The truth is, around 80 percent of all fraud businesses face starts from inside the company.
That's an uncomfortable feeling they shouldn't have to deal with every day.
Not to mention the increasing deception business owners face from outside threats.
The truth is, regardless of where it starts, it's unlikely they'll see any of it coming until it's too late.
Hugh Sprowson, Senior Underwriter at Argenta, talks about the role you can help play to handle that broken trust.
Joey Giangola: He was browsing. How are you doing today, sir? Hugh Sprowson, how are you doing today, sir?
Hugh Sprowson: I'm very good, Joey. How are you?
Joey Giangola: I'm doing all right, Hugh. I want to know this. We had a chance to catch up quickly before this and I have to know, if you had to pick the best one two debut followup albums of any band, who has the best one two offering to start their career?
Hugh Sprowson: Well, I think that's an easy one for me. I'm going to have to go with Oasis. It was a very formative part of my life from when Be Here Now and Definitely Maybe came out and I just thought it was a sound unlike nothing I'd ever heard. And as you know from our conversation last week, I'm in a band now and we were trying to recreate some version of that sound ourselves, so I'd have to go with that one.
Joey Giangola: Okay. I'm a big Oasis fan myself also. I think in those formative years, I was in elementary school, junior high, and just singing Don't Look Back in Anger to myself. If you had to pick a track, what's the track? What's the number one go to Oasis track?
Hugh Sprowson: Yeah, I'll have to say probably that one, just from the reaction we get from the crowd when we play it. Our last gig was 200, 250 people and we had everyone singing along and it's just an awesome feeling. It's just an awesome feeling.
Joey Giangola: Is there any part of you that is slightly devastated that they will probably never make music again together?
Hugh Sprowson: That's an interesting one, isn't it? But I suppose with bands, there's plenty of examples of bands going on too long and losing their mojo. And I just think maybe if you can make... I know they went on longer than two albums, but if you can make two really, really great albums and perhaps not extend your popularity too long, it's better to leave a legacy like that than just carry on ad infinitum and maybe lose what made you unique in the first place. So, yeah, it is a shame, but you've got volatile personalities in any environment, I guess at some point, things are going to blow up, potentially.
Joey Giangola: Yes. We could consider it a commercial crime that they have not released anymore material, but let's talk about something that is, I guess, maybe more serious, a little more adult, a little more grown up. What is going on in the world of commercial crime? What are you seeing? What is happening there? And where do you think agents need to be paying attention?
Hugh Sprowson: Yeah, it's a very interesting time, not just in the commercial crime space, although that's obviously what we'll specifically talk about, but just in the insurance market in general. I've been in the Lloyd's Market now for 20 years and the industry for 25 years. Now, I can honestly say, I have never seen volatility and market change like it. And I think obviously, the main driver of that at the moment is the COVID pandemic. And commercial crime, I don't think is exempt from the effects of that at all. In fact, I think it's affected that particular segment of the market, perhaps in ways that maybe agents and indeed the clients are maybe not quite understanding or are only starting to understand.
We're seeing a lot more inquiries in this space and actually, I'm surprised we're not seeing more. One thing we notice in times of duress is that there's always an expectation that a crime or at least attempts on crime will increase. And that can come from multiple directions. And I think this is either what businesses are facing or discover they're facing because sometimes fraud and crime can take it's time to work its way through the system and be discovered. But I think where you've got, first of all, there's the increased moral hazard of your staff. Now, we still believe that fidelity lawsuits, as we call it in the [inaudible 00:04:00], or employee dishonesty is still probably the single most prevalent factor in the losses that we see in this space.
And when you have an environment in which obviously, there have been, unfortunately, job losses and just a general feeling that maybe jobs aren't as secure as they once were. Clearly that creates an environment in which people might be tempted to commit an act of dishonesty. It ay be driven by desperation, it may be driven by all sorts of things. Some people commit fraud just because they perceive it to be a way of getting money illegally, but I think some people do it to try and support their family, if they're in tough straits, It could be all sorts of things. Gambling problems we see, there's all kinds of things going on in people's lives that as an employer, you probably wouldn't know. So I think that's one aspect where we see the moral hazard of employees working within the businesses themselves, perhaps being tempted during this particular time of upheaval.
