Specialty Podcast: Analyzing Cyber Risks and Solutions with Crime and Fidelity

Intro (00:00):
You're listening to the Alliant Specialty Podcast, dedicated to insurance and risk management solutions and trends shaping the market today.

Adam Pardi (00:08):
Welcome everyone to another edition of the Alliant Specialty Podcast. Today's topic will be crime and fidelity insurance, the emerging threats against companies and what you can do to protect yourselves against this billion dollar industry. My name is Adam Pardi, I'll be your host today. I'm a member of the Alliant Management and Professional Solutions team and former crime underwriter. Joining me as our guest is Mike Beranek. Mike is the Fidelity and Crime Practice Leader at Berkeley Crime, subsidiary of WR Berkeley, and comes to us with a wealth of knowledge in the space with over 20 years of experience. Mike, thank you for joining us today.

Mike Beranek (00:41):
Thank you for having me, Adam. I'm excited to be here.

Adam Pardi (00:44):
Absolutely. So Mike, for starters, I think some people in this space feel like crime insurance can sometimes be overlooked when evaluating management liability coverages, such as directors and officers, employee practices liability, and things like that. Some clients seem to think that employee theft or other crime losses can never happen to them, so coverage isn't always necessary. Could you provide some insight on why crime coverage specifically is so important for businesses and any current trends that you're seeing?

Mike Beranek (01:11):
Absolutely. From my perspective, crime insurance is really about trust and that's inherent to all business. But, unfortunately at times that trust is eroded by people that we put a significant amount of it into. And when they do that, that's really an unexpected event for business. They realize that erosion of trust can create problems, and oftentimes turning to carriers with specialized focused underwriting and specialized focused claims adjusting can give customers and insureds a level of ease about that. Going through this for the first time, certain things like unexpected events such as burglaries, robberies, hacking, impersonation, social engineering fraud that we'll talk in more detail about are all part of these unexpected events that insureds and customers of both of our businesses can be impacted by. That specialized team really focuses on the ability to get to the heart of the issue. What is this loss? Is it a loss to the insured?

What caused that loss? What are the details about that loss? Those are things our investigators, our claims adjusters, are involved in determining when the loss happens. But before the loss ever happens, brokers and agents are talking to underwriters about the exposures that a particular insured has and sometimes those unique exposures may or may not be addressed by a standard contract. So being able to speak intelligently to those exposures and how a contract can be adapted to fit those unique exposures, are something that we at Berkeley crime pride ourselves on and I know Alliant, especially with their focus on fidelity and crime. Just having this podcast today is an example of that focused expertise.

Adam Pardi (03:00):
Absolutely, and just touching on that coverage and the knowledge and the trust. A few key stats that I just want to throw out there, and these come from the Association of Certified Fraud Examiners, which I know we both follow closely. They estimate that organizations lose 5% of total revenue due to fraud and employee theft and the average loss of these schemes has climbed to over 1.7 million, which I think is an eye-popping stat for our listeners and definitely for our clients. One key driver in these numbers that you briefly talked about is the social engineering fraud and it really wouldn't be a real crime insurance discussion if we didn't talk about this and sort of dive into this. Can you briefly describe this coverage and what it’s really designed to protect against?

Mike Beranek (03:42):
Absolutely. Those are some shocking numbers. I sometimes lose perspective and don't remember to realize that 5% of a business's revenues lost due to fraud or dishonesty or other types of criminal activity are shocking numbers. We're facing an exposure that is most challenging to us at the current moment, as you mentioned, is social engineering fraud. It goes by many different names depending on the carrier's coverage form and the way they've written it. We call it corporate deception fraud, ISO calls it fraudulent impersonation fraud. Others call it cyber deception fraud. Really what it boils down to is a confidence scam, the age old confidence scam, that fraudsters have been running since the dawn of humanity. That tricking of individuals is really what it centers around. I think an example to best describe the exposure is an unsuspecting accounting clerk is sitting at their desk on a Friday afternoon, he's waiting to go out with his buddies drinking at 3:30 in the afternoon.

