Fraud insurance for asset managers - what is it and should I buy it?

Background

Fraud Insurance was originally created in the early 20th century in response to the rapid growth of the banking industry. Increases in the workforce meant that the risk of misconduct was heightened, and therefore an insurance product was put in place to cover direct financial loss suffered by a business as a result of employee dishonesty. This has since evolved to cover other types of fraud committed by various means, given the sophistication of technology used by criminal actors and the increase in social engineering incidents seen across all industry sectors.

What does Fraud Insurance actually cover?

A Fraud policy covers your own direct first-party financial loss as a result of a fraud, such as internal/employee fraud or third-party fraud. Fraud cover differs from a PI policy, which is there to cover legal liability claims made against you by third parties.

Within an asset management context there is added complexity to how fraud policies operate: the manager can be the victim of a fraud which results in a loss to its own balance sheet, but can also be liable for a loss it causes whilst providing a service to its client, the fund. Whether a loss falls to the PI or Fraud section of the policy will depend on the precise cover within that wording, but there is clearly the potential for confusion and cross-over in determining where it is covered. For example, if an asset manager suffers a theft of their own balance sheet money then there would be a fraud claim; however, if it is their client’s money that is stolen then there would likely be a PI claim for the asset manager’s negligence and breach of duty.

Even when third-party administrators are involved in processing payments, this is still a surprisingly common loss in the asset management space, so we would recommend engaging with third-party providers so that there is clarity in terms of who is responsible for which procedures.

If the policy is broad enough it should also include extortion cover; however, a vast number of insurers are now looking to exclude this from IMI as they believe it is better suited to a Cyber policy. The primary difference between the two in this instance is that cyber policies pick up the cost of bringing in breach response experts and can also be used to cover the payment of a ransom, whereas a Fraud policy would just cover the direct financial loss, i.e. the ransom payment. Since extortion is covered by both fraud and cyber policies there can be some overlap, so it is important that these policies dovetail with each other when purchased together. Care should therefore be taken to ensure that there are no gaps in coverage and that your exposures (e.g. security posture and fraud procedures) are taken into consideration and reviewed accordingly.

Losses

The release of Howden’s article on claim trends for asset managers showed that one of the top trends we are expecting to see going forward is social engineering claims. 

Social engineering is an umbrella term used to describe circumstances in which individuals are duped into paying funds to the account of a criminal actor.

One example of this that comes up regularly relates to invoices that are intercepted by criminal actors who then change the bank details and divert funds to their own accounts. In some cases systems are infiltrated months before an attack is carried out, to monitor email traffic and learn communication and payment patterns. Often an email diversion rule is set up so that the victim will remain completely unaware of the situation as it unfolds.

Our claims data shows that regulatory investigation and investor complaints are still top of the table in terms of most frequent claims for asset managers; however, fraud losses seem to be on the rise. According to IBM's 2023 Cost of a Data Breach report, data breaches initiated through social engineering techniques averaged costs over $4.5 million. This represents a 2.3% increase from the 2022 cost of USD 4.35 million. Phishing and stolen or compromised credentials were responsible for 16% and 15% of breaches, respectively, with phishing moving into the lead spot by a small margin over stolen credentials, which was the most common vector in the 2022 report.[1]

We are therefore keen to make sure that our clients are adequately protected from losses arising out of fraud.

Looking ahead/mitigating loss

With the risk landscape continually changing and criminal actors using increasingly sophisticated tactics, Fraud insurance will need to continue to provide the appropriate cover. Insurance can be a vital tool in helping victims to prevent fraudulent activity by encouraging good practices such as call-backs to known numbers and the use of Multi-Factor Authentication (MFA), as well as helping to mitigate larger losses. Then, of course, there is the main purpose of insurance: reimbursing policyholders by paying valid claims as a last line of defence. Prevention is always better than the cure, so in addition firms can help to protect themselves by ensuring staff are given access to frequent training, and by implementing software to identify signs of social engineering and phishing in an ever-changing environment. As stated by Forbes, organizations' average phish-prone percentage (the percentage of users who fall victim to social engineering scams) drops from 32.4% to 5% after a year of training.[2]

The FCA has recently highlighted the need for financial firms to boost protection against AI scams[3], warning that new innovations can manipulate language, audio and visual to carry out fraud. We have seen recent examples of this through the emergence of deepfake technology, which is defined as ‘a type of artificial intelligence used to create convincing images, audio and video hoaxes.’[4] In Hong Kong, for example, a bank manager transferred $35m to criminals, believing he was communicating with a senior director he knew well, when in actual fact he was speaking to deep voice technology which was impersonating the contact.[5]

Conclusion

Fraud (Crime) cover is not always purchased as part of IMI policies and the importance of it can sometimes be overlooked.  However, given the rise in fraud losses and potential cost efficiency in adding this cover to your policy (usually a small additional premium to include Fraud as part of your PI limit), it is certainly something we would recommend to our asset management clients, especially now that the market is in a softer cycle.  It can also be a vital tool to help feed into our clients’ risk management framework by encouraging best practices.

If you don’t already purchase Fraud cover and would like to find out more information on how it can benefit you then please do get in touch with either myself or your usual Howden contact.

Adam Coates

Senior Account Executive


M: +44 (7923) 232614