But also, I think particularly where we've got businesses that have had to move to remote working, none of us or a lot of us anyway, have not tested this process before. It's a challenge to see how systems are going to respond to that. I think some industries, perhaps like the insurance industry and other financial services industries, were perhaps more prepared and better set up for it, but sometimes that creates dislocation in your systems. And again, one of the things we always look at is whether there's certain controls and procedures in place, particularly over things like check signing and payment instructions, and those are being challenged in a remote working environment. It's easy enough to do when you're sitting in the same office and you can get forms signed by a colleague who works on the next desk or down the hall, but clearly when you're working remotely, that's not possible.
And I think fraudsters are well aware of that and they will since take advantage. So I think in the current climate, there is an increased risk. I think there is, as I say, this it's very febrile environment created specifically by COVID. And I think that will undoubtedly mean that businesses at this point in time are more susceptible to a crime, a theft, a forgery, a fraud, a cyber event, than perhaps was the case at other times. So it's definitely a risk that I think businesses should be considering. I think it's a very critical risk to a lot of businesses. I'm not sure it's one that they always place at the top of their agenda, but I guess if I can put one message over today, it's maybe that perhaps it should be.
Joey Giangola: Well, you had mentioned that it sometimes takes time for the crime to filter its way through the business. Do you have any sort of average amount of time that it takes, once a crime has started within the business to where it actually surfaces?
Hugh Sprowson: Yeah, sure. So clearly for the more basic physical losses, if some stock gets stolen or there's a cash theft, clearly that's discovered fairly quickly, but I think the more complex frauds, particularly one where employees, at the end of the day, and I hate to go back to it. I'm not accusing all employees of being fraudulent actors by any means, but they tend to be the ones who not only know how best to extract money illegally from the business, but also how to cover it up. And I would say commonly for the larger frauds, you could easily be talking two, three years for something to eventually come to light. And often, it sounds really, really strange, one of the questions we will always ask and it's tough in the U.S. because of labor laws, is whether employees are taking their vacation allowance every year.
And sometimes people look a bit askance at us and wonder why we're so concerned about whether employees are taking vacation or not, but still, I think the most common why these frauds are discovered is when somebody has to leave the business either for vacation or for other reasons, someone else has to take over their position and they find that there's been some suspicious activity going on. So that's the reason we ask. And I think again, if the practice of the business is not to enforce that rule and not to insist on that happening, then sometimes, it can take long time. And we've already seen 15, 20 years of systemic theft going on, but remained undetected all that time.
Joey Giangola: Yeah. It's pretty intense. You don't want to... So I guess, I always wondered why they stress taking vacation. Now, I know. I had actually never put two and two together, but there's actually a reason for it, outside of wanting you to recharge your batteries. They just want to double check everything.
Hugh Sprowson: Right. And I think there are various question sets in all classes of business that we ask. And as I say, that is one of the standard questions. It's tough in the U.S. because unlike in this country, where we get a considerable allowance of vacation, the U.S. standard seems to be ten days of which five days tends to get taken at one time. Although, you do stock up on public holidays a lot more than we do. I have noticed that.
Joey Giangola: Well, you got to make up for it somewhere. Right, Hugh?
Hugh Sprowson: I guess.
Joey Giangola: Well, let me ask you this though. You had mentioned it not being at the top of the list. What do you think is preventing that awareness into it being much more higher priority for businesses than it is?
Hugh Sprowson: Well, I don't know. And again, I think maybe this is the job of the agents out there. I think businesses, I think, especially in these current straitened times, it's all about cost and what they perceive they will get back for that cost. And I do understand that the premium we charge for these products will only add to that cost. But I think your assets as a business, as well as your people, if you're a retail outlet and you've got stock in warehouses, that's an asset to you. That's something you want to sell to generate revenue. And if that was stolen, that's money coming out of your pocket. And I think often, people will think about the physical side of damage, flood, and fire, and that kind of risk, but if someone gets in a lorry full of mobile phones or iPads and drives off with that, that could be considerably more devastating than a small fire.
