Covering Fraudulent Impersonation
Impersonating a supervisor in order to fraudulently convince a subordinate to transfer funds is one of a bevy of emerging cyber risks. Getting cover for a loss stemming from the practice is still a dicey business.
Many cyber policies might not cover such a loss, and underwriters disagree on whether more traditional crime/fidelity coverages do either. But attempts are underway to bridge the gap.
Beazley’s new fraudulent instruction endorsement, for example, gives existing commercial crime policyholders up to $250,000 cover against the transfer of funds as a result of instructions from a person purporting to be a vendor, client or authorized employee.
“Fraudulent instruction scams are so sophisticated that basically any business that transfers funds is vulnerable,” said Bill Jennings, who heads the Financial Fidelity/Commercial Crime Unit for Beazley in New York.
“Existing cyber and crime policies — which cover theft of data and theft of funds respectively — may not cover losses from these masqueraders, who may use authority or endearment to perpetrate a fraud,” he explained.
This increasingly prevalent type of scam relies on an employee failing to notice a very small error in an email address, as well as their natural eagerness to please and be responsive to a superior or a client.
Victims are often tricked into believing that the instruction is either urgent or confidential, and the instruction usually contains personal information gathered from social media or hacking in order to make it seem believable. Once the transferred funds leave the United States, they are rarely recoverable.
While the perpetrators often use cyber hacking to identify and trick their targets, cyber policies are typically focused on the theft of data rather than money.
That’s why, according to Bob Parisi, cyber product leader at Marsh, it is crime/fidelity underwriters who are “bridging the gap more aggressively” when it comes to covering fraudulent impersonations.
“The cyber markets tend to take a ‘hands-off’ position on crime-related losses as they view cyber coverage as more akin to ‘virtual’ property casualty coverage,” he said.
“However, there is some potential overlap between cyber and crime/fidelity, especially in the financial institution space where insureds can enhance their crime/fidelity coverage with damage by hacker or virus endorsements that provide an element of cyber coverage.”
Kevin Guillet, Marsh’s FINPRO Fraud Advisory Practice Leader, praised Beazley for including impersonation of clients, vendors and employees under its coverage.
“Not every form covers all those constituents,” he noted, adding that while he believes certain standard industry forms do already cover against ‘employee’-to-employee instruction, this is often disputed by underwriters.
In an attempt to help protect its clients, Marsh has developed proprietary language introducing ‘computer and telephonic misuse coverage’ — which includes coverage for fraudulent impersonation — into its crime policy standard wordings in London and Europe, and continues to push for acceptance of this wording by U.S. underwriters.
“While subject to underwriting and additional premium charge, another attractive feature of Beazley’s endorsement is that it can provide coverage up to $250,000 without requiring ‘out-of-band authentication’ [challenging the instruction through a means other than that by which the instruction was received, such as email verification of a phone instruction],” Guillet added.
“When underwriters build in a warranty whereby there is no coverage unless all procedures are correctly followed, we question the value of that coverage because these scams typically succeed by convincing people to ignore established protocols.”
According to an Internet Crime Complaint Center (IC3) June 2014 “Scam Report,” the average amount lost in frauds of this nature is $55,000. However, IC3 claimed there has been one report of $800,000 lost, and experts said they have seen losses run into the tens of millions. The total cost to corporate America is unknown.
“Quite frankly, many companies need more than $250,000 of this coverage,” said Guillet. However, he conceded, “there is real exposure here, so you can understand why Beazley and other underwriters are approaching cautiously,” noting that while there are some underwriters who offer higher limits, some don’t want to cover fraudulent impersonation risk at all.
Beazley’s Jennings recommended that, in addition to buying insurance, companies implement staff training as well as “strong internal controls requiring call-back verification and periodic white-hat testing to confirm that controls are being followed.”
Good Times, Bad Times
The recent recession, spurred by the collapse of the real estate market, left the insurance industry exposed to the economic vicissitudes engendered by that event. The property/casualty arena was particularly impacted.
The P&C sector, mirroring the economy’s slow recovery incline, has been experiencing a minor renaissance. However, two notable CEOs, Evan Greenberg of ACE and Jay Fishman of Travelers, have recently expressed concern over evidence the industry is entering a phase of assuming a surfeit of risk as competition pressures companies to lower prices.
