Risk in the News
Five Ways to Protect Your Company Against Social Engineering Fraud
Based on the number of times Cyber breaches have been in the news lately, I doubt anyone needs convincing that Cyber security and Cyber risk are a primary concern for most business owners and C-suites, and for good reason.
The Financial Crimes Enforcement Network (FinCEN) released a report, Manufacturing and Construction Top Targets for Business Email Compromise, noting that it received 14,000 suspicious activity reports in 2018 related to business email compromises, which is more than double what was reported in 2016. Manufacturing and Construction were the most targeted sectors, accounting for 25% of all reported Business Email Compromise (BEC) incidents in 2018.
Fraudulent vendor invoices accounted for 39%, nearly half, of all business email scams in 2018. Generally, these scam messages attempt to impersonate vendors or management-level employees to dupe the recipient into making a wire transfer or paying a false invoice.
Malicious individuals use these types of social engineering scams because they are effective and staff members fall for them.
Insurance coverage for these types of scams can be purchased with either your Crime or Cyber Liability policies, but the limits are often inadequate for the exposures.
Risk Management is key here. Companies should be encouraged to implement ways to mitigate losses relating to scams so that the sub-limits on their Cyber/Crime policies aren’t the only option for protection.
Below are some of the ways to mitigate Social Engineering/Fraudulent Email Scams:
- Educate your staff – Continually provide training to your staff to identify fraudulent emails/requests that prompt them to click links, download attachments and, most importantly, transfer funds;
- Implement strong policies and procedures – Develop and train staff on simple procedures to follow regarding transfer of funds. The simplest example is to have employees verbally confirm direction from management to transfer funds or pay large vendor invoices before they rush to do so;
- Spam filtering – Relying on Outlook’s junk mail filtering is not enough to stop most spam or malicious messages from getting into your inbox. Enterprise companies should be utilizing enterprise solutions from reputable technology providers to stop spam before it reaches your server;
- Manage social network profiles – Sophisticated “hackers” will study up on their targets by “stalking” their social media accounts. Valuable information could be gleaned from watching online activity and used later to trick staff into doing something they shouldn’t;
- Purchase insurance – As I mentioned earlier, social engineering/funds transfer fraud endorsements can usually be added to both Cyber and Crime policies. However, this should not be the only line of defense.
Please contact us if you would like more information on Social Engineering risk mitigation strategies or want help with your Cyber Liability coverage.
Cyber Risk & Insurance - Trends in Coverage and Claims
Risk & Insurance magazine recently published an article, “Here’s What’s Happening With the U.S. Cyber Market”, reporting on the trends that emerged in the Aon 2019 Cyber Insurance update. Both are worthwhile reads, noting that there is a bit of a slowdown in overall premium growth and that insurers will focus their efforts on converting the Small to Medium Enterprise (SME) market into clients.
The Aon report notes that 68% of all claims are first-party claims experienced by insureds, and according to the 2018 Cost of a Data Breach Study (Global Overview) report, the cyber claim cost per compromised record is now $148. At that rate it doesn’t take a large data breach to start racking up the costs to mitigate losses and comply with state reporting requirements.
We think that every business should qualify and quantify their cyber exposure by both performing an internal cyber review and going through the underwriting process to obtain a quotation on cyber coverage. Our associates regularly help our clients better understand a variety of business risks, including cyber risk. Please feel free to contact me if you would like to discuss a particular issue or a comprehensive Risk Management Assessment.
Hurricane Joaquin Preparedness
As the National Weather Service is reporting that Hurricane Joaquin is intensifying into an extremely dangerous Category 4 storm, I wanted to reach out to you to let you know that our team is here and ready to help. Whether you need to understand coverage or need assistance in preparing a contingency plan, the ALS team is here for you.
Here are some useful links to sites that provide some simple tips to help you maintain your safety and minimize the potential for damage to your home and/or business.
I would also like to share a very important lesson I learned from my own experience during Hurricane Sandy: sump pumps run on electricity, so if the power goes out, the pump stops working, which can pose a significant problem to those of us with basements prone to flooding. Getting a back-up generator is one way to mitigate that risk.
As both a life-long risk manager and a business owner, I would be remiss if I didn’t bring up the importance of having a comprehensive disaster recovery plan in place as part of your business strategy.
- Make sure your employees know what to do in case you need to close your office due to lack of power, flood or other hurricane related issues
- Confirm your network has backup power or applications are accessible if the building loses power
- If your office is inaccessible, forward office phones to mobile devices
- Ensure email is stored and accessible if the company servers go offline
As we all are, I am hopeful that the storm will pass us by, but while being positive and optimistic is good, being proactive and prepared is much more effective.
Stay safe!
Managing Political Risk
I wanted to take a moment and share with you an interesting article I recently read in CFO Magazine (The Rise of Political Risk), which clearly identifies the increased political risk that doing business in today’s global economy brings and how it could adversely impact a multi-national company’s financials and reputation. This is clearly demonstrated by the experience companies are having in Africa, South America and Russia. As noted in the article, various coverages may be purchased in the private market to mitigate a company’s physical and financial asset exposure.