He can't wait. He gets a unexpected email from the CFO of the organization that asked to transfer 3 million to an account somewhere overseas. The unsuspecting accounting clerk vaguely remembers that he heard that the CFO was off doing some merger and acquisition business overseas and goes ahead and transfers those funds. Then comes back in on Monday morning only to realize that those funds went to a fraudster. That's the type of fraud that we're talking about that, unfortunately, is hitting more and more every day. In the United States data from the FBI and the Internet Crime Complaint Center, which track a fraud called business email compromise, of which social engineering is a subset, talks about in the period from 2013 to 2021, $14 billion in the United States has been lost to this fraud on 116,000 incidents, resulting in an average amount of roughly $125,000. It's not always your $3 million fake CFO merger and acquisition transaction call that may come in on a Friday afternoon.

It can be as innocuous as an email that you receive from a vendor that asks you to change the vendor's bank account information from a particular bank to another bank, and that should set alarm bells off in the organization to address issues that we see as significant exposures. It's really the exploitation of human desires to help and those tactics are not only used to steal money, they're also used to steal data and transfer tangible property. So don't think that one type of scam that's covered by social engineering fraud is necessarily just a fraud of embezzlement when it comes to money. It can be other things as well.

Adam Pardi (06:46):
Absolutely, and I think just one thing that you pointed out was, those stats come from the FBI and those are only things that have been reported to the FBI. Those total losses can be astronomically higher. A lot of times a company will report a loss to the insured or something, but they won't go to the FBI or they won't even want to do it publicly just because of the bad press that can be associated with it. So those numbers are definitely higher than the billions and billions that have been reported over the past few years. So obviously the question is, Mike, what are some things that you would recommend a company can do to protect themselves from these type of schemes? Obviously knowing it's very difficult to stop these.

Mike Beranek (07:22):
Yeah, I don't know that we're ever going to stop them completely, but we can take steps to mitigate or prevent a series of them from happening against a particular insured. Just at a high level, awareness, having this call today, I noticed in the email that we used to set up this, you had a little blurb in your disclaimer email about transferring funds and who you should contact - auditors, bankers, everybody involved in these kinds of transactions - is promoting awareness. Training is really important by the part of insureds, from a penetration testing perspective, from online class perspective, IT controls, multifactor authentication on email, email filtering, using forward, not reply - as simple as that, so you don't fall trap to a misspelled email address that came into you that you thought was a trusted vendor, customer or employee. I think the most important though really centers around policies and procedures that the organization can implement, limit the number of people who can change vendor or employee bank account information, have changes approved by a robust second set of eyes, don't have a rubber stamps approval process, and most importantly implement authentication of these requests. If that unsuspecting accounting clerk had just took the time, maybe to contact somebody else in the organization and confirm that the request was legitimate, possibly that fraud could have been averted. So those types of verification steps are really important things that we're looking for as underwriters and are hoping our insurers are implementing and doing, and to the vast majority they have.

Adam Pardi (09:02):
That's awesome. One key takeaway from that is really slow down. If you take your time, you follow procedures that could be in place, it can mean a world of difference. And one thing to note on that is these are professionals that are doing this. These are companies that have trained employees, obviously not legal companies, but they're trained employees. They know what they're doing and they're going to adapt. So, what Mike said earlier, it's going to be hard to really get rid of this completely because it's such an environment in which people can make money quick and easy. And we cited the FBI report earlier, there's been a trend with utilizing custodial accounts held at financial institutions where it's not just vendor emails requests for W2s or gift cards, and a lot of these have dealt with crypto, obviously an emerging trend in the marketplace and worrisome. Mike, what are some things that you're seeing in the digital asset space in crime insurance and how is the market responding to these threats?