So I think maybe it's just a matter of perception. I think sometimes clients have driven down the road of, "Well, I'll only buy what I have to buy, whether that's statutory or whatever it might be to protect my employees," but I think you have to look at what such an event could do to your business and the damage it may cause. And sadly, what we see a lot of the time, we only have people coming to us and applying for this insurance when the problem's already happened. And of course, as a buyer, that is the worst position you can possibly be in. You're now submitting an application with a theft or a fraud or a whatever it might be on your record. And clearly, you're then not going to see the benefit of a premium and a retention level that you would have done, had you taken the action to buy the policy before the event.
So I guess it's one of those things where it depends what's important to you. It depends how your priorities sit, in terms of protecting your assets, but at the end of the day, my view would be the commercial crime policy, significantly protects your assets. And at the end of the day, that is what generates value for your business. So I really see a major value in this product and whilst we don't tend to see the huge losses, perhaps that are generated more on the financial services side of the book that we have, nevertheless, a lot of the commercial entities that buy the crime products are much smaller. So they're much less able to withstand the fraud or the problem when it comes along.
Joey Giangola: Yeah, that's another aspect of we're kind of conditioned to buy the things that we can see and touch and have a little more tangibility to them. And that's the other thing, fascination about people being obsessed with buying the coverage that they might actually be less likely to actually have a claim on. What's the frequency at which a business might be at risk for some type of fraudulent event or something like that?
Hugh Sprowson: It's really hard to say because clearly, some businesses are going to be more susceptible than others depending on their size and the type of industry that they're in. I'm going to answer that question a round-about way because one of the phenomenons that we've seen in the past five years is the advent of what's been termed "social engineering fraud." I don't actually like that term at all because I think it's extremely misleading, but let's call it fraudulent payment instructions. And this is something that simply wasn't around five or six years ago. We write a fairly large book of title and escrow businesses in the U.S. and that was where we first became aware of it in 2015. The real estate industry and the escrow industry were, I think I can safely use the word "ambushed" by it by social engineering, which really had never come across anyone's radar before.
And as with all these things, it proliferated outwards into other areas of the economy. And I can pretty safely say that just about any industry you want to talk about was either a risk of this happening or it did actually happen to them across financial services, education sector, healthcare, it was absolutely rife and it's still going on today. And I just think that's probably one example of this idea of, "Well, we hear this all the time, but it will never happen to us. It will never happen to us because we know the people we deal with. Our director signs every check." And it's not enough, Joey. We've seen it, yeah. I'm sure you do know your vendors. I'm sure you do know your counterparties, but these fraudsters are so clever. I have seen some of the email traffic between a business and the fraudster before the loss happens.
And it's actually quite scary in some ways. They've clearly sat on the email for a time and watched conversations go on, so that when they actually forward the fraudulent email, there's some really personal stuff in there sometimes about maybe your football team, or your daughter's name, or did you go to that gig at the weekend? They put all this stuff in to make it look very genuine and people are duped all the time. I think partly because people by nature are trusting, but again, I think in the escrow industry, I think now there's a massive awareness of it. I think the training has been really good. I think the whole industry mobilized in exciting ways in the financial services sector, but I still don't think that's the case for small businesses.
I still think that they don't have the systems and the checks and balances and the controls to fight this, in a way that perhaps other industries can throw resources behind it. And I still think they're very susceptible to this fraud and we see it happen all the time. And maybe it's only $10,000, maybe it's only $15,000, which to a larger business would not be a lot, but to a small mom and pop type shop, that's a lot of money. And sometimes that's precisely the reason that fraudsters will target them because they rely on the fact that there's only one or two people really taking control of transactions and therefore, there is less eyes scrutinizing the transaction when it goes through. So I think that's another reason why we afford social engineering cover within our forms and again, I think that's one specific example of where our industry has responded to a global problem.
Joey Giangola: Yeah, so would you say that that's probably the number one threat that businesses, maybe small businesses, are at risk for these days, is that type of deception around payments?
Hugh Sprowson: Yeah, I think so. Going back to what I said before, I still think employee fraud, generally speaking, I would always say is the biggest cause of loss, the most frequent cause of loss, but if you're talking about frauds perpetrated on the business by third parties, yeah, I would absolutely say that is probably number one at the top of the risk register at this point in time.