However, insurance is only one tool to mitigate risk. In addition, every company needs to ask itself what it can do to mitigate its exposures at an operational level. This should include developing and engaging in a risk assessment for any country in which an organization is considering doing business. This should include evaluating the security, political, and regulatory environment. Essentially, this is a risk review of a country so that senior management can clearly identify the risks of each country and how to best avoid losses. Once you’ve planned the mitigation activities, an estimation of resultant residual exposure will provide a good view of whether or not conducting business in that country fits your company’s risk appetite. As a company, this is something that we recommend and is a skillset in which we excel.
To survive in the global economy, a company needs to adapt its risk management strategies to the ever-changing business environment or risk missing an opportunity or suffering a loss.
If you have any questions or need help in minimizing the risks associated with doing business around the world, please feel free to contact The ALS Group for more information.
TRIA Blocked
Last night, Congress failed to pass bill S.2244 for the renewal of the Terrorism Risk Insurance Act, more commonly known as TRIA.
This is a major setback for the country, as the Act is a backstop for the insurance industry as a whole. Unless Congress takes immediate action and approves the Act, the whole country will be left without TRIA coverage effective January 1, 2015.
We are closely monitoring the situation and are currently exploring alternatives for our clients on a case-by-case basis.
If you have any questions on this vital issue or would like to discuss possible alternatives please reach out to us and we can walk you through the impact this will have on your organization.
TRIA Reauthorization Update
As some of you may have heard, the Senate Banking Committee unanimously approved the Terrorism Risk Insurance Program Reauthorization Act (TRIA) yesterday. This Act extends existing TRIA for an additional seven years, which will afford certainty to commercial property developers and contribute to further economic growth and job creation.
I thought you might find the article “Senate Banking Committee Passes TRIA Reauthorization” interesting as it provides a good background and summary of the Act and Reauthorization timeline and proposal.
If you would like to know more about the TRIA act, please do not hesitate to contact Albert Sica at 732.395.4251 or [email protected].
Safeguard your Business Against Cybercriminals
Cyber crime and liability from data breaches have been in the news almost daily. The article in the July 5th edition of the Wall Street Journal goes through the sad story of a small business owner who was “robbed” of $1.2M of cash due to a virus embedded in the company’s data system.
Cyber crime against small to medium sized businesses is on the rise, and it is more important than ever to closely scrutinize the risk mitigation steps that are taken – both insurance and non-insurance related. Several months ago I wrote to you about a similar article that appeared in CFO Magazine and it seems the trend is not letting up.
The risk from data breaches, cyber crime and general vulnerabilities the company may experience due to a breach of security can range from theft of assets (as in the case of poor Mr. Kellson) to a breach of private third party data (which might trigger an obligation under State affirmative notification laws (state by state summary)).
In most cases the Company’s internal IT staff should seek specialized IT Support that will analyze IT security measures from infrastructure to employee practices. With almost everyone carrying a smart phone these days, it is easier than ever for data/privacy breaches to happen and then go “viral”. The Reputation Risk that a company can suffer from such a breach can be devastating.
The insurance marketplace can provide very sophisticated products to mitigate many of these risks but, like any insurance product, if you really need it, it is likely the insurance will not be available. The first step is to seriously and methodically consider the sources of a breach and work through mitigating that risk.
Taking a proactive approach to these cyber and data risks is a prudent way to prospectively lower the Company’s Total Cost of Risk (TCoR) and add another measure to insulate the company from very real threats that can have a material effect on the financial health of the company.
Please feel free to contact Albert Sica to discuss any concerns you may have in this area and to structure a program to work through the risk identification and mitigation process.
Click to read the full article “Cybercriminals Sniff Out Vulnerable Firms”.
DOL 401(k) Rule Changes – Plan Administrator Beware!
The recent article in the Wall Street Journal, 401(k) Plans Step Into the Sunshine, goes into a great deal of detail regarding the changes in the Department of Labor rules on 401(k) fee plan disclosures and the caution employers and plan administrators must exercise while administering these plans.
We think that these changes will attract a great deal of attention from plan participants and can potentially result in an increase in Fiduciary Liability claims.
Fiduciary Liability insurance is a fairly inexpensive coverage that can be an effective tool used to mitigate a company’s Total Cost of Risk. This coverage responds to a breach of fiduciary duty (or perceived breach) by plan fiduciaries.
Click here to read the Wall Street Journal article, 401(k) Plans Step Into the Sunshine.
We’ve addressed this issue on our blog in the past, most recently in January of 2011, before the Department of Labor rule requiring full fee disclosure. Read the blog post 401(k) Plan Fee Disclosure – Let the Games Begin.
If you would like to know more about the measures that can be taken to mitigate risk in this area or to better understand Fiduciary Liability coverage, please do not hesitate to contact Albert Sica. He can be reached at 732.395.4251 or [email protected].
Cyber Crime Warfare Strategy – Employee Awareness
In Monday’s (October 31, 2011) Wall Street Journal there was a curious article explaining how many security breaches result from unsuspecting employees. It also touches on another huge problem: the trend to share more and more personal data on social networking sites.
Breaches of private information can be a serious assault on any business framework and wreak havoc on business security resources. Risk awareness and transparency are good risk mitigation measures to lower prospective Total Cost of Risk (TCoR).
We suggest awareness plans to remind employees about security measures already in place and to caution against the obvious.
For more cyber risk advice or to discuss how a methodical approach to risk management can protect your firm, contact Albert Sica at 732.395.4251 or [email protected].