liability. However, criminals can also use information gleaned from social media accounts, with or without stolen personal information, to craft sophisticated social engineering scams.

Social media posts made while traveling often provide the details that make fraudulent correspondence convincing, and the distance between family members can make fake pleas for money more believable and urgent.

Hartley routinely sees cases where thieves have used information stolen or gleaned from social media to create utterly convincing correspondence instructing personal assistants to transfer often vast sums of money.

“The bank is not liable,” said Hartley. “They say, ‘We followed our protocols. It was your personal assistant, who is an authorized bank user, who wired the money out of the account.’ That money is gone.”

“This is the nature of an evolving risk,” he said. “Today we have $10,000 worth of coverage for this kind of loss,” although PURE will soon roll out new coverage with much higher limits.

Defamation Claims

The fastest growing liability claim, according to a claim supervisor at Chubb, is online defamation, said Oswald’s Lucarelli.

These claims often have to do with negative reviews on Yelp or other online platforms.

While such a claim may be picked up by a traditional liability policy, Lucarelli sees the potential for coverage gaps.

“If it’s deemed an intentional act there may not be coverage,” she said, adding, “The coverage really is more around bodily injury … Mental anguish isn’t a loss that’s likely covered.”

And coverage under a traditional liability policy may not be a sure thing. “AIG calls their coverage ‘silent,’” she said, meaning maybe they’ll cover it, maybe they won’t.

Ambiguous language typically leans in the client’s favor, but Lucarelli hopes the industry will trend toward more explicit coverage.

Some high net worth carriers have bolstered their cyber offering. Lucarelli said it’s a good start, citing a new coverage from AIG called Family Cyber Edge, which includes coverage for data restoration, cyber extortion and ransomware, crisis management for reputational harm, as well as cyber bullying expenses. “They’ve done a good job rolling a lot of these coverages into one endorsement.”

Still, Lucarelli sees unmet demand for more specific cyber bullying liability coverage. “We interviewed 300 people and most said, ‘If you offer coverage that defines this and you even put a cap, a limit, on it of, say, $250,000, I’ll buy it.’”

The new, higher-limit coverage PURE will be rolling out in coming months — which will include high-limit coverage for social engineering and cyber fraud losses — utilizes a new approach to cyber security. PURE is partnering with the cyber security firm Rubica for active cyber monitoring.

Coverage will be contingent on having an app installed on each of the insured’s devices. All data will be sent via VPN to Rubica’s cloud, which will use pattern recognition, a constantly updated list of known trouble spots, and AI to flag problems.

“They’re actively monitoring where data packages are being sent and identifying if they go off somewhere they shouldn’t. Then they can shut them off,” said Hartley.

Rubica’s model could be game changing. By monitoring the data itself, Rubica can detect problems regardless of how they are introduced, and avert them before they are executed.

PURE has such confidence in its efficacy that it will be offering coverage limits that would previously have been considered prohibitive.

Ultimately, however, the most important aspect of cyber coverage for the high net worth lies in assessing and minimizing cyber risk. “So many people are looking for that,” said Lucarelli. “‘Just give me 10 great tips to make myself more secure.’”

“People want to know how to best prevent this sort of thing, not deal with it after it’s occurred,” agreed Hartley. “The gap between smart risk behavior and not smart risk behavior is one of just simply not knowing.”

Jon McGoran is a novelist and magazine editor based outside of Philadelphia.

More from Risk & Insurance

Absence Management

Establishing Balance With Volunteers

It’s good business to allow job-leave for volunteer emergency responders, whether or not state laws apply.
January 10, 2018 • 7 min read

If 2017 had a moniker, it might be “the year of the natural disasters,” thanks to a phenomenal array of catastrophic or severe events: hurricanes, tornadoes, wildfires, ice storms and floods.

Combined with smaller-scale fires and other emergencies, these incidents tax the resources of local and state emergency services, often prompting the need to call volunteer emergency responders into action.

But as lean as most organizations are already running, volunteer activities can sometimes cause friction between employees and employers. Handling conflicts the wrong way can potentially lead to legal headaches, harm employee morale and batter a company’s reputation.

State by State Variations

Most employers are aware of the various federal and state leave laws protecting their employees, including family and medical leave, pregnancy leave and military leave. But leave laws that protect the livelihoods of volunteer emergency responders are more likely to fly under the radar of some HR managers and risk managers.

Such laws don’t exist in every state, but more than 20 states do have some type of law in place to protect volunteers including emergency responders, firefighters, disaster workers, medical responders, ambulance drivers or peace officers.

The laws vary broadly. Nearly all specify that such leave be unpaid, and that employees disclose their volunteer status to employers and provide documentation for each leave. But there is a spectrum of variations in terms of what may trigger an eligible leave. Some, for instance, apply for any emergency that prompts a call from the volunteer’s affiliated responder group. Others may require a government declaration of emergency for the law to be triggered.

While many of the laws do not explicitly require employers to let employees leave work when called to an emergency during a shift, most specify that an employee may be late or even miss work entirely without facing termination or any other adverse employment action.

