In order to solve a problem, we need to accept that it’s there. This principle is common sense – and it certainly applies to insurers’ fight against financial crime, says Dennis Toomey, global head of insurance fraud at BAE Systems.
Fraud perpetrated against insurers by outsiders was, until relatively recently, a dirty secret that most kept to themselves. Organisations were reluctant to admit falling prey to fraudsters for fear of both attracting more criminal attempts and causing irreparable reputational damage.
But as the prevalence of fraud across the industry grew, professionals began tentatively sharing their experiences with peers. With the fact that this was actually an industry-wide problem laid bare, the fightback began.
This evolution is well exemplified in the cash-for-crash phenomenon in the UK. What began as a collection of anecdotal evidence grew to give a picture of a wider problem, with the accompanying realisation that the industry was under consistent and often coordinated attack.
The next step was to start sharing relevant data – and from that came the determination to coordinate a comprehensive response. The result was the birth of the Insurance Fraud Bureau in 2006.
Fraud perpetrated by outsiders is only part of the industry’s criminal problem, however. The under-reporting of internal fraud would suggest that the lessons of the past have not always been learnt.
Although there are occasional cases reported in the media, industry insiders believe that the problem is much more prevalent than these infrequent reports would suggest.
This is despite the fact that insider fraud is almost certainly another facet of the wider organised fraud problem, with individuals being placed as employees or existing staff being recruited by criminal gangs to facilitate fraud from within.
With insider fraud, it appears, the same reputational fears are preventing insurers from speaking openly about what is a market-wide problem.
And the pattern of under-reporting appears to be repeating itself in the realm of cyber crime.
Only 54% of IT security departments did or would report a ransomware attack to law enforcement, according to a 2016 global survey by IT security firm SentinelOne. Indeed, only 61% were even willing to report an incident to their own board.
It is widely accepted that cyber attacks are among the most under-reported types of financial crime. And it would appear that reluctance to report them stems from a fear of drawing attention to weaknesses in an organisation’s defences and thus potentially inviting further attacks. Here again there is fear of reputational damage, with insurers concerned that admitting to being breached by a cyber attack could make customers reluctant to entrust them with their finances and data.
A cyber equivalent of the IFB may not be straightforward or even conceivable, but the fact remains that to strengthen the fightback against financial crime, it is first necessary to admit the extent of the problem.
The IFB is just one model from around the world showing that reporting crime and collating data works. Insurers must now join all the dots to reveal the complete picture of the criminal threat. This means overcoming the instinctive reaction, based on misplaced fear and shame, to sweep the problem under the carpet.