Pandemic ushers in remote work cyber threats

Embezzlement, fraud and theft crimes are a persistent threat to businesses, and the shift to remote working during the COVID-19 pandemic has heightened these risks, experts say.

Cyber-related crime is on the rise as fraudsters use social engineering techniques to exploit systems and procedures made more vulnerable by remote working, they say.

“The opportunity has never been higher for employees to turn to fraud and/or for outside fraudsters to attempt to defraud the company through various attacks, whether it be social engineering fraud attacks or hacking of their computer systems,” said Christopher Arehart, Chicago-based senior vice president, crime insurance product manager, financial lines at Chubb North America. 

The shift to working from home has fundamentally changed the way businesses operate and “some of those changes which are temporary now will become permanent over time,” adding to the risk that policyholders face, Mr. Arehart said.

Business email compromise is an emerging area of risk for crime insurers, said Reid Eanes, Los Angeles-based senior vice president and financial services practice leader at Lockton Cos. LLC.

“There’s been an increase in exposure and claims,” Mr. Eanes said.

Business email compromises are a form of social engineering fraud in which attackers impersonate a CEO or executive authorized to conduct wire transfers and induce employees to transfer money to a fake client account.

While figures for 2020 are not yet available, some 23,775 business email compromise complaints resulted in $1.7 billion in losses in 2019, according to the FBI’s Internet Crime Complaint Center (see chart). 

“Over the last few years, it’s been a popular scheme among criminals. It’s an area that crime insurers are keenly focused on in terms of underwriting, as well as limit management and deductible,” Mr. Eanes said.

Businesses are looking to add coverage for related exposures through their commercial crime insurance policies, experts say. 

Brokers are asking for higher limits for social engineering coverage, said Bill Jennings, focus group lead-crime, at Beazley PLC in New York.

“With additional underwriting, additional questions, and if we can get comfortable with the controls our insured has, we can provide additional limits like $1 million or maybe $5 million,” Mr. Jennings said. 

The price of social engineering coverage varies by risk and limit, but typically it can be added to a crime policy for an additional premium of 25% to 50%, he said. 

Agents and policyholders often struggle to find adequate capacity for social engineering coverage because it usually carries a sublimit, said Mike Henning, Chicago-based executive lines broker at Risk Placement Services Inc., the wholesale broking and managing general agency unit of Arthur J. Gallagher & Co. 

“Typically, if you have a $1 million crime policy, social engineering most times is limited to $100,000 or $250,000, or maybe $500,000, because the loss with social engineering can be very large,” he said. 

The typical crime loss is like “death by a thousand cuts,” he said. Two to three fraudulent transactions within a month can easily add up to six-figure losses, Mr. Henning said. 

Social engineering fraud coverage is typically offered at a lower limit than the overall policy, but it depends on the individual characteristics of a risk, Mr. Arehart said.

Social engineering fraud often comes down to the failure of a process and whether an employee has attempted to make a phone call or verified with their boss that a wire transfer is legitimate, he said (see related story).

There are many variations of social engineering fraud, from phishing to ransomware, said Steve Dimakos, Chicago-based managing director of BDO USA LLP. “The difficulty of these crimes is that companies can’t grasp the extent of the damage they can cause.”

When you hear of the claims amounts involved with social engineering attacks “and you think of a crime policy you begin to understand the difficulty in placement of and the cost of this type of coverage,” he said.

A growing number of commercial crime submissions come from companies that started up in the past five years and want crime and social engineering fraud coverage, said Melissa Schwartz, product manager-commercial crime at AmTrust Exec, a division of New York-based AmTrust Financial Services Inc. 

“I’ve been seeing a lot of payment service provider submissions coming in,” Ms. Schwartz said. 

“It seems like everyone wants to set up their own payment service provider app,” she said. Some well-known digital payment providers include Zelle, Stripe and PayPal. 

With so many fraud vulnerabilities during the pandemic, those types of accounts can raise underwriting concerns from a cyber, social engineering and computer theft standpoint, she said. “I usually don’t write those, but I have been seeing an uptick in those types of accounts,” Ms. Schwartz said.