Mike Beranek (09:57):
That's a great question, Adam. The correlation between using cryptocurrency in some of these scams isn't lost on us, but there are legitimate uses for digital assets and cryptocurrencies and that's been a real difficult topic for the industry. We've really wrestled with that for a number of years now and I think the reaction that you've seen from the marketplace is very measured. It's interesting that with one capital base, the left big toe can be taking volatile risk while the right pinky finger can be extremely conservative and frankly, fidelity and crime has been a very mature, profitable line of business for many capital providers and insurance companies. And the industry's unwillingness to upset the cash-cow nature of this particular line has contributed some of that measured or conservative reaction. I think you have to think about the historical perspective of crime coverage being a first-party exposure.

We, historically, have not covered intangible assets such as digital currencies, secrets, things of that nature because of the volatile valuations involved in them and many times the subsequent third-party liability suits that result from that. So things like the intellectual property insurance has stepped up to take care of some of those exposures. Cyber liability insurance has stepped up to take care of some of those exposures. It's really about continuing to learn and educate ourselves as to some of these exposures that we're seeing out there on the digital asset and cryptocurrency space. So I would anticipate slow movement by the market.

Adam Pardi (11:39):
Absolutely, and I think the market is sort of with you on that. It's difficult enough for one person to understand, let alone a company to fully underwrite to it and move on from there. So we touched on social engineering fraud. We touched on digital assets. What else, if anything, is ahead in the crime insurance market that you foresee in 2023 and beyond?

Mike Beranek (12:00):
Yeah, it's really an evolutionary market. It's not a revolutionary market. You're not going to see dramatic change. We're very historically mature, I referenced that earlier. We're like the Maytag salesperson of the insurance industry. You buy a crime policy and you put your washer and dryer away and you hopefully don't need another one for another 10 or 15 years. So, there's not dramatic change coming to the fidelity and crime industry itself. We are seeing a slight softening in the market. I think that's a bigger driver of the overall insurance market except for say the property market, which we see some hardening in, in the current environment. The other things that I think concern me, or that I wonder what's ahead, are things like managing bad precedents set by results oriented courts. We've seen some bad judgements in the court system as of late and adapting and adjusting to that is a constant for all insurance and underwriters and carriers out there, but especially for the fidelity and crime industry. If I had a crystal ball, I would envision some morphing or melding potentially of some cyber and crime exposures. We've seen that more so from the cyber market, take up some of the traditional crime exposures and add them on to their policies. But we seem to see more and more packaging of risk amongst one particular carrier. So that's my crystal-ball vision.

Adam Pardi (13:22):
Absolutely, that's super helpful. And Mike, thank you for all this and this very useful and timely information. As mentioned at the beginning of the podcast, Mike is the leader of Berkeley crime, which is a specialized team that focuses on this exact type of insurance. Can you tell us a little more about Berkeley crime and the offerings and expertise that separate you guys from the marketplace?

Mike Beranek (13:42):
Yeah, I think our standalone nature of focused fidelity and crime is unique in the marketplace. Many of our competitors underwrite crime, but they'll do it as part of a package P&C product. But we're really unique in that we've got 19 focused underwriters that all they do all day long is underwrite fidelity and crime. We've got five focused claims professionals managing adjustment of claims. We're the 10th largest writer in the United States when it comes to fidelity and crime by a GWP perspective. What I'd like to leave everybody with besides that tidbit of passion that I mentioned earlier is Berkeley crime is unique in the marketplace as a standalone fidelity and crime carrier. We appreciate our relationship with Alliant and if you have questions specifically about fidelity and crime, don't hesitate to ask people like Adam who can get in contact with myself to try to address your unique, specific crime needs.

Adam Pardi (14:41):
Absolutely, and with that, I think that's all we have for today's podcast. Thank you again, Mike, for your time. Thank you everyone for tuning in to another edition of the Alliant podcast series. We hope you found this information useful and informative as you evaluate your insurance needs in 2023 and beyond.