Companies Failing to Use Technology to Fight Fraud

While an increasing number of malicious actors are using technology to perpetrate fraud, the vast majority of companies are not using the technological resources available to fight it. According to KPMG’s new report Global Profiles of the Fraudster, technology significantly enabled 29% of the 110 fraudsters analyzed in North America and 24% of the 750 fraudsters analyzed worldwide. What’s more, 25% of frauds that hinged on the use of technology were detected by accident rather than safeguards or analytics, compared to just 10% spotted by accident in cases where the criminals did not use technology.

Indeed, proactive data analytics was not the primary means of detection in any North American cases and was only used to detect 3% of fraudsters worldwide. In North America, the most common means of detecting fraud were tip-offs and complaints, management review, accidental discovery, suspicious superiors and internal audit.

KPMG found that weak internal controls contributed to 59% of frauds in North America. Companies are failing to focus on strengthening controls, the firm reported, despite the increasing threat of newer types of fraud, such as cyber fraud, and the persistence of traditional forms of wrongdoing.

“In addition to ensuring internal controls are thoughtfully designed, companies should deploy effective training and instill a culture of integrity so that controls are properly executed,” said Phillip Ostwalt, partner and Global Investigations Network Leader at KPMG LLP. “Companies should also adopt new controls as their risk profiles change. Ongoing risk assessments can help cost-constrained companies ensure they are properly investing in such controls.”

Who are these fraudsters?

  • 65% are between ages 36 and 55
  • 39% have been employed by the victim organization for over six years, most in operations, finance or the office of the chief executive
  • 42% operate in groups and 52% of collusive frauds involved external parties

Check out the infographic below for more of the study’s findings:

[Infographics: Profiles of the Fraudster; Fraudster Infographic: Women]

California’s New Localized Water Controls a Step Forward

With higher levels of rain and snowfall over the winter, California’s water situation has eased in some areas, prompting the state to initiate new water conservation rules, adopted on May 18 and in effect June 1 through January 2017. The regulations give control over water usage to local communities, which means more restrictions in some areas than in others. In Northern California, winter precipitation has filled some reservoirs, while drought conditions persist in Southern California.

The previous rule—enacted in April 2015 by Gov. Jerry Brown, who issued an Executive Order mandating a 25% reduction of urban water usage from 2013 levels over a nine-month period—saw a savings of about 424 billion gallons. That followed a failed year-long effort to achieve a voluntary 20% reduction in water usage, with statewide conservation results averaging between just 7% and 12%.

The State Water Resources Control Board explained that the new approach replaces the percentage reduction-based water conservation standard with a localized approach. The emergency regulation requires that urban water suppliers ensure that at least a three-year supply of water would be available to their customers in case of drought conditions. Suppliers that would face shortages under three additional dry years are now required to meet a conservation standard equal to the amount of the shortage. A water agency that projects it would have a 10% supply shortfall, for example, would have a mandatory conservation standard of 10%. The regulation also makes previously passed water-wasting rules permanent, including bans on hosing sidewalks, washing cars without a hose nozzle, and watering lawns within 48 hours of measurable rainfall.

“El Nino didn’t save us, but this winter gave us some relief,” Water Board Chair Felicia Marcus said in a statement. “It’s a reprieve though, not a hall pass, for much if not all of California. We need to keep conserving, and work on more efficient practices, like keeping lawns on a water diet or transitioning away from them. We don’t want to cry wolf, but we can’t put our heads in the sand either.”

Will Sarni, director and practice leader of water strategy at Deloitte, agrees with the direction the state is taking on conservation.

While it may appear that restrictions are being eased, which could send the message that things are going back to business as usual, “It’s not business as usual, but local entities are being given more control,” Sarni said. “My view is that water is ultimately a local issue, so providing greater flexibility and decision-making at the local level that aligns with an overall strategy within the state, or nation, makes sense.”

The model of local management actions that roll up to a regional entity has been successfully adopted in other parts of the country, he said, explaining that states do work together. One example is the Delaware River Basin Commission, which is an entity that has a say in how water is managed in the Delaware River. Other examples include the Great Lakes Commission and the Colorado River Compact. “So cooperating on water is actually more common than not,” Sarni said.

Beware of Coverage Gaps for Social Engineering Losses

Social engineering is the latest cyberrisk giving companies fits and large financial losses. A social engineering loss is accomplished by tricking an employee of a company into transferring funds to a fraudster. The fraudster sends an email impersonating a vendor, client, or supervisor of the company and advises that banking information for the vendor/client has changed or company funds immediately need to be wired at the “supervisor’s” direction. The email looks authentic because it has the right logos and company information and only careful study of the email will reveal that the funds are being sent to the fraudster’s account. Unsuspecting and trusting employees unwittingly have cost their companies millions of dollars in connection with social engineering claims.

