Cyber Risks

Unauthorized Access

Sophisticated security breaches have banks scrambling for customized cyber coverage.
By: Katie Kuehner-Hebert | December 1, 2013 • 7 min read

Banks have spent years developing protections to minimize hacking and other fraudulent activities — but how do they protect against losses from thieves pretending to be legitimate customers who use social engineering, or exploit new technologies such as mobile remote deposit capture?

Take this example: In June, Boma Robert Spero-Jack, 34, was charged with stealing thousands of dollars from Bank of America and Kroger grocery stores by using mobile banking.

Spero-Jack is accused of purchasing at least 32 Western Union money orders at multiple Kroger stores, in amounts ranging from $195 to $500. He deposited the money orders into his Bank of America checking or savings accounts via a mobile application.

Then, he returned to the Kroger store and cashed the money orders, as well as withdrew the amount of the money orders from his bank account at a local branch of Bank of America, police said. In total, Spero-Jack stole $12,620, according to police.
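The scheme above works because the same money order is presented for value twice: once as an image through the mobile app and once as the physical instrument. The added Python example below, which is not part of the original article, shows the duplicate-presentment check a bank or instrument issuer would run over a consolidated feed of presentment events. The event schema, the serial numbers and the amounts are constructed for illustration; the real data would come from the bank's deposit log joined with the issuer's or returned-item records.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Presentment:
    """One attempt to realize value from a negotiable instrument (constructed schema)."""
    serial: str        # money order / check serial printed on the instrument
    channel: str       # "mobile_deposit" or "cashed_in_person"
    amount_cents: int  # amount in cents, so sums are exact
    when: str          # ISO 8601 timestamp, sortable as text


# Constructed sample events, not real bank data. MO-1001 and MO-1002 are
# deposited by phone and later cashed at a counter; MO-1003 is a legitimate
# single deposit and must not raise an alert.
SAMPLE_EVENTS = [
    Presentment("MO-1001", "mobile_deposit", 19500, "2013-05-02T09:14:00"),
    Presentment("MO-1002", "mobile_deposit", 50000, "2013-05-02T09:16:00"),
    Presentment("MO-1003", "mobile_deposit", 25000, "2013-05-02T11:40:00"),
    Presentment("MO-1001", "cashed_in_person", 19500, "2013-05-02T13:05:00"),
    Presentment("MO-1002", "cashed_in_person", 50000, "2013-05-03T08:30:00"),
]


def find_duplicate_presentments(events):
    """Return one alert per serial that was presented more than once.

    The earliest presentment (by timestamp) is treated as the only one the
    instrument can legitimately satisfy; every later one counts as exposure.
    """
    by_serial = defaultdict(list)
    for event in events:
        by_serial[event.serial].append(event)

    alerts = []
    for serial, items in sorted(by_serial.items()):
        if len(items) < 2:
            continue  # a single presentment is normal
        items.sort(key=lambda e: e.when)
        first, later = items[0], items[1:]
        alerts.append({
            "serial": serial,
            "presentments": len(items),
            "channels": sorted({e.channel for e in items}),
            "first_seen": first.when,
            "exposure_cents": sum(e.amount_cents for e in later),
        })
    return alerts


def total_exposure_cents(alerts):
    """Sum the exposure across all alerts, handy for a daily summary."""
    return sum(a["exposure_cents"] for a in alerts)


if __name__ == "__main__":
    for alert in find_duplicate_presentments(SAMPLE_EVENTS):
        print(alert)
```

The check is only as good as the feed it runs on: in the case described, the deposit bank and the store that cashed the paper were different organizations, so the bank typically learns of the second presentment only when the item is returned. Holding mobile deposits of third-party instruments until they clear, and matching returned items against the mobile deposit log by serial, closes that gap.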

Social engineering schemes, on the other hand, are less technical and often involve tricking individuals into breaking normal security procedures.

John Morrissey, senior vice president and an attorney with Aon’s financial services group in New York City, said that in the last two years, a number of U.S. corporations with subsidiaries in Europe have been defrauded through the use of social engineering.

Organized crime rings go on corporate websites and social sites to glean information about the inner workings of corporations, and use voice manipulation software to imitate executives’ voices.

“For example, they get enough information to make a call to a treasury person at a subsidiary in central Europe and pretend that they are the CFO of the U.S.-based parent,” Morrissey said. “They tell the treasury person that they are in secret negotiations to buy a company in China and need for the subsidiary to wire X amount to a bank in Hong Kong that is doing business with their company’s lawyers there.

“These organized fraud rings have gotten away with as much as $20 million at a time,” he said.

Commercial crime insurers are looking closely at these losses because they weren’t on the radar when the policy language was first drafted, he said.

Cyber insurance is still a relatively new type of coverage, and policies vary dramatically, said Kevin Kalinich, Aon Risk Solutions’ global cyber practice leader. In a typical professional liability policy, the coverage trigger is alleged error, omission or negligent act of the financial institution. However, under a cyber policy, a trigger is whether the financial institution is legally responsible for a privacy breach or security breach event — regardless of negligence.

Questions of Liability

Theft by way of social engineering is increasing in frequency.

“The bad guys may call customers saying, ‘This is John at your bank. We’re upgrading your account to a higher loyalty program,’ or they email customers, using the logo and URL of the bank, telling … them they ‘can get a lower interest rate if they plug in their account number, PIN number and password,’ ” Kalinich said.

“Once the fraudster gets it, they immediately transfer as much money as possible to their own account in another country,” he said.

In such a scenario, bank customers can sue, claiming the bank should not have allowed the unauthorized transfers, he said. A customized cyber insurance policy can respond to such data breach claims to pay the defense costs and indemnity, whereas an off-the-shelf professional liability policy might not.


Dena Magyar, vice president at Wells Fargo Insurance’s professional risk group in Charlotte, N.C., said there are numerous social engineering scenarios. A thief could:

• Pretend to be in the bank’s information technology department when emailing employees to ask for their user names and passwords so they can upgrade the speed of the bank’s computer system;

• Impersonate a vendor sent to fix a copier at the bank branch, and then remove the copier and copy its hard drive full of records listing customer information;

• Drop a thumb drive in a bank parking lot, with a label such as “executive compensation” so that the finder will plug the drive into a bank computer, thus installing malware that provides either transaction information or access to the bank’s system.

Social engineering schemes and other types of fraud are emerging so fast that banks have to make sure their policies keep up, she said.

“Right now, we are at a very interesting point in insurance,” Magyar said. “There are different types of policies that need to be reviewed to make sure banks are adequately covered and that there are not gaps between their bankers’ professional liability, crime and network security privacy policies.

“As bad actors become more devious, banks need to make sure their policies are working together, so they are covered regardless of what happens,” she said.

When considering a bank’s protection against computer crimes, George Allport, vice president and financial fidelity product manager for the Chubb Group of Insurance Cos., said his company has historically questioned whether the bank had firewalls and intrusion detection software, and if it immediately patched known vulnerabilities.

“While we still ask for that type of information, there is also a growing emphasis on addressing and underwriting this risk as a management issue,” Allport said. “We are taking a broader focus when looking at the risk.”

Chubb’s underwriters will soon be asking banks to detail the percentage of their IT budget that has been devoted to security in the current year, and whether those percentages will change in the coming year, he said.

Chubb’s underwriters will also be asking about the knowledge and oversight of security matters at the board level; the number of employees devoted to the implementation and maintenance of security mechanisms; and the top security challenges that the bank may face in the coming year.

“We want to know how the bank verifies that employees have been trained and have learned something from that training,” Allport said. “For instance, are the companies that are contracted to conduct the training doing it online? If so, then a month after training, they need to send employees a bogus email to see if they fall for it.”

The Human Element

Oliver Brew, vice president of professional liability for Liberty International Underwriters in New York City, said the carrier had a payment services client that, through social engineering, suffered fraud on its prepaid debit cards.

The thief, pretending to be a retailer, called the payment company — the retailer’s store card provider — and baited the customer service representative into giving the security credential to reload the card. Very quickly the payment company was out over $200,000.

“It’s the human element that is the most vulnerable. Social engineering is taking on new flavors almost every day,” Brew said.

There’s phishing, the practice of acquiring user data by sending out bogus emails, and then there’s spear phishing, where thieves use credentials, including email addresses, to specifically target people based on behavioral patterns, he said.

“For example, [assume a Bank of America] customer frequently went to Macy’s to buy jeans,” Brew said. “Then a fraudster sends them emails as if they are from BofA regarding their recent Macy’s transaction. A lot of marketing partners at banks that have bank customer information can be the targets of hacking.”

Banks need to have their marketing partners that have access to their customer data demonstrate that their systems are at least as secure as the bank’s systems, he said.

As part of its process, LIU’s underwriters verify whether banks perform background checks to ensure that bank employees are not vulnerable to extortion, blackmail or coercion, Brew said. Red flags would be a bad credit history or a criminal history, particularly in financial crime.

David Hallstrom, vice president and practice leader, Information Risk at CNA in Chicago, said banks have to be vigilant about their controls. Financial institutions need to go beyond intrusion technology and train their staff how to spot social engineering attempts, regardless of where they originate, he said.

“They always need to be mindful that there can also be internal attempts from someone in the inside of the bank,” Hallstrom said.

While cyber protection products typically cover security breaches and the costs to notify bank customers, such policies don’t necessarily cover fraudulent credit card purchases, such as when someone gets access to credit card data and uses the information to buy goods or services, or to steal money, said John Kerns, executive managing director, Financial Services at Beecher Carlson in New York City.

Lloyd’s of London has been able to cover this type of fraud, but it’s very expensive, he said.

“Banks need to work with their brokers to do a gap analysis to understand their risks,” Kerns said. “There was a point in time when all the mortgage refinancing was going on, there was a lot of mortgage fraud and a fair amount of losses at banks.

“Now,” he said, “the digital world has created the ability for fraudsters to multiply deposits, so banks don’t know what’s real and what’s not.”

Katie Kuehner-Hebert is a freelance writer based in California. She has more than two decades of journalism experience and expertise in financial writing. She can be reached at [email protected]

More from Risk &amp; Insurance

4 Companies That Rocked It by Treating Injured Workers as Equals, Not Adversaries

The 2018 Teddy Award winners built their programs around people, not claims, and offer proof that a worker-centric approach is a smarter way to operate.
By: Michelle Kerr | October 30, 2018 • 3 min read

Across the workers’ compensation industry, the concept of a worker advocacy model has been around for a while, but has only seen notable adoption in recent years.

Even among those not adopting a formal advocacy approach, mindsets are shifting. Formerly claims-centric programs are becoming worker-centric and it’s a win all around: better outcomes; greater productivity; safer, healthier employees and a stronger bottom line.

That’s what you’ll see in this month’s issue of Risk & Insurance® when you read the profiles of the four recipients of the 2018 Theodore Roosevelt Workers’ Compensation and Disability Management Award, sponsored by PMA Companies. These four programs put workers front and center in everything they do.

“We were focused on building up a program with an eye on our partner experience. Cost was at the bottom of the list. Doing a better job by our partners was at the top,” said Steve Legg, director of risk management for Starbucks.

Starbucks put claims reporting in the hands of its partners, an exemplary act of trust. The coffee company also put itself in workers’ shoes to identify and remove points of friction.

That led to a call center run by Starbucks’ TPA and a dedicated telephonic case management team so that partners can speak to a live person without the frustration of ‘phone tag’ and unanswered questions.


Starbucks also implemented direct deposit for lost-time pay, eliminating stressful wait times for injured partners, and allowing them to focus on healing.

For Starbucks, as for all of the 2018 Teddy Award winners, the approach is netting measurable results. With higher partner satisfaction, it has seen a 50 percent decrease in litigation.

Teddy winner Main Line Health (MLH) adopted worker advocacy in a way that goes far beyond claims.

Employees who identify and report safety hazards can take credit for their actions by sending out a formal “Employee Safety Message” to nearly 11,000 mailboxes across the organization.

“The recognition is pretty cool,” said Steve Besack, system director, claims management and workers’ compensation for the health system.

MLH also takes a non-adversarial approach to workers with repeat injuries, seeing them as a resource for identifying areas of improvement.

“When you look at ‘repeat offenders’ in an unconventional way, they’re a great asset to the program, not a liability,” said Mike Miller, manager, workers’ compensation and employee safety for MLH.

Teddy winner Monmouth County, N.J. utilizes high-tech motion capture technology to reduce the chance of placing new hires in jobs that are likely to hurt them.

Monmouth County also adopted numerous wellness initiatives that help workers manage their weight and improve their wellbeing overall.

“You should see the looks on their faces when their cholesterol is down, they’ve lost weight and their blood sugar is better. We’ve had people lose 30 and 40 pounds,” said William McGuane, the county’s manager of benefits and workers’ compensation.

Do these sound like minor program elements? The math says otherwise: Claims severity has plunged from $5.5 million in 2009 to $1.3 million in 2017.

At the University of Pennsylvania, putting workers first means getting out from behind the desk and finding out what each one of them is tasked with, day in, day out — and looking for ways to make each of those tasks safer.

Regular observations across the sprawling campus have resulted in a phenomenal number of process and equipment changes that seem simple on their own, but in combination have created a substantially safer, healthier campus and improved employee morale.

UPenn’s workers’ comp costs, in the seven-digit figures in 2009, have been virtually cut in half.

Risk &amp; Insurance® is proud to honor the work of these four organizations. We hope their stories inspire other organizations to be true partners with the employees they depend on.

Michelle Kerr is associate editor of Risk & Insurance. She can be reached at [email protected]