Banks have spent years developing protections to minimize hacking and other fraudulent activities — but how do they protect against losses from thieves pretending to be legitimate customers who use social engineering, or exploit new technologies such as mobile remote deposit capture?
Take this example: In June, Boma Robert Spero-Jack, 34, was charged with stealing thousands of dollars from Bank of America and Kroger grocery stores by using mobile banking.
Spero-Jack is accused of purchasing at least 32 Western Union money orders at multiple Kroger stores, in amounts ranging from $195 to $500. He deposited the money orders into his Bank of America checking or savings accounts via a mobile application.
Then, he returned to the Kroger store and cashed the money orders, and also withdrew the amount of the money orders from his bank account at a local branch of Bank of America, police said. In total, Spero-Jack stole $12,620, according to police.
Social engineering schemes, on the other hand, are less technical and often involve tricking individuals into breaking normal security procedures.
John Morrissey, senior vice president and an attorney with Aon’s financial services group in New York City, said that in the last two years, a number of U.S. corporations with subsidiaries in Europe have been defrauded through the use of social engineering.
Organized crime rings go on corporate websites and social sites to glean information about the inner workings of corporations, and use voice manipulation software to imitate executives’ voices.
“For example, they get enough information to make a call to a treasury person at a subsidiary in central Europe and pretend that they are the CFO of the U.S.-based parent,” Morrissey said. “They tell the treasury person that they are in secret negotiations to buy a company in China and need for the subsidiary to wire X amount to a bank in Hong Kong that is doing business with their company’s lawyers there.
“These organized fraud rings have gotten away with as much as $20 million at a time,” he said.
Commercial crime insurers are looking closely at these losses because they weren’t on the radar when the policy language was first drafted, he said.
Cyber insurance is still a relatively new type of coverage, and policies vary dramatically, said Kevin Kalinich, Aon Risk Solutions’ global cyber practice leader. In a typical professional liability policy, the coverage trigger is alleged error, omission or negligent act of the financial institution. However, under a cyber policy, a trigger is whether the financial institution is legally responsible for a privacy breach or security breach event — regardless of negligence.
Questions of Liability
Theft by way of social engineering is increasing in frequency.
“The bad guys may call customers saying, ‘This is John at your bank. We’re upgrading your account to a higher loyalty program,’ or they email customers, using the logo and URL of the bank, telling … them they ‘can get a lower interest rate if they plug in their account number, PIN number and password,’ ” Kalinich said.
“Once the fraudster gets it, they immediately transfer as much money as possible to their own account in another country,” he said.
In such a scenario, bank customers can sue, claiming the bank should not have allowed the unauthorized transfers, he said. A customized cyber insurance policy can respond to such data breach claims to pay the defense costs and indemnity, whereas an off-the-shelf professional liability policy might not.
Dena Magyar, vice president at Wells Fargo Insurance’s professional risk group in Charlotte, N.C., said there are numerous social engineering scenarios. A thief could:
• Pretend to be in the bank’s information technology department when emailing employees to ask for their user names and passwords so they can upgrade the speed of the bank’s computer system;
• Impersonate a vendor sent to fix a copier at the bank branch, and then remove the copier and copy its hard drive full of records listing customer information;
• Drop a thumb drive in a bank parking lot, with a label such as “executive compensation,” so that the finder will plug the drive into a bank computer, thus installing malware that provides either transaction information or access to the bank’s system.
Social engineering schemes and other types of fraud are emerging so fast that banks have to make sure their policies keep up, she said.
“Right now, we are at a very interesting point in insurance,” Magyar said. “There are different types of policies that need to be reviewed to make sure banks are adequately covered and that there are not gaps between their bankers’ professional liability, crime and network security privacy policies.
“As bad actors become more devious, banks need to make sure their policies are working together, so they are covered regardless of what happens,” she said.
When considering a bank’s protection against computer crimes, George Allport, vice president and financial fidelity product manager for the Chubb Group of Insurance Cos., said his company has historically questioned whether the bank had firewalls and intrusion detection software, and if it immediately patched known vulnerabilities.
“While we still ask for that type of information, there is also a growing emphasis on addressing and underwriting this risk as a management issue,” Allport said. “We are taking a broader focus when looking at the risk.”