It’s dichotomous to operate in the insurance sector and be averse to risk. Insurance companies accept and insure risk. The immutable underpinning of all insurance is to spread the risk and obtain proper premium. Both Greenberg and Fishman have voiced concerns over the premium piece of that equation.
Competition has a way of leveling pricing to the buyer. In the P&C arena, many buyers view insurance as a commodity. As long as the policy limits are the same, the consumer is predisposed to choose the lowest premium price. This tempts some insurance companies to “buy” market share by lowering prices.
Assuming risk at prices below projected loss costs is ultimately a death spiral. Many notable insurers have engaged in cash flow underwriting, and paid the ultimate price for it. If the past has taught us anything, it is that it’s vitally important to maintain pricing discipline despite prevailing market conditions.
Logical decisions stem from pricing discipline. Sometimes these will be distasteful, such as shrinking a company to keep it fiscally healthy. However, doing otherwise is risking not having a company extant when the economic environment rebounds.
The Council of Insurance Brokers & Agents reported that commercial P&C market pricing continued to soften in Q1 of 2015, with large accounts seeing the biggest price declines.
In its annual domestic insurance market analysis, Marsh opined the commercial insurance realm is expected to continue softening into 2015. Buyers can anticipate competition for their P&C programs this year with price decreases averaging between 5 and 15 percent. Barring the occurrence of a major catastrophic event, increased competition is having the impact of reducing policy costs.
Greenberg and Fishman have each indicated they’re prepared to reject business that doesn’t meet profitability objectives. Fishman stated on a call with investors that he would “draw lines in the sand” to prevent underwriting criteria from assuming dangerous pricing.
A complicating dimension is interest rates remaining at historic lows. The return on investment on insurance company funds, typically a significant source of income, is far below what it once was. This places additional pressure on revenue objectives.
The discipline of market failure is supposed to act as the keel of conscience in the various “C” suites throughout America. Returning impressive profits for 12 or 16 quarters, only to have the company melt down when the wave of losses overtakes it like a trailing financial tsunami, helps no stakeholder.
What Greenberg and Fishman are preaching should be the mantra of every insurance executive across the country. Underwriting discipline is always crucial, and should be the bedrock strategy of an insurance company.
Detention Risks Grow for Traveling Employees
It used to be that most kidnapping events were driven by economic motives. The bad guys kidnapped corporate employees and then demanded a ransom.
These situations are always very dangerous and serious. But the bad guys’ profit motive helps ensure the safety of their hostages in order to collect a ransom.
Recently, an even more dangerous trend has emerged. Governments, insurgents and terrorist organizations are abducting employees not to make money, but to gain notoriety or for political reasons.
Without a ransom demand, an involuntarily confined person is referred to as ‘detained.’ Each detention event requires a specialized approach to try and negotiate the safe return of the hostage, depending on the ideology or motivation of the abductors.
And the risk is not just faced by global corporations but by companies of all sizes.
“Practically any company with employees traveling abroad or operations overseas can be a target for a detention risk,” said Tom Dunlap, assistant vice president at Liberty International Underwriters (LIU). “Whether you are setting up a foreign operation, sourcing raw materials or equipment overseas, or trying to establish an overseas sales contract, people are traveling everywhere today for so many reasons.”
Emerging Threats Driven By New Groups Using New Tools
Many of the groups who pose the most dangerous detention threats are well versed in how to use the Internet and social media for PR, recruiting and communication. ISIS, for example, generates worldwide publicity with their gruesome videos that are distributed through multiple electronic channels.
Bad guys leverage their digital skills to identify companies and their employees who conduct business overseas. Corporate websites and personal social media often provide enough information to target employees who are working abroad.
And if executives are too well protected to abduct, these tools can also be used to identify and target family members who may be less well protected.
The new groups that pose the most dangerous risks are generally classified into three categories:
Insurgents – Detentions by these groups are most often intended to keep a government or humanitarian group from delivering services or aid to certain populations, usually in a specific territory, for political reasons. They also take hostages to make a political statement and, on occasion, will ask for a ransom.
