Cyber-fraud More Than Just a Cost of Doing BusinessIt May Be Deadly Business
Insurance Experts' Forum, November 30, 2009
While most of us will never hear about it, security experts have been telling us for years that some banks and other large companies have been quietly paying protection money to criminal syndicates who would otherwise bring down or seriously compromise their computer systems. The victimized institutions have apparently accepted such extortion as a given, and are looking at it as just another cost of doing business.
But can any insurer, broker or other company really afford to be so cavalier about what is happening, even if we’re not talking about extortion? According to former prosecutor and FBI agent Chris Swecker, the answer is clearly no. Swecker, who is the founder of Chris Swecker Enterprises, pointed out in a recent interview with me that, “The potential to commit fraud is magnified on the Internet,” adding that cyber crime is a low-risk and profitable undertaking. “Law enforcement authorities aren’t likely to arrest some guy in Romania who is part of a hacking syndicate,” he said.
Obviously, fraud is a huge concern for insurers, which is why they devote so many resources and so much money to preventing it. Yet many insurers acknowledge that below a certain dollar threshold, they don’t find it profitable to pursue fraudulent activity. The dollar amount undoubtedly varies from insurer to insurer, but I have been told that carriers generally set the limit between $3,000 and $5,000. Any losses that come about as a result of fraud that nets a lesser amount are routinely ignored, and written off as a cost of doing business.
That sounds like good business, but it fails to acknowledge that a man (or a company) may just as easily die from 1,000 cuts as from a single mortal wound. Swecker noted that, “Terrorist financing and criminal actions (like fraud) often intersect.” He said that much of the funding for terrorist activity worldwide comes from the proceeds of such activity.
“Fraud funds terrorists,” he explained. “They perpetrate banking or credit card fraud, then use the proceeds to turn around and hurt us again.” In some cases, he noted, terrorists will hire hackers to commit such crimes in order to fatten their own nefarious coffers.
That really puts a whole new light on the idea of allowing smaller crimes to continue, doesn’t it? Certainly, banking or credit card transactions are an important part of what takes place in the insurance industry, and if it were just a matter of focusing on bigger fish, I would have no problem with that approach. If, on the other hand, cyber-criminals are perpetrating many “small” frauds, then turning around and using the accumulated funds to endanger American lives both here and abroad, I have a huge problem with that.
What can we do? Swecker suggested that modern fraud sniffing software can help detect patterns of network-based fraud activity that originates in places like Russia, Egypt and Romania. Such software employs aggressive analytics along with a case management system that seeks to manage workflow and to raise red flags.
Will insurers and others have to spend more money to do this? Absolutely. Then again, what is it worth to your organization to thwart a well-planned series of “small” events that could end up hurting the company overall and—more important—might well cost American lives?
No one can require us to raise our level of vigilance to this level. But can we afford not to?
Ara C. Trembly (www.aratremblytechnology.com) is the founder of Ara Trembly, The Tech Consultant, and a longtime observer of technology in insurance and financial services.
Readers are encouraged to respond to Ara using the “Add Your Comments” box below. He can also be reached at firstname.lastname@example.org.
The opinions posted in this blog do not necessarily reflect those of Insurance Networking News or SourceMedia.
Add Your Comments...
If you have already registered to Insurance Networking News, please use the form below to login. When completed you will immeditely be directed to post a comment.
You must be registered to post a comment. Click here to register.