But when companies look to their traditional insurance program, they are usually met with the unhappy surprise that they do not have coverage for such a loss. Most assume that the loss will be covered by the crime/fidelity policy that nearly all companies have. Insurers, however, have denied coverage for social engineering claims under those policies, claiming that the loss did not result from “direct” fraud. Insurers contend that the crime policy applies only if a hacker penetrates the company’s computer system and illegally takes money out of company coffers. In the case of a social engineering claim, company funds have been released with the knowledge and “consent” of an employee, albeit the employee has been induced by fraud to release the funds. Policyholders and insurers are currently litigating the scope of coverage under traditional crime policies nationally with mixed results.

Some crime policies also contain exclusions that may pose specific barriers to social engineering claims. For example, many traditional crime policies contain a “voluntary parting” exclusion that bars coverage for losses that arise out of anyone acting with authority who voluntarily gives up title to, or possession of, company property. In addition, some insurers have put overly broad exclusions on crime policies that are directed toward eliminating coverage for many cyber risks, including social engineering claims.

Given the prevalence of social engineering claims and the clear market for companies looking to insure against such risks, some insurers have begun to offer an endorsement that provides coverage for social engineering claims. The coverage may be subject to a sublimit and may include coverage for some, but not all, social engineering risks. The coverage also might be subject to additional exclusions. Like all insurance policies, the precise words of the endorsement matter and, therefore, should be carefully reviewed.

Finally, and most important of all, social engineering coverage will not automatically be added to a company’s policy and not all insurers will provide such coverage. Therefore, companies should review their current insurance program with their insurance professionals and experienced coverage counsel to determine whether they have appropriate coverage that is in line with the market for social engineering claims.

Check out “6 Tips to Minimize the Risks of Social Engineering Fraud” from Risk Management.

EgyptAir Flight MS 804 Crash Confirmed, Killing 66

Egyptian authorities believe they have found debris from EgyptAir Flight MS 804, but the search remains on for the wreckage of the Airbus A320 traveling from Paris to Cairo that vanished from the radar and crashed into the Mediterranean early this morning.

According to Greece’s defense minister, Greek controllers attempted to contact the aircraft when it crossed through the country’s airspace but could not get a response. The plane made “sudden swerves” before dropping from 37,000 to 15,000 feet and disappearing from radar. The small commercial jet was about half full, carrying 66 passengers from a range of nations, including 30 from Egypt, 15 from France, two Iraqis, and one person each from Britain, Belgium, Kuwait, Saudi Arabia, Sudan, Chad, Portugal, Algeria and Canada.

[Image: EgyptAir map (Reuters)]

No cause has been officially identified, but many security analysts and government officials believe that an act of terrorism may have downed the plane. There were no documented red flags before the plane disappeared: local weather was good, the plane was on its fifth flight of the day, the pilot and copilot had logged a significant amount of flying experience, and Greek aviation officials said the pilots did not mention any issues.

According to Reuters, Egyptian Prime Minister Sherif Ismail said it was too early to rule out any possible explanation, and French President Francois Hollande told reporters, “No hypothesis can be ruled out, nor can any be favored over another.” Egypt’s civil aviation minister said a terrorist attack was more likely than a technical failure, however. Two U.S. officials told CNN that the government is operating on an initial theory the flight was taken down by a bomb, but cautioned this is not yet supported by a “smoking gun.” No terrorist groups have yet claimed responsibility for the crash.

As Time noted:

Egypt has been the victim of terrorism in the skies relatively recently. Last October, a Metrojet charter plane filled with Russian tourists crashed into the Sinai Desert shortly after taking off from the Egyptian Red Sea resort of Sharm el-Sheikh, headed to St. Petersburg, Russia. All 224 passengers died in the crash. Investigators quickly speculated that a home-made bomb had been placed aboard the aircraft and in February the Islamic State, or ISIS, claimed responsibility, saying that it had indeed smuggled an explosive device aboard the aircraft.

In March, a passenger aboard an EgyptAir plane flying from Alexandria to Cairo hijacked the plane wearing a fake suicide belt, an incident that raised deep concerns among aviation authorities about the anti-terrorist measures in place on EgyptAir flights, and at Egyptian airports.

Beyond the region, a number of high-profile losses have hit the aviation industry as a whole over the past two years, including the disappearance of Malaysia Airlines flight MH370 and the crash of MH17, a Boeing 777 shot down over Ukraine. As we reported at the time, however, crashes actually continue to decrease. While the insured losses from a plane crash can be significant, the capacity in the aviation insurance market has continued to keep rates stable and relatively low.

In the terrorism insurance market, recent losses have also not yet borne out a concrete impact on rates or capacity. While some European markets have recently reduced their underwriting appetite, terrorism coverage has primarily broadened, with significant capacity and rates that remain relatively low.

As Business Insurance recently reported, the terror attacks in Paris and Brussels have prompted an increase in the take-up rate for event coverage to add to buyers’ terrorism insurance programs. Tim Davies, head of sabotage and terrorism at London specialty insurer Sompo Canopius, told the magazine that many buyers have been adding liability and event cancellation coverage, prompted by the continued relatively low rates. Despite the spike in attacks in Europe, Richard Sawyer, director and head of North American terrorism at Aon Risk Solutions, told AM Best last week that rates for terror coverage should remain relatively stable unless the frequency of attacks escalates.