Commercial Crime

Katie Sohatski: So fraud happens at all companies, big and small. Whilst it's true, the larger multinational companies will have larger value losses, even a relatively small amount of theft will have potentially devastating consequences on an SME who are, especially in the current economic climate, reliant on and counting every penny. We've seen examples from churches, restaurants, scout groups who have suffered a negative financial impact as a result of fraud. Even a low value fraud can have wide-reaching ramifications such as impacting payroll, supplier payments or hard earned cash balances. It's also true that smaller firms often don't have the resource or expertise to deal with a fraud once it's discovered. This adds confusion and complexity to an already stressful situation which can drag out a resolution.

Simon Bailey: Whilst it's true that technology will be used to enhance and improve sophisticated risk management controls, some of the same technologies can be used to target companies' infrastructure. We've seen examples of this recently through the manipulation of VPN software, a technique that's used to protect companies against network intrusion. The criminals are now emulating VPN login software and getting employees to enter their passwords and to circumvent their security. Once the criminals are in the network, they can lie dormant, they can view communication channels, emails, and they can collect and harvest this data to cause a loss directly to the company itself or to their downstream suppliers or their customers. So therefore, technology is only as strong as the persons implementing it. Unlike with social engineering techniques, they target the weakest part of the infrastructure which tends to be the employees. The criminals are always trying to stay one step ahead by developing their technologies, and therefore it's incumbent on the company to engage their employees with training and awareness programmes. We've also seen examples recently of this sophistication in play, where criminals have used AI to develop video software or voice recognition software, which has been targeted directly to companies and significant sums of money have been lost through these two reasonably modern techniques. And we anticipate this becoming a lot more prevalent going forward as the sophistication and criminals develop their techniques.

Katie Sohatski: So many people think that a commercial crime policy will only respond where the police have been involved and or the person involved has been caught. Current commercial crime policies do not require the involvement of law enforcement for coverage to be effective. You don't have to specifically name the persons involved, but just prove to a reasonable degree that it was an employee that's committed the act against you. Obviously, from an external party perspective, these can often be faceless individuals sitting in a basement on the other side of the world, making detection almost impossible.

Simon Bailey: A loss directly impacts the company's bottom line, and this may make it harder for them to make payments to suppliers. It might delay their payroll. In some of the more severe cases, they may actually be forced to make some redundancies. It can also impact a company with regards to expansion or regards to M&A or product development, so lots of additional impacts that a customer might face. There are also some abstract reasons following a loss such as the reputation. If a company has suffered a financial loss, particularly a large one, they may be viewed by their peers as a bit of a soft touch. That may make it harder for them to trade with companies. They may not be seen to want to do business with a company that suffered a financial loss as well, so reputationally there's an impact, and there may also be a more abstract reason around employee morale. Employees may be implicated, it might be their close friends or somebody they've worked with for many years that may have been implicated in the fraud, and this can be damaging from a personal side of things. There's a human involvement and impact as well. So that's why commercial crime policy is so important, not just to cover the direct financial loss against the hard earned profits, it's these additional factors as well that come into play that a company may not be necessarily aware of when it comes to what is covered under a crime policy.

Katie Sohatski: So it's not the auditor's role to detect fraud, but merely investigate and present the accuracy of numbers they have analysed. An auditor's role is looking in the rearview mirror. If they detect something, it's likely to be post event and too late, so it's not a good upfront mitigator. We've seen examples where documents have been manipulated internally, going undiscovered for several audit cycles, highlighting just how difficult fraud can be to detect. If there has been a sophisticated fraud involving the manipulation of receipts or invoices involving a mid or senior manager, it can be incredibly hard to pinpoint a specific fraud act. In these scenarios, frauds can go undetected for longer periods, increasing the amount stolen. Like other risk management protocols, compliance and audit should be used as part of fraud prevention tools, but not solely relied upon.

Simon Bailey: Whilst frauds can be complex, we're seeing an increase in more old fashioned low tech fraud events, things like theft of physical stock and inventory, expense manipulation and invoice manipulation, and in general, much more opportunistic frauds. So whilst companies are quite rightly focused on the increased sophistication of fraud techniques, they need to be just as mindful on the low tech opportunistic frauds that can be just as damaging.

Simon Bailey: So whilst strong controls might be in place, employees or criminals from outside the company may find a way to circumvent them through using sophisticated techniques or internal measures such as employee fraud involving collusion or just abusing their position.

So often it can be an innocent mistake by an employee, by clicking on a link or opening an email attachment that wasn't expected, that can actually cause these controls to break down.

There's a couple of ways we can dispel this myth. Firstly, in our experience, employees have been responsible for some of the largest incidents by both frequency and severity. The main reason for this is the recent socioeconomic pressures we've all been experiencing recently, such as the cost of living crisis and inflation. This has made employees much more desperate and also made them more susceptible to manipulation.

The role of an employee has also shifted in fraud now, following the rise of social engineering techniques. They become the unwitting participant in a fraud if they're clicking on a malicious link or malicious email.