Some states mandate a maximum number of unpaid leave days that a volunteer can claim. But others may place more significant burdens on employers. In California, for instance, employers with 50 or more employees are required to grant up to 14 days of unpaid leave for training activities in addition to any leave taken to respond to emergency events. For multistate employers, keeping on top of what obligations may apply in each circumstance can be a challenge.

Significant Risks

Large or mid-sized employers may rely on absence management providers to keep them in compliance. For smaller employers though, it may be as simple as looking up a state’s law via Google to find out what’s required. However, checking in with the state department of labor or the company’s attorney may be the best way to get the correct facts.

“I would caution that just because you don’t find something [on the internet], it doesn’t mean it’s not there,” said absence management and employment law attorney Marti Cardi, vice president of Product Compliance for Matrix Absence Management.

For example, Cardi said, an obscure Texas law provides job-protected leave for volunteer ham radio operators called into service during an emergency.

Cardi said employers should task HR to investigate the laws in each state the company operates in, and to ensure that supervisors are educated about the existence of these laws.

“If a supervisor is told by one of his or her employees, ‘Sorry I’m not coming in today … I’ve been called to volunteer firefighter duty for the [nearby region] fire,’” she said, “you want to be sure that the supervisor knows not to take action against the employee, and to contact HR for guidance.”

“Training supervisors to be aware of this kind of absence is really important.”

An employer that does terminate a protected volunteer for responding to an emergency may be ordered to pay back wages and reinstate the employee. In some cases, the employee may also be able to sue for wrongful termination.

And of course, “you don’t want to be the company in the headlines that is getting sued because you fired the volunteer firefighter,” she added.

If an employer bars a volunteer from responding, the worst-case scenario may be a third-party claim. Failure to comply with the law could give rise to a claim along the lines of “‘If you had complied with your statutory obligation to give Jane Doe time to respond, my loved one would not have died,’” explained Philadelphia-based Jonathan Segal, partner at law firm Duane Morris and managing principal of the Duane Morris Institute.

“That’s the claim I think is the largest in terms of legal risk.”

Even if no one dies or is seriously injured, he added, “there could still be significant reputational risk if an individual were to go to the media and say, ‘Look, I got called by the fire department and I wasn’t allowed to go.’”

The Right Thing to Do

What employers should be thinking about, Segal said, is that whether or not you have a legal obligation to provide job-protected leave for volunteer responders, “there’s still the question of what are the consequences if you don’t?”

Employee morale should be factored in, he said. The last thing any company wants is for employees to perceive it as insensitive to their interests or the interests of the community at large.

“How is this going to resonate with my employees, with my workforce, how are people going to see this? These are all relevant factors to consider,” he said.

There’s an argument to be made for employers to look at the bigger picture when it comes to any volunteer responders on their payroll, said Segal.

“Sometimes employers need to go beyond the law, and this is one of those times,” he said. “Think about the case where there’s not a specific state law [for emergency responders] and you say to a volunteer, ‘No, you can’t leave to deal with this fire’ and then people die. You as an employer have potentially played a role, indirectly, because you didn’t allow the first responder or responders to go,” he said.

The bottom line is that “it’s the right thing to do, even if it’s not required by law,” agreed Cardi.

“I feel that companies should have a policy that they’re not going to discipline or discharge someone for absences due to this kind of civic service, subject to verification of course.”

Clear Policy

While most employers do strive to be good corporate citizens, it goes without saying that employers need to guard their own interests. It’s not especially likely that volunteer responders will try to take advantage of the unpaid leave allowed them, but of course, it could happen.

That’s why it’s important to have policies that are aligned with state laws. Those policies could include:

  • Notifying the company of any volunteer affiliations either upon hire or as soon as they are activated as volunteers.
  • Requiring that employees notify a supervisor as soon as possible if called to an emergency (state requirements vary).
  • Requiring documentation after the event from the head of the entity supervising the volunteer’s activities.

If at some point the absences become excessive (someone has responded to emergencies five times in nine weeks, for instance), then it’s time to examine the specifics of the law and have a discussion with the employee about what’s reasonable, said Segal. It may also be time to ask whether the person is volunteering each time or being called.

In some cases, the discussion may need to be about finding a middle ground, especially if an employee has taken on an excessively demanding volunteer role.

“We encourage volunteers to pick the style that best fits their schedule,” said Greta Gustafson, a representative of the American Red Cross. “Disaster volunteers can elect to respond to disasters locally, nationally, or even virtually, and each assignment varies in length — from responding overnight to a home fire in your community to deploying across the country for several weeks following a hurricane.

“The Red Cross encourages all volunteers to talk with their employers to determine their availability and to communicate this with their local Red Cross chapter.”

Segal suggests approaching it as an interactive dialogue — borrowing from the ADA. “Employers may need to open a discussion along the lines of ‘I need you here this week because this week we have a deliverable on Friday and you’re critical to that client deliverable,’” he said, but also identify when the employee’s absence would be less critical.

No doubt there will be tough calls. An employer may have its hands full just trying to meet basic customer needs and need all hands on deck.

“That may be a situation where you say, ‘First let me check the law,’” said Segal. If there’s a leave law that applies, “then I’m going to need to comply with it. If there’s not, then you may need to balance competing interests and say, ‘We need you here.’”

Michelle Kerr is associate editor of Risk & Insurance.