Chubb’s underwriters will soon be asking banks to detail the percentage of their IT budget that has been devoted to security in the current year, and whether those percentages will change in the coming year, he said.
Chubb’s underwriters will also be asking about the knowledge and oversight of security matters at the board level; the number of employees devoted to the implementation and maintenance of security mechanisms; and the top security challenges that the bank may face in the coming year.
“We want to know how the bank verifies that employees have been trained and have learned something from that training,” Allport said. “For instance, are the companies that are contracted to conduct the training doing it online? If so, then a month after training, they need to send employees a bogus email to see if they fall for it.”
The Human Element
Oliver Brew, vice president of professional liability for Liberty International Underwriters in New York City, said the carrier had a payment services client that, through social engineering, suffered fraud on its prepaid debit cards.
The thief, pretending to be a retailer, called the payment company — the retailer’s store card provider — and baited the customer service representative into giving the security credential to reload the card. Very quickly the payment company was out over $200,000.
“It’s the human element that is the most vulnerable. Social engineering is taking on new flavors almost every day,” Brew said.
There’s phishing, the practice of acquiring user data by sending out bogus emails, and then there’s spear phishing, where thieves use credentials, including email addresses, to specifically target people based on behavioral patterns, he said.
“For example, [assume a Bank of America] customer frequently went to Macy’s to buy jeans,” Brew said. “Then a fraudster sends them emails as if they are from BofA regarding their recent Macy’s transaction. A lot of marketing partners at banks that have bank customer information can be the targets of hacking.”
Banks need to have their marketing partners that have access to their customer data demonstrate that their systems are at least as secure as the bank’s systems, he said.
As part of its process, LIU’s underwriters verify whether banks perform background checks to ensure that bank employees are not vulnerable to extortion, blackmail or coercion, Brew said. Red flags would be a bad credit history or a criminal history, particularly in financial crime.
David Hallstrom, vice president and practice leader, Information Risk at CNA in Chicago, said banks have to be vigilant about their controls. Financial institutions need to go beyond intrusion technology and train their staff how to spot social engineering attempts, regardless of where they originate, he said.
“They always need to be mindful that there can also be internal attempts from someone in the inside of the bank,” Hallstrom said.
While cyber protection products typically cover security breaches and the costs to notify bank customers, such policies don’t necessarily cover fraudulent credit card purchases, such as when someone gets access to credit card data and uses the information to buy goods or services, or to steal money, said John Kerns, executive managing director, Financial Services at Beecher Carlson in New York City.
Lloyd’s of London has been able to cover this type of fraud, but it’s very expensive, he said.
“Banks need to work with their brokers to do a gap analysis to understand their risks,” Kerns said. “There was a point in time when all the mortgage refinancing was going on, there was a lot of mortgage fraud and a fair amount of losses at banks.
“Now,” he said, “the digital world has created the ability for fraudsters to multiply deposits, so banks don’t know what’s real and what’s not.”
A Not-So-Microscopic Risk
Why don’t lifeguards wear white stuff on their noses anymore?
We’re more aware of the dangers of sun exposure than ever before. You’d think folks exposed to the sun would want the best protection possible. And you’d be right. The thing is, a thick layer of white zinc oxide is no longer the best thing going … because of nanotechnology.
Nanotechnology is the understanding and control of matter at dimensions between approximately 1 nanometer and 100 nanometers, according to the U.S. National Nanotechnology Initiative. One nanometer is one-billionth of a meter. For comparison purposes, if a marble were a nanometer in diameter, then one meter would be the diameter of the Earth.
At the nanoscale level — down to 1/100,000th the width of a human hair — materials exhibit different properties than what is detectable in the everyday “macroscopic” world.
For example, nanomaterials can have greater strength, lighter weight and greater chemical reactivity than their larger-scale counterparts. Scientists have learned how to rearrange atoms of carbon, silver, titanium, silicon, gold and zinc to leverage these nanoscale superpowers — not just in the laboratory, but efficiently enough, and at low enough cost, to enable commercial manufacturing.
That’s why new fabrics are more stain-resistant, why tennis rackets and bicycle frames are lighter and stronger than ever before, why food containers can help keep food fresher even longer. It’s why lifeguards no longer wear those unfashionable white sunblock smears.
