The insurance industry continues to treat cyber attacks and fraud as two independent problems. However, Dennis Toomey, global director of counter fraud analytics and operations at BAE Systems, argues they are in fact one and the same – and until the sector treats them as such, it will always be playing catch-up.
The criminal threats facing insurers are sophisticated, global and ever growing. The worldwide cost of fraud could be as high as £3.2trn a year, according to consultancy group Crowe. What’s more, companies globally could incur $5.2trn (£4.1trn) in costs and lost revenue from cyber attacks over the next five years, say estimates from Accenture.
These figures help us at least begin to understand the scale of the threat faced. But the very fact that there is almost always a clear demarcation made between cyber crime and fraud highlights what is a fundamental issue in the fight against financial crime.
Criminals are increasingly collaborating, using cyber tactics to perpetrate fraud and deploying proceeds from that fraud to fund other criminal enterprises. Meanwhile the insurance industry continues to treat cyber attacks and fraud as two independent problems. They are in fact one and the same – and until we treat them as such, I fear we will always be playing catch-up.
There are two fundamental reasons for this false distinction: cultural and data silos. Working with insurance companies we see a lack of collaboration across the very teams tasked with protecting those companies.
The compliance team might be working on an insider fraud case, the anti-fraud team on an external fraud incident and the IT security team on a hacking attempt. Each team has its own processes, forms of investigation, data resource and analysis. This means they almost never stop to think that the three cases might be linked, that the same criminal network might have attacked their company from three different angles.
The result is not only a missed opportunity to share resources and intelligence, but also, I would argue, a dangerous oversight that constitutes a fundamental misunderstanding of the threat insurers face today.
And the problem extends beyond a lack of internal communication and collaboration. The siloed approach to tackling financial crime can also be seen in the way insurers store and analyse their data.
Legacy software systems play their part in this issue, but we also often find data and the application of analytics limited to specific and individual lines of business.
Criminals, on the other hand, are much less rigid in their approach. They will go wherever vulnerabilities exist and rewards are highest – and that can be anywhere in an insurer’s book of business.
It’s important that insurers can monitor activity – both internally and externally – right across their portfolios. Data analytics, like other technological solutions, must be fully integrated and used broadly across an organisation to maximise potential. Ideally this integrated approach should be applied to all aspects of a company’s defence.
For example, the vast majority of insurers perform cyber penetration testing. But how many perform fraud penetration testing? The answer is far fewer, though the services to perform such tests exist. And how many perform cyber and fraud penetration testing as one exercise? I would be surprised if there are any, yet in reality it offers the most effective way of tackling this threat.
Insurers must approach financial crime challenges in the same way the crimes themselves are perpetrated – as a unified rather than a fragmented exercise.
This is the kind of thinking and approach the insurance industry requires, but we cannot expect anti-fraud or security teams to deliver it single-handedly. The ability, and I would argue the responsibility, to create a broader, more systematic approach lies at the top of an organisation.
The fight against financial crime is hampered by the lack of a broad level of technical understanding of anti-fraud measures or IT security at board level in most insurance companies.
That is not intended as a criticism. It is simply a statement of fact. If insurers are ever to keep pace with criminals, they must start bringing more of this expertise into play at board level, tasking their most senior executives with more personal responsibility for the creation of a company-wide response to the threat.
Because it is only when the responsibility for defending a company against criminal attack is assumed at the highest level that cultural and digital collaboration will become a strategic imperative.
And it is only then that insurers will be able to create the coordinated response necessary to meet an increasingly integrated and sophisticated criminal threat.