Joey Giangola: So I'm curious where you would define this policy and another popular new policy, cyber. Where do you see these passing the baton? Where does one stop, where does one begin? Where do they overlap? Because they're often lumped in together, but yet, they serve very different things.
Hugh Sprowson: Yeah. In my head, the distinction was always very clear. I've been on the financial line side of the market for a number of years and actually, in a bond forms, we always go cyber coverage, except nobody called it that then because that wasn't a cool word to bandy around, but we called it computer fraud. And that's been around since the '70s or '80s, but I think the distinction, as I say, in my head was very clear. The crime market was set up to cover physical assets. And I think that's money, securities, stock in the case of small businesses or even medium sized businesses. And the cyber market was always set up to cover data. It was the intangible assets that may be held by a business, maybe on their computer servers, but we never covered things like loss of personal data.
We never covered business interruption. So I suppose if I put it in a nutshell, I would say tangible versus intangible, but there is a crossover because we would give cover for intangible. Clearly, a lot of people now hold money and securities in electronic form, so if it was an intangible asset, but that still had a monetary or a Fiat value, then I think that could [inaudible] be considered under a crime policy. But as I say, generally speaking for me, the distinction is property and money versus data. And that really was where the distinction should fall. Now, you're absolutely right. There is a lot of blurring of lines and we do see crossover and social engineering is a perfect example of that. I still don't think the cyber market and the crime market can agree on who should be covering that.
And you will see it in both forms. They approach it in a slightly different way. And I think the crime market generally will give higher limits than the cyber market the majority of the time. But again, it just goes to show that there is still some crossover and there is some disagreement as to where the loss should fall. Personally, I don't think social engineering is a cyber loss at all. I think it is manipulation of people to act in a certain way. Just because the instruction has come in by email, that does make it a cyber loss. A cyber loss, to me, is where someone has maliciously attacked your computer system, hacked in, done damaged, stolen data. That's not what happens on a social engineering loss. It's manipulation of people and duping them into surrendering money away on a fraudulent basis.
Joey Giangola: So if you're in the agent's shoes here, is this a conversation that you would try to create separation between the two products? Or try to have a conversation with both of them at the same time, breaking down those differences and where they matter? Or do you think it's easier to keep them separate?
Hugh Sprowson: I would always advocate keeping them separate because I think we'd have to look at the policy forming question, but I think if you have well-written products on both sides, I think that distinction is quite easy to achieve. And I do think the cyber policy will afford very important coverage to a business that the crime policy does not. I'm not a cyber underwriter, but I always advocate buying that product now because I think it's established. That market is now very established, it is generally quite affordable. And again, I think for a lot of businesses, that is a considerable risk that they are running, in terms of a cyber fraud and attempted cyber fraud.
Because again, I think the more we've moved, particularly when you look at businesses that have moved into online trading, contactless cards, card-not-present transactions, there's an awful lot of business now being done offline if you like, or at least through the electronic channels that didn't exist again, 20, 25 years ago. So I think there is clear need as well for we're storing more and more data within our systems. And therefore, I think cyber is an important product, but I do think there is a distinction. As I say, I think the agent clearly needs to make sure that he's happy that that distinction does exist. And if it's not, we're quite happy to tailor coverage accordingly.
Joey Giangola: Hugh, if you had to give an agent your best line for somebody that maybe isn't as familiar selling the coverage, but they want to maybe start making it a part of the regular conversation, what's your best line that they could give off to their clients to justify the coverage. And you could put a little proper English spin on it too, if you want.
Hugh Sprowson: Well, that's a good question. I hadn't prepared for that one, Joey. So you've slightly thrown me for a loop there, but I guess the problem is always close to home. The number of times where we've seen longstanding and supposedly very loyal employees, who've turned out to be completely the opposite, is staggering. It's distressing for the businesses, it's distressing for the employer, but I think you can never... Whilst clearly, you have to operate in an environment where you trust your employees to do a good job, I think you also have to have the controls around that to help them not be tempted, really, because as I say, the problem is that anybody can get into circumstances that leads them down a dark path. And as I say, the one thing for me, is the problem is always close to home and the potential problems are always close to home. And you can never be too careful when you're talking about protecting your own assets.
