Cyber Risk

High Net Worth’s Unique Cyber Challenges

Emerging cyber risk is a challenge for everyone these days, but for high net worth individuals and families, the challenges can be even greater.
By: | September 12, 2017 • 6 min read

High net worth individuals have a bigger attack surface,” said Martin Hartley, executive vice president and chief operating officer of PURE Group of Insurance Companies. “They have more devices, they travel more, they may have domestic staff. There is just a greater attack surface for someone targeting them to get through.”

Advertisement




Wealth attracts theft, but the lifestyles of the better off make them targets as well. They tend to embrace technology, from computer-enhanced toys to a vast array of smart home devices, most of which are Wi-Fi enabled, presenting opportunities for would-be cyber thieves.

“With all of the smart home technology, [criminals can] hack into your thermostat, which now gives them access to the rest of your network and … the phones, iPads, and computers that family members do their banking on,” said Lisa Lindsay, executive director at the Private Risk Management Association. The latest gadgets or apps may still have unknown bugs or weaknesses, as well.

Domestic staff and frequent entertaining can both lead to sharing passwords, which makes networks less secure.

“Children of the high net worth will have phones earlier,” said Kim Lucarelli, senior vice president and director of personal client management at Oswald Companies. “They may have them at 10, 11 years old.” Children that age are less likely to understand the importance of good cyber hygiene, and more likely to develop bad habits that will be difficult to unlearn when they get older.

The wealthy tend to travel more. Using unknown networks to control remote devices or conduct financial transactions, especially abroad, puts home networks, sensitive financial information, or even accounts themselves at risk.

Lisa Lindsay, executive director, the Private Risk Management Association

“People think all the time, ‘Everything I do at home I can do remotely,’ and that is true,” said Heather Posner, director of high net worth at Burns & Wilcox. “But … how do you make sure you’re secure? Whether you’re paying bills, filing your taxes, changing your thermostat, setting your alarm, what kind of exposure are you opening yourself up to if you’re not doing that in a secure manner?”

Lindsay agrees. “People have to know public Wi-Fi common sense,” she said. “They’re sitting in a hotel lobby in Rome transacting financial matters. It’s crazy. You shouldn’t even do that [in the U.S].”

Other risks arise from technological advances of another sort. Cyber criminals drive through neighborhoods to access vulnerable home networks, and experts are increasingly concerned about the use of drones, which would allow criminals to detect and hack into networks remotely from a mile or two away, including networks not accessible from the street.

The ultimate goal of those hackers is, of course, simple. “Without a doubt, it is theft of funds from their bank account, through a variety of different means,” said Hartley. “ … That is the highest risk facing high net worth individuals.”

“High net worth individuals have a bigger attack surface. They have more devices, they travel more, they may have domestic staff … more transactions are occurring.” —Martin Hartley, executive vice president and chief operating officer, PURE Group of Insurance Companies

Identity theft or the use of stolen login info to access accounts can be devastating and disruptive, but in those cases the financial institution may accept liability. However, criminals can also use information gleaned from social media accounts, with or without stolen personal information, to craft sophisticated social engineering scams.

Social media posts made while traveling often provide details that make fraudulent correspondence so convincing, and the distance between family members can make fake pleas for money more believable and urgent.

Hartley routinely sees cases where thieves have used information stolen or gleaned from social media to create utterly convincing correspondences instructing personal assistants to transfer often vast sums of money.

“The bank is not liable,” said Hartley. “They say, ‘We followed our protocols. It was your personal assistant, who is an authorized bank user, who wired the money out of the account.’ That money is gone.”

“This is the nature of an evolving risk,” he said. “Today we have $10,000 worth of coverage for this kind of loss,” although PURE will soon roll out new coverage with much higher limits.

Defamation Claims

The fastest growing liability claim, according to a claim supervisor at Chubb, is online defamation, said Oswald’s Lucarelli.

Advertisement




These claims often have to do with negative reviews on Yelp or other online platforms.

While such a claim may be picked up by a traditional liability policy, Lucarelli sees the potential for coverage gaps.

“If it’s deemed an intentional act there may not be coverage,” she said, adding, “The coverage really is more around bodily injury … Mental anguish isn’t a loss that’s likely covered.”

And coverage under a traditional liability policy maybe not be a sure thing. “AIG calls their coverage ‘silent,’” she said. Meaning maybe they’ll cover it, maybe they won’t.

Ambiguous language typically leans in the client’s favor, but Lucarelli hopes the industry will trend toward more explicit coverage.

Some high net worth carriers have bolstered their cyber offering. Lucarelli said it’s a good start, citing a new coverage from AIG called Family Cyber Edge, which includes coverage for data restoration, cyber extortion and ransomware, crisis management for reputational harm, as well as cyber bullying expenses. “They’ve done a good job rolling a lot of these coverages into one endorsement.”

Still, Lucarelli sees unmet demand for more specific cyber bullying liability coverage. “We interviewed 300 people and most said, ‘If you offer coverage that defines this and you even put a cap a limit on it of, say, $250,000, I’ll buy it.’ ”

Kim Lucarelli, senior vice president and director, personal client management, Oswald Companies

The new, higher-limit coverage PURE will be rolling out in coming months — which will include high-limit coverage for social engineering and cyber fraud losses — utilizes a new approach to cyber security. PURE is partnering with the cyber security firm Rubica for active cyber monitoring.

