Fraudsters salivate at the mere thought of accessing the goldmine that is insurance company data. Just like banks, they have extensive data sets that criminals aspire to expose, including private customer details and payment information. Perhaps here more than in any other business sector, trust is everything. A data breach or fraud event is bad news for any company. In the insurance business, it could damage a company’s hard-won reputation.
Cyberattacks, external fraud and insider fraud events are increasing as insurance companies look to migrate to integrated digital platforms. The insider threat in particular has presented itself as extremely problematic within an increasingly hybrid work environment. With that in mind, Bottomline recently convened a roundtable featuring ten senior professionals from the insurance sector. The discussion was wide-ranging and candid, covering problems stemming from the insider threat and concerns about how to address it. Here are five key points I took away from the event:
- Adapting to the hybrid work environment: It is impossible to expect all employees to police themselves while working from home. Some companies are revisiting their policies regarding device monitoring and access to sensitive information at home, especially via mobile phones, where screenshots or pictures can be taken of sensitive data. Internal data breaches are a top concern, confirming our sense of the current situation.
- Identifying the fraudsters: As one attendee put it: “You would notice if someone walked out of the office with a huge printout of confidential data.” However, that is rarely the reality in the digital workplace, where the threats are as digital in nature as the company itself. All attendees agreed that detecting the fraud in the first instance is one of the most challenging issues. In one example, the lag between an employee’s resignation and their actual departure date provides the opportunity to take data for personal gain. An automated, digital breadcrumb approach built around such detection scenarios would certainly be more effective, and insurance companies asked for more guidance on that front.
- Respecting privacy: Attendees were unanimous in their desire to provide an element of deterrence for all future employees and to warn the wider community about potential bad actors who could cause financial and reputational damage. However, there was also a lot of sensitivity around creating a culture of suspicion. Concerns were expressed about respecting individual employee privacy when presented with evidence of potential fraud. This is a legitimate concern; however, there are also ways to tactfully communicate the processes that apply when accessing sensitive data. Some attendees have formed internal task forces to craft insider fraud defences, alongside engaging external partners to provide expertise in identifying fraud as a complementary approach.
- Investigations: Most insider fraud starts small and becomes more daring over time, and in most cases the employees involved don’t have a criminal record that would flag them as high-risk individuals. So, when do you raise the red flag? I would say that performing an analysis of interactions at an application level (rather than monitoring employee activities) would allow insurance companies to raise alerts as early as possible and then track that employee’s behaviour within mission-critical applications in a non-invasive, compliant manner. Once confronted, suspicious employees can display red flags such as taking sick leave when they feel the heat of being caught.
Some attendees were intimidated by the potential length and complexity of the investigation process. Unfortunately, the downside of ignoring insider fraud is huge, and investigations are the key part of any defensive strategy: the aim is to use technology to make them as efficient as possible.
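As an added illustration of the application-level detection scenario described above (this is not Bottomline’s product code or material from the roundtable), the script below correlates a constructed HR feed of resignation dates with constructed application audit events and flags users whose sensitive-record access during their notice period jumps well above their own pre-notice baseline. The event values, HR dates, thresholds and function name are all assumptions.

```python
"""Application-level insider-risk check: flag employees whose access to
sensitive records rises sharply during their resignation notice period.
Added illustration; the events and HR dates below are constructed samples,
not data from any insurer or from Bottomline."""
from collections import defaultdict
from datetime import date

# Constructed HR feed: user -> (notice given, last working day)
NOTICE_PERIODS = {"u123": (date(2023, 3, 1), date(2023, 3, 31))}

# Constructed application audit events: (user, day, action, record count)
EVENTS = [
    ("u123", date(2023, 2, 10), "view_policy", 12),
    ("u123", date(2023, 2, 17), "view_policy", 15),
    ("u123", date(2023, 2, 24), "view_policy", 11),
    ("u123", date(2023, 3, 6), "export_policy", 400),
    ("u123", date(2023, 3, 13), "export_policy", 650),
    ("u456", date(2023, 3, 6), "view_policy", 14),  # not in notice, ignored
]


def flag_notice_period_spikes(events, notice_periods, ratio=5.0, min_records=100):
    """Return {user: (baseline_avg, notice_avg)} for users whose average daily
    record access during notice is at least `ratio` x their pre-notice baseline
    and totals at least `min_records` (to avoid alerting on trivial volumes)."""
    before = defaultdict(lambda: [0, set()])  # user -> [records, active days]
    during = defaultdict(lambda: [0, set()])
    for user, day, _action, count in events:
        if user not in notice_periods:
            continue  # only employees in a notice period are assessed
        start, end = notice_periods[user]
        bucket = during if start <= day <= end else before if day < start else None
        if bucket is None:
            continue  # activity after the last working day is out of scope here
        bucket[user][0] += count
        bucket[user][1].add(day)
    flagged = {}
    for user, (n_rec, n_days) in during.items():
        notice_avg = n_rec / len(n_days)
        b_rec, b_days = before[user]
        baseline_avg = b_rec / len(b_days) if b_days else 0.0
        # No baseline at all is itself suspicious, so treat it as a spike.
        if n_rec >= min_records and (baseline_avg == 0 or notice_avg >= ratio * baseline_avg):
            flagged[user] = (baseline_avg, notice_avg)
    return flagged


if __name__ == "__main__":
    for user, (base, notice) in flag_notice_period_spikes(EVENTS, NOTICE_PERIODS).items():
        print(f"ALERT {user}: {base:.1f} records/day before notice, {notice:.1f} during")
```

The alert is raised from application audit data alone, so the same check can feed an investigation queue without any monitoring of the employee’s wider activity.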
- Deploying technology for improved evidencing: AI and behavioural analytics were popular at the roundtable, as were cloud-based solutions. The need to use technology to sufficiently evidence fraudulent activity for a criminal prosecution is crucial, even though attendees were concerned about the risk and complexity of adding a tech solution to their business-critical systems. This, in my opinion, comes from a lack of awareness about how technology integration can be achieved in a non-invasive fashion.
Insider and employee fraud are genuine concerns for insurance companies. Risks from such employees, as well as speculative fraud attempts, will persist as long as employees are working from home. A deterrence strategy is essential and should include buy-in from all departments, with a shared purpose to use technology to detect, investigate and provide the valuable evidence needed to protect data and reputation and to prosecute successfully. Fraud is, after all, a criminal offence.