Vulnerable and Oblivious: Cyber Risk in High Net-Worth Personal Lines

Although some small businesses still need convincing, the commercial community is generally starting to accept cyber insurance as a necessary business practice.

You can’t say the same of cyber insurance in personal lines. Given the potential payoff of hacking a company compared to an individual, that makes complete sense—until you consider the high net-worth market.

“A lot of people today have focused on commercial aspects of cyber, but as a consumer, you face many of these same challenges,” says Eric Cernak, vice president for reinsurer Munich Re America.

From phishing attacks on bank and medical accounts to tax and insurance fraud, “folks with higher income and more assets—whether they’re financial or physical or something else—are more of a target for cybercriminals because they have more to lose,” points out Jessica Groopman, independent industry analyst and IoT adviser. “If you’re talking about a celebrity, for example, they’re going to be more attractive to a hacker than someone who’s renting a studio apartment.”

“For typical people, it might not be worth that level of effort,” Cernak agrees. “But if you’re talking about high net-worth people, criminals get very creative with how they can monetize some of these attacks. You almost have to be a little bit paranoid, because that’s the only way you’re going to even come close to defending yourself.”

According to Julie Conroy, research director at Aite Group, financial institutions are seeing 100% year-over-year increases in application fraud. “That’s because there is so much data in the hands of criminals right now, and they’re using it,” she says.

Even more alarming, the sophistication of cybercrime against individuals is increasing at similar rates. “We used to see that somebody would just steal a credit card,” recalls Christie Alderman, vice president, client product and service manager at Chubb. “Now, we see situations like people stealing your medical identification and your insurance coverage, and going to get medical services under your name. Now their blood type’s on your records. It’s become a lot more complex.”

Or, “you hear about successful attacks on health care providers where criminals get ahold of 80 million records that have full identity information, including social security numbers,” Conroy says. “They then turn around and use that to open new lines of credit in the names of all those people. And it takes a long time for consumers to notice—the way most of them find out is they get that pink collections slip in the mail when the criminals have decided it’s time for them to disappear and move on to greener pastures.”

The main cyber-related vulnerability at the individual level is the same as it’s been for years: Consumers refuse to adopt best practices when it comes to technology. When Aite Group surveyed consumers in seven countries about the ways in which they engage in their own personal financial protection, it found that the majority still use the same username and password for some or all of their online relationships.

“It didn’t surprise me, but with all these headlines about breaches, it’s a bit disheartening,” Conroy says. “That just makes it so easy for the bad guys.”

Why? If a cybercriminal obtains your username and password in one hack, the first thing they’ll do is upload those credentials into automated bots and direct them against as many online properties as possible, Conroy explains: “When they find one where it works, then they maximize their opportunity. That’s one of the major attack sectors we’re seeing. As I talk to both e-commerce merchants and banks, the rash of resulting account takeover is incredibly painful right now.”

And consumers are no smarter about their smartphones. Although mobile malware is on the rise—Aite Group cites less than 1 million related incidents in the first quarter of 2014, compared to nearly 2.5 million in the fourth quarter of 2015—the majority of consumers in the U.S. do not have antivirus or antimalware software on their smartphones. Similarly, many do not use any form of authentication on their mobile device: While 55% of U.S. consumers use a pin and 35% use a touch ID or other fingerprint biometric, 18% use none at all.

“Consumers don’t treat these devices like the very powerful computers that they are,” Conroy explains. “We’re seeing a rapidly growing trajectory of malware directed against that mobile phone environment. There’s lots of malware out there targeted to mobile environments, so if it’s not properly secured, that could grant great access to all the information that’s flowing through.”

“You probably don’t think of the ways in which you’re necessarily being hacked already,” Alderman agrees. “A lot of people already have a lot of vulnerability.”

For example, “a lot of the apps you’re downloading may be sharing information with third parties, and it’s not entirely clear what those third parties are doing with that information,” Alderman points out. “You have to be aware when you’re accepting terms and conditions on your app of where your information is going. Maybe it’s access to contact information, maybe it’s permission to turn on your camera at any time—sometimes it even allows for things like ambient listening. There are some really serious vulnerabilities if you’re not paying attention.”

And smartphones aren’t the only devices that are susceptible to cyberattacks—smart home systems, which high net-worth individuals are more likely to purchase, have similar vulnerabilities. For details on how cybercriminals can use the Internet of Things to attack affluent individuals, keep an eye on IAmagazine.com and upcoming editions of the Markets Pulse e-newsletter.

Jacquelyn Connelly is IA senior editor.