Coverage will be contingent on having an app installed on each of the insured’s devices. All data will be sent via VPN to Rubica’s cloud, which will use pattern recognition, a constantly updated list of known trouble spots, and AI to flag problems.

“They’re actively monitoring where data packages are being sent and identifying if they go off somewhere they shouldn’t. Then they can shut them off,” said Hartley.

Rubica’s model could be game changing. By monitoring the data itself, Rubica can detect problems regardless of how they are introduced, and avert them before they are executed.

PURE has such confidence in its efficacy that it will be offering coverage limits that would previously been considered prohibitive.

Ultimately, however, the most important aspect of cyber coverage for the high net worth lies in assessing and minimizing cyber risk. “So many people are looking for that,” said Lucarelli. “‘Just give me 10 great tips to make myself more secure.’”

“People want to know how to best prevent this sort of thing, not deal with it after it’s occurred,” agreed Hartley. “The gap between smart risk behavior and not smart risk behavior is one of just simply not knowing.” &

Jon McGoran is a novelist and magazine editor based outside of Philadelphia. He can be reached at [email protected]

More from Risk & Insurance

More from Risk & Insurance

4 Companies That Rocked It by Treating Injured Workers as Equals; Not Adversaries

The 2018 Teddy Award winners built their programs around people, not claims, and offer proof that a worker-centric approach is a smarter way to operate.
By: | October 30, 2018 • 3 min read

Across the workers’ compensation industry, the concept of a worker advocacy model has been around for a while, but has only seen notable adoption in recent years.

Even among those not adopting a formal advocacy approach, mindsets are shifting. Formerly claims-centric programs are becoming worker-centric and it’s a win all around: better outcomes; greater productivity; safer, healthier employees and a stronger bottom line.

Advertisement




That’s what you’ll see in this month’s issue of Risk & Insurance® when you read the profiles of the four recipients of the 2018 Theodore Roosevelt Workers’ Compensation and Disability Management Award, sponsored by PMA Companies. These four programs put workers front and center in everything they do.

“We were focused on building up a program with an eye on our partner experience. Cost was at the bottom of the list. Doing a better job by our partners was at the top,” said Steve Legg, director of risk management for Starbucks.

Starbucks put claims reporting in the hands of its partners, an exemplary act of trust. The coffee company also put itself in workers’ shoes to identify and remove points of friction.

That led to a call center run by Starbucks’ TPA and a dedicated telephonic case management team so that partners can speak to a live person without the frustration of ‘phone tag’ and unanswered questions.

“We were focused on building up a program with an eye on our partner experience. Cost was at the bottom of the list. Doing a better job by our partners was at the top.” — Steve Legg, director of risk management, Starbucks

Starbucks also implemented direct deposit for lost-time pay, eliminating stressful wait times for injured partners, and allowing them to focus on healing.

For Starbucks, as for all of the 2018 Teddy Award winners, the approach is netting measurable results. With higher partner satisfaction, it has seen a 50 percent decrease in litigation.

Teddy winner Main Line Health (MLH) adopted worker advocacy in a way that goes far beyond claims.

Employees who identify and report safety hazards can take credit for their actions by sending out a formal “Employee Safety Message” to nearly 11,000 mailboxes across the organization.

“The recognition is pretty cool,” said Steve Besack, system director, claims management and workers’ compensation for the health system.

MLH also takes a non-adversarial approach to workers with repeat injuries, seeing them as a resource for identifying areas of improvement.

“When you look at ‘repeat offenders’ in an unconventional way, they’re a great asset to the program, not a liability,” said Mike Miller, manager, workers’ compensation and employee safety for MLH.

Teddy winner Monmouth County, N.J. utilizes high-tech motion capture technology to reduce the chance of placing new hires in jobs that are likely to hurt them.

Monmouth County also adopted numerous wellness initiatives that help workers manage their weight and improve their wellbeing overall.

“You should see the looks on their faces when their cholesterol is down, they’ve lost weight and their blood sugar is better. We’ve had people lose 30 and 40 pounds,” said William McGuane, the county’s manager of benefits and workers’ compensation.

Advertisement




Do these sound like minor program elements? The math says otherwise: Claims severity has plunged from $5.5 million in 2009 to $1.3 million in 2017.

At the University of Pennsylvania, putting workers first means getting out from behind the desk and finding out what each one of them is tasked with, day in, day out — and looking for ways to make each of those tasks safer.

Regular observations across the sprawling campus have resulted in a phenomenal number of process and equipment changes that seem simple on their own, but in combination have created a substantially safer, healthier campus and improved employee morale.

UPenn’s workers’ comp costs, in the seven-digit figures in 2009, have been virtually cut in half.

Risk & Insurance® is proud to honor the work of these four organizations. We hope their stories inspire other organizations to be true partners with the employees they depend on. &

Michelle Kerr is associate editor of Risk & Insurance. She can be reached at [email protected]