Prepare to be hacked
“There are only two types of companies: those that have been hacked and those that will be.” – Former FBI Director Robert Mueller, 2012
This renowned quote continues to ring true and, as envisaged by Mueller, “they are converging into one category: companies that have been hacked and will be hacked again.” With that in mind, PwC’s 2018 Global Economic Crime and Fraud Survey – where 49% of respondents indicated that their companies had been the victim of fraud or economic crime within the past two years – presents a useful reminder to the insurance and reinsurance community of potential crime losses and the importance of careful underwriting in this area.
As we know from experience, and as confirmed by the PwC Survey, the direct monetary loss resulting from fraud can be significant - 39% of respondents reported losses over US$100,000. However, the ultimate cost to a business can vastly outweigh the direct monetary loss, with 46% of respondents stating that the cost of investigations and other interventions exceeded the amount directly lost to the fraud itself.
In view of these figures, more and more insureds will be turning to insurers for protection and indemnity as part of their risk management and impact limitation strategies. Early response and intervention by insurers, for example, by appointing their preferred loss adjustors, may reduce such investigation costs.
Non-monetary damage resulting from fraud can be just as substantial. CEOs and executive management are perceived as accountable by stakeholders, resulting in damage to:
- Business relations
- Relations with regulators
- Brand reputation.
Comprehensive and tailored insurance coverage can assist in minimising this non-monetary damage by providing support to the business by way of early confirmation of indemnity and/or other assistance such as PR costs indemnification. Such benefits are likely to be key to insureds when choosing their coverage and insurance provider, even if this coverage may warrant a higher premium in the first instance.
In spite of the above, and despite an apparent increase in awareness of the risks of fraud, “Only 54% of global organisations [that responded] said they have conducted a general fraud or economic crime risk assessment in the past two years. … One in ten respondents had not performed any risk assessments at all in the past two years” (PwC Survey).
An insured’s recognition of the fraud risks facing their business is of vital concern to underwriters, as such recognition will be key to the management of - and safeguarding against - those risks which, in theory, should translate to fewer claims.
We recommend that insurers and brokers consider the following points when approaching this increasingly demanding line of business:
- Ask prospective insureds whether they have carried out any type of fraud or economic crime risk assessment in the past two years. If they have:
  - What type of assessment was it? Was it general or did it focus on anti-money laundering or cyber-attack vulnerability?
  - What were the results? Can the risk assessment document be provided?
- Would the insured benefit from a ‘first response’ service and/or would a ‘first response’ service reduce costs, including investigation expenses, in the event of a claim?
- Provide ‘added-value’ services to insureds, such as conducting risk assessments or training, offering alerts and updates on economic crime and fraud trends and tips on protection from fraud.
- Educate clients via the collating and sharing of information regarding claim trends so that they are alive to possible breaches or attacks.
- Consider whether the insured may require additional cover for investigation costs.
In the event of a claim:
- Be mindful of the potential business impact of the loss beyond the funds lost in the fraud itself.
- Notification to insurers should be made promptly.
- Consider whether the insured wishes, or is obliged, to notify any relevant authorities such as the police, National Crime Agency or Information Commissioner.
While it is almost universally accepted that companies cannot prevent a cyber fraud attack taking place, it is possible to limit the damage that is suffered. Asking the correct questions prior to inception and having clear strategies in place if an attack occurs can reduce the monetary and reputational damage to a company as well as simplify the claims process itself.