The insurance industry has woken up to the growing criminal threat, with increasing amounts of resource – both time and money – invested in the building of appropriate defences. However, Dennis Toomey, global director of counter fraud analytics and operations at BAE Systems, highlights that much of that investment has focused on the external threat, with only rudimentary efforts directed towards the equally potent risk posed by crimes committed or facilitated from within.
While the criminal threat remains either misunderstood or poorly managed, criminal gangs will continue to breach insurers’ defences by placing agents within the workforce or directly recruiting genuine employees.
The reality is that the construction of cyber defences or anti-fraud programmes that neglect the malicious-insider threat is leaving insurers exposed. There is little point building a front door fit for a bank vault if the back door has been left wide open.
Insider fraudsters not only steal customer data and facilitate the payment of fraudulent claims, but they have also been known to act as intelligence officers for criminal enterprises.
In the US, anti-fraud investigators have discovered the existence of brochures detailing what particular insurers will pay in a claim and even which specific claims handlers are most likely to part with the most. The collation of this level of detail has almost certainly been done with the aid of criminal insiders.
Employees are, in fact, some of the most common facilitators of fraud, with junior employees involved in 39% of cases, ex-employees committing 34% and senior or middle management 27%, according to a recent study by Kroll.
Even if a company is fortunate enough to escape active criminal agents operating within its organisation, the threat of accidental collusion is ever present. It takes only one employee innocently clicking on the wrong link in a malicious email for even the toughest of cyber defences to be penetrated.
Thankfully there are measures available to companies so they can start to identify the malicious (and accidental) operatives. Key among these is the smart use of analytics.
Some organisations are beginning to apply the analytics tools they use elsewhere in their business to human resources data, trying to identify suspicious behaviour, spot accidental weak links and even predict which individuals may be susceptible to the temptations of crime.
The percentage of companies employing user-behaviour analytics tools has risen significantly, from 42% in 2017 to 94% in 2018, according to software firm CA Technologies.
Clearly the adoption of this level of employee monitoring requires care and a cultural shift – nobody wants to resort to Big Brother tactics. Rather than dismiss the idea, however, insurers should focus on implementing these tools in a way that brings employees on board through a wider company culture of ‘security first’.
Insurers are right to build secure defences against financial crime and to invest in doing so. But they must ensure that those defences are comprehensive. Underestimating the very real insider threat – and the tools on offer to help root it out – risks leaving that back door jammed wide open.