Nanoscale technology is already more than a decade old, and — to put it mildly — its potential is tremendous. But nanotech products are lightly regulated, and their long-term effects are not well understood.
Products using nanotech may one day zap tumors or enable more effective treatments for cardiovascular illness or Parkinson’s disease. They could improve the performance, resiliency and longevity of our transportation infrastructure while reducing cost. They could transform our energy future by making batteries last longer, and enable solar panels to produce many times more energy. Nanotechnology could make it easier for us to bring clean drinking water to millions in need around the world.
No wonder nanotech is growing fast — so quickly, in fact, that reliable data is hard to find and may be out of date by the time it is published.
There are more than 5,400 nanotech firms globally. The consumer products inventory at www.nanotechproject.org lists more than 1,300 products using nanotechnology, produced in 30 different countries, that are commercially available.
Every state in the United States has at least one nanotech manufacturer, with California leading the pack. Nanotechnology is already in our food, medicines, clothes, cosmetics, sunscreens, pesticides, electronics, homes, sports equipment, cars, airplanes, water, air and land. Nanotechnology is everywhere.
But, little has been spent studying short- or long-term effects, and early tests indicate potential risks such as cellular or genetic damage. Some nanoproducts pass through the skin and are distributed throughout the body, with unknown effects. Nanomaterials may be able to breach landfill barriers as well.
The U.S. Food and Drug Administration has released draft food and cosmetic guidance, but there are few labeling requirements, and many manufacturers have failed to test the safety of their products.
In April 2013, the National Institute for Occupational Safety and Health (NIOSH) recommended that occupational exposures to carbon nanotubes and carbon nanofibers be controlled to reduce a potential risk of certain work-related lung effects. According to NIOSH, recent results from experimental animal studies with rodents indicate that exposure to carbon nanotubes and carbon nanofibers may pose a respiratory hazard if inhaled.
Several studies have linked carbon nanotubes to mesothelioma. That has echoes of an emerging risk from decades gone by: asbestos.
An Underwriting Challenge
Insurers are already at risk. Standard policies don’t specifically exclude nanotech, and it’s not clear whether courts in all jurisdictions would apply a policy’s pollution exclusion. Few insurance applications ask about nanomaterials. Nanotechnology could well be the underwriting challenge of the next hundred years.
Even though data is in short supply, actuaries have been tackling the challenge presented by nanotechnology.
Drawing on the lessons learned from the notorious exposures of asbestos and pollution, property/casualty actuaries are helping insurers prepare to handle new emerging risks like nanotechnology by assisting with the development of new policy language and encouraging underwriting discipline.
Actuaries can also help integrate pricing, planning and reserve setting to manage the underwriting cycle.
Actuarial work is, fundamentally, the analysis of relevant information to develop estimates of future financial implications. Just because nanotech-related insurance data has yet to emerge, that doesn’t mean there is a complete lack of relevant information.
As with the emerging risk of climate change, analysis begins with scientific findings — and by applying the expertise of the subject matter experts in the insurance world. Actuaries involved with coverage of nanotech processes and products use work such as that presented in Nanotechnology Safety, edited by Ramazan Asmathulu, a Wichita State University associate professor who focuses on nanomaterials.
Then, most importantly, actuaries apply a sound analytical structure to address the problem. Framing the issues in a logical manner involves the use of techniques such as lifecycle analysis and expert elicitation to supplement available data and develop preliminary estimates.
Also important is the regulatory environment. As asbestos litigation evolved, it was perhaps unexpected developments such as the 1965 Restatement of Torts that proved the most troublesome.
An analysis of current regulations, in the United States and abroad, can provide context for initial product design and rate estimates. But it will be important, in this quickly changing landscape, to remain alert for changes in the legislatures and the courts.
Insurers are wise to be alert to new sources of risk — but not all apparently emerging issues do, in fact, emerge. Our reaction time as an industry, however, has improved. New opportunities are quickly tackled while at the same time managing, and pricing for, the inherent risks.
The insurance industry can be an important enabler of new industries and technologies such as the ones nanoprocesses have already brought to market, and the many more applications yet to be discovered. Like the lifeguard watching over the pool, insurers seek to make money without getting burned. That’s why it’s important to think ahead, assess the risks and put the right protections in place.