In other cases, insurgent groups detain aid workers in order to provide the aid themselves (to win over locals to their cause). They also attempt prisoner swaps by offering to trade their hostages for prisoners held by the government.
The most dangerous groups include FARC (Colombia), ISIS (Syria and Iraq), Boko Haram (Nigeria), Taliban (Pakistan and Afghanistan) and Al Shabab (Somalia).
Governments – Often use detention as a way to hide illegal or suspect activities. In Iran, an American woman was working with Iranian professors to organize a cultural exchange program for Iranian students. Without notice, she was arrested and accused of subversion to overthrow the government. In a separate incident, a journalist was thrown in jail for not presenting proper credentials when he entered the country.
“Government allegations against detainees vary but in most cases are unfounded or untrue,” said Dunlap. “Often these detentions are attempts to prevent the monitoring of elections or conducting inspections.”
Even local city and town governments present an increased detention risk. In one recent case, a local manager of a foreign company was arrested in order to try and force a favorable settlement in a commercial dispute.
Ideology-driven terrorists – Extremist groups such as Boko Haram and ISIS are grabbing most of today’s headlines with their public displays of ultra-violence and unwillingness to compromise. The threat from these groups is particularly dangerous because their motives are based on pure ideology and, at the same time, they seek media exposure as a recruiting tool.
These groups don’t care who they abduct — journalist, aid worker, student or private employee – they just need hostages.
“The main idea here is to shock people and show how governments and businesses are powerless to protect their citizens and employees,” observed Dunlap.
Mitigating the Risks
Even if no ransom demands are made, an LIU kidnap and ransom policy will deliver benefits to employers and their employees encountering a detention scenario.
For instance, the policy provides a hostage’s family with salary continuation for the duration of their captivity. For a family who’s already dealing with the terror of abduction, ensuring financial stability is an important benefit.
In addition, coverage provides for security for the family if they, too, may be at risk. It also pays for travel and accommodations if the family, employees or consultants need to travel to the detention location. Then there are potential medical and psychological care costs for the employee when they are released as well as litigation defense costs for the company.
LIU coverage also includes expert consultant and response services from red24, a leading global crisis management assistance firm. Even without a ransom negotiation to manage, the services of expert consultants are vital.
“We have witnessed a marked increase in wrongful detentions involving the business traveler. In some regions of the world wrongful detentions are referred to as ‘business kidnappings.’ The victim is often held against their will because of a business dispute. Assisting a client who falls victim to such a scheme requires an experienced crisis management consultant,” said Jack Cloonan, head of special risks for red24.
Without coverage, the fees for experienced consultants can run as high as $3,000 per day.
Given the growing threat, it is more important than ever to be well versed about the country your company is working in. Threats vary by region and country. For example, in some locales safety dictates always calling for a cab instead of hailing one off the street. And in other countries it is never safe to use public transportation.
LIU’s coverage includes thorough pre-travel services, which are free of charge. As part of that effort, LIU makes its crisis consultants available to collaborate with insureds on potential exposures ahead of time.
Every insured employee traveling or working overseas can access vital information from the red24 website. The site contains information on individual countries or regions and what a traveler needs to know in terms of security/safety threats, documents to help avoid detention, and even medical information about risks such as pandemics, etc.
“Anyone who is a risk manager, security director, CFO or an HR leader has to think about the detention issue when they are about to send people abroad or establish operations overseas,” Dunlap said. “The world is changing. We see many more occasions where governments are getting involved in detentions and insurgent/terrorist groups are growing in size and scope. It’s the right time for a discussion about detention risks.”
For more information about the benefits LIU kidnap and ransom policies offer, please visit the website or contact your broker.
Liberty International Underwriters is the marketing name for the broker-distributed specialty lines business operations of Liberty Mutual Insurance. Certain coverage may be provided by a surplus lines insurer. Surplus lines insurers do not generally participate in state guaranty funds and insureds are therefore not protected by such funds. This literature is a summary only and does not include all terms, conditions, or exclusions of the coverage described. Please refer to the actual policy issued for complete details of coverage and exclusions.
This article was produced by the R&I Brand Studio, a unit of the advertising department of Risk & Insurance, in collaboration with Liberty International Underwriters. The editorial staff of Risk & Insurance had no role in its preparation.