Does it seem like there is a new data security breach headline every time you read the news?
- “Insurance Startup Leaks Sensitive Customer Health Data”
- “IRS Scam Leverages Hacked Tax Preparers, Client Bank Accounts”
- “Insurance company hacked – client personal data possibly breached”
- “If you shopped at these 15 stores in the last year, your data might have been stolen”
Cybercriminals and other fraudsters make a full-time job out of finding new ways to commit fraud. They are regularly evolving their techniques to exploit system or process gaps that give them access to sensitive personal data. From there, they may use the data to take over client accounts, possibly your clients’ accounts!
Account takeover (ATO) fraud is a growing risk to you and your clients. ATO fraud is a form of identity theft where a third party gains access to some unique details (e.g., passwords, log in credentials, etc.) of a user’s accounts. They commonly use phishing attacks, spyware, or malware scams to obtain the personal data. By posing as the real customer, fraudsters may alter account data, withdraw funds, make purchases, and use the information to access other accounts. For example, it is not unheard of for a producer’s email box to be hacked as a result of a phishing attack, providing a fraudster enough information about a client and his assets to call a carrier and impersonate the client. In 2017, ATO fraud tripled and resulted in $5.1 billion in losses.
Maintaining relationships built on trust and preserving your reputation are important to you. As part of their overall experience, consumers expect to be increasingly confident in your ability to proactively keep their information secure. With consumer protection in mind, regulators commonly advise consumers to keep their information safe and to ask their financial professionals questions about their cybersecurity controls. An example of this can be found in this piece from the Minnesota Department of Commerce: https://goo.gl/doq8kG. Clearly, you don’t want vulnerabilities in your email, customer relationship management software, or another system to be the cause of one or more of your clients becoming an ATO victim.
While insurance carriers and other financial services companies have anti-fraud detection controls in place, an all-hands-on-deck approach is necessary to help prevent ATO fraud. There are steps you and your clients can take to help protect personal information:
- As an insurance producer, you are responsible for protecting your clients’ personal information with effective information privacy and security measures. This may include having administrative, physical, and technical safeguards in place that are reasonable for the size, nature, and complexity of your business. Are you taking reasonable precautions to ensure your clients’ personal information is kept secure and out of the hands of fraudsters? Is your staff regularly trained on this topic? To help protect your data, contact us for your own copy of a popular CyberSecurity Guide from one of our leading insurance carriers.
- Call your client to verify any withdrawal requests received, especially by email. If you or your staff facilitate or process a fraudulent request, you may be responsible for any losses and/or subject to potential disciplinary action.
- Discuss the following considerations with your clients to help protect their assets against ATO risk:
- EFT Authorizations: Have your clients submit Electronic Funds Transfer (EFT) Authorizations with their receiving bank account information to their carriers or other asset companies. Proactively submitting electronic transfer instructions may reduce withdrawal request processing time, especially in those urgent situations when your clients need funds promptly. In addition, having a valid EFT authorization on file provides the carrier a document for comparing signatures and bank information against future withdrawal forms received, especially suspicious and/or fraudulent withdrawal forms.
- Online account registration: Have your clients establish online account registrations with their asset companies using strong passwords as well as secure email and contact information. It is easier for fraudsters to create a new online account in their victim's name than hacking into an existing, secure one.
- Include you: Ensure your clients involve you in withdrawal requests from your asset companies. When you are in the loop, you can inform them of related considerations such as potential surrender charges, fees, tax implications, etc. Most fraudsters avoid involving their victim’s producer in an ATO attempt because the producers know their clients.
- Technical measures: Ensure your clients are utilizing effective device and internet security protocols such as running anti-virus and malware updates, changing their passwords regularly, using secure connections, etc.
- Additional resources: More information on identity theft and protection may be found on the “Identity Theft” page of the FTC Consumer Information site (https://goo.gl/x2ziW2).
Ann Arbor Annuity Exchange
 Whittaker, Zack. “Insurance Startup Leaks Sensitive Customer Health Data.” Zero Day. 24 May 2018. Web. Accessed on 17 Jul 2018 at https://www.zdnet.com/article/insurance-startup-leaks-sensitive-customer-health-data/
 “IRS Scam Leverages Hacked Tax Preparers, Client Bank Accounts.” Krebs on Security. 19 Feb 2018. Web. Accessed on 17 Jul 2018 at https://krebsonsecurity.com/2018/02/irs-scam-leverages-hacked-tax-preparers-client-bank-accounts/comment-page-1/
 Adriano, Lyle. “Insurance company hacked – client personal data possibly breached.” Insurance Business America. 29 May 2018. Web. Accessed on 17 Jul 2018 at https://www.insurancebusinessmag.com/us/news/cyber/insurance-company-hacked--client-personal-data-possibly-breached-101866.aspx
 Green, Dennis and Hanbury, Mary. “If you shopped at these 15 stores in the last year, your data might have been stolen.” Business Insider. 14 Jul 2018. Web. Accessed on 17 Jul 2018 at http://www.businessinsider.com/data-breaches-2018-4
 Pascual, Al, Marchini, Kyle, Miller, Sarah. “2018 Identity Fraud: Fraud Enters a New Era of Complexity.” Javelin Strategy and Research Report. 6 Feb 2018. Web. Accessed on 17 Jul 2018 at https://www.javelinstrategy.com/coverage-area/2018-identity-fraud-fraud-enters-new-era-complexity#
This material is designed to provide general information on the subjects covered and it is not intended to provide specific legal advice. Please note that Ann Arbor Annuity Exchange and its representatives do not give legal advice. You are encouraged to seek legal counsel as necessary for your particular situation. Producers are responsible for meeting the regulatory requirements in the states they conduct business.
Registered Representatives and Investment Adviser Representatives should follow the requirements of the carriers they represent and their broker/dealer and registered investment adviser, respectively.
Designed for Financial Professionals.