But the crime policy doesn't just respond to the employee threat, it is now also moving towards the external threat as well. This can come from social engineering attempts from people on the other side of the world, or from suppliers acting in collusion with employees or any kind of bad actors operating outside of the company's sphere of influence.

Jennifer: Hi, I'm Jennifer Wells, I'm the Head of Crime. I'm here with Jake McCanney, our Cyber Trading Underwriter, and we're going to attempt to demystify the crossover between cyber insurance and crime insurance. The fraud landscape is continually changing, but what we are seeing is theft, moving away from physical means to virtual means by a computer, hence the birth of cyber insurance. So, Jake, can you comment a little bit about what's covered under the cyber policy?

Jake: One of the things that I think is a very kind of difficult challenge, particularly with cyber, is the way that we phrase cyber-crime. Because cyber-crime insinuates that we've got a lot of the cover is on that one little add-on right at the end when in reality, hacking into someone's business, whether that's for data exfiltration through ransom for extortion, anything like that is a crime. It is illegal to hack businesses, but the fact that's covered under the core covers instead of the crime, I think leads to a lot of confusion. So, the cover itself, or what cyber's designed to do in itself is its main purpose, is mainly as a service to make sure that we're protecting our customers in the event of something going wrong. Whether that's kind of a data breach, could be human error, or it could be a third party, looking to gain access to extort through phishing, whatever the circumstances are. The real kind of key aspect of the insurance is to fix that. So that's bringing in those kind of third-party experts for IT incident response, the forensics, the legal teams, the kind of notification to the ICO, the full kind of wraparound support that you get with all of our experts and then that kind of cyber-crime as we call it, which is actually just socially engineered stolen funds. It's just not quite as catchy as cyber-crime. That's just an additional aspect to make sure that we're protecting as much of the cover as we possibly could, rather than what might be a more comprehensive and rounded crime policy, which I think is something a bit different, if that's something you want to go on with.

Jennifer: So, you're right, the crime policy is much more, it's much wider, more encompassing, policy. And the crux of the cover comes in two main forms. So external crime, which you've touched on there, and the method, that's committed would be where your cyber policy kicks in. And the second element of crime, is the internal fraud element, which often gets overlooked by companies, that one of their biggest risks is their own employees. So, the social engineering aspect of cover is in the press and the news articles. I mean it's, it's relevant from a business sense, but also from a personal sense. So, there's a lot of, activity socially around how to protect yourself. So, if you migrate that towards, your company where you're working, those controls should exist there as well. So, to move away from the theft of goods and assets as a physical means, to a digital form of crime where the theft is conducted by computer means, so that will still mean the crime policy will protect the insured against loss of assets or money, but it doesn't cover the means of the attack. So, it won't cover the damage to computer systems; the hacking event itself, that's where the cyber policy kicks in. So, there is a fractional crossover of cover, but I think it's more widely expected that one or other of the policies will respond to both events, whereas that's just not the case. The crime policy really is covering the outcome of whatever cyber event that is. So, whether it's hacking or phishing or social engineering of some description, the crime policy is there to pick up the loss of actual goods or actual money, that goes missing, that is not picked up by the cyber policy generally. So that's really complete balance sheet protection. In a real-world situation can you give me an example?

Jake: Yeah, of course. So, I think a really good example of where there's the separation would come down to something like a manufacturer. So, in the instance that you've got an attacker gaining access via whatever means, phishing, social engineering through business email compromise, what could happen essentially if the machinery was turned off, potentially data subjects’ information was released online. There's an issue in terms of getting this network back up and running as well as potentially stolen money from their own bank account. Where the cyber would kick in essentially would be that immediate instant response, getting people on the ground looking at those computer systems, making sure that those massive machinery tools which now are of all automated electric manufacturing plants would be turned back on, get that production line running again, cover the business interruption of the downtime, make sure that there's an investigation into what an attacker might have seen, what information they might have stolen, and if that information's been released. It could include the negotiation in terms of the ransom, it could include the ransom itself if the insured chose to go down that route. And what we would be doing is really just looking to get the insured back up and running and getting the stolen information back if possible, or notifying data subjects, making sure that everyone's aware of what's gone on and that there's no ongoing negative impact to either the insured, the insured's clients, or employees or whoever's information has been lost. And making sure that the required bodies such as the ICO are notified and aware of everything that's gone on. Where do you see the crime really as taking over from that?

Jennifer: So, another example would be if the intent of the fraudster was to steal money, the fraudster might purport to be a supplier, request the bank account details to be changed, and then our insured would be paying money directly into the fraudster's bank account rather than paying the supplier that was due. So essentially that's when the crime policy would be triggered. We would investigate and the funds would be reimbursed to the client as part of the claim. One key thing to remember is that the threat of the internal crime has not gone, it's just been added to by a bigger threat of external crime. So your crime policy will provide cover for both elements, the internal and the external, and we'll reimburse you for any funds lost due to fraud.

Jake: So it seems really clear that for an insured to be fully protected against crime, whether that's internal or external, online or offline, that they need to have both cyber and crime policies in place that will dovetail really nicely together and ensure that the cyber can be there to bring in that incident, immediate instant response and all the support to bring them back into place and the crime can be there to reimburse any stolen monies or lost goods.