And sometimes you have to protect those assets from people close to you. And it's a tough thing to think about sometimes, but at the end of the day, I reckon if I had to put a number on it, 75, 80% of the fraud we see, all either emanates from an employee or it's the employee themselves. They either enabled the theft or they committed themselves, and it's tough. And as I say, I don't take any pleasure in saying that, but I think that would probably would be the message, is just don't assume everything's okay because you work with people a long time. You have to look close to home and make sure you're happy with what you've got. But as I said before, this is I major mitigation against the risk to your assets. There is an increasing prevalence of fraud and cyber fraud and social engineering and we are seeing it all the time. And I just don't think you can ever assume you're immune from it because at some point you won't be.
Joey Giangola: Well, prepared or not, I think he pulled it off nicely. I had two more questions for you. And the first one, I want to know where your most excited about. You've been doing it a long time, this type of coverage is ever evolving, like you said, with the new social engineering threat, but where do you think there is the most potential? What do you see coming around the corner that has you excited?
Hugh Sprowson: Well, so we're really excited about opportunities in the U.S. right now. We've never had the ability or actually, the distribution really to get involved with the SME sector, which that's really our bread and butter. That's the industry environment that we like to trade with. So we're just gearing up now to really market ourselves to that segment because I still think, as I said, there's a lot of opportunity to market this product to business owners who still probably are not [inaudible] with the products and perhaps still thinking this isn't necessarily something they need. So, and as I say, I think COVID, in a way, provides maybe the stimulus and the catalyst to do that because I think, whilst I understand that the businesses have other concerns right now, I think equally, one has to think that the last thing they can equally afford is a large fraud. So I think we perceive our product to be helping those businesses become more robust as they come through this problem.
I think around the world, though, it's always exciting in other regions who are perhaps behind the buying curve, compared to the U.S. and the U.K., where perhaps, I always say, the U.S., our clients are great believers in insurances as a risk mitigation tool and always have been, so selling into U.S. is perhaps less challenging as long as you've got a product and an ethos that works, but it's just really exciting seeing other regions of the world starting to understand the value in the products we offer as well. So whilst I love coming to the U.S. and I enjoy trading with my U.S. friends and clients enormously, it's also really cool to see other developing regions also starting to appreciate that they can mitigate their loss by engaging with us and buying our products too. And, as you say, it's always evolving. I might be looking at something in the U.S. this week, Romania next week, Australia the week after, Africa and The middle East are big developing regions too, so there's always something going on.
Joey Giangola: All right, Hugh. The last question to you, sir. If I were to be able to grant you the power to change one thing in the insurance industry, it doesn't really matter where, it doesn't have to be commercial crime related, but if it's one thing, anywhere, what's the thing that you're changing and what it's doing?
Hugh Sprowson: Well, there's an awful lot of answers I could give to that question, but I'm not sure it would make the final cut. What would I change? I think, I'm going to say this in as diplomatic as fashion as I possibly can. I would probably try and eradicate what we might euphemistically call [inaudible] because I still think in a lot of ways, our industry is very old fashioned and what I've actually really appreciated about the lockdown, and as you all know, in London, we do the whole face to face trading thing. And I've always got a lot out of that. I made a lot of very valuable relationships and it's been a wonderful thing, but we never thought that remote trading and operating, working from home would really work because perhaps we were all a little bit fearful of changing our modus operandis, but actually, it has worked brilliant. We've all responded to the challenge. I think response times are actually much shorter. We've all embraced electronic trading in a way that everyone was very reluctant to do before.
And I just think we've got so much wonderful technology out there. We've all utilizing zoom, all of a sudden. There's so much technology we could embrace, I just think we could make our lives so much easier, so much more streamlined and so much easier for clients and agents and everybody else, if we could just find a way to let our guard down a little bit more and embrace it because I think there's still too much concern and fear that we'll lose our unique selling point if we're all, not working from home all the time, but if we go away from those more traditional ways of doing business. And like anybody else, to survive, our industry has to evolve. And I really think I would just like to see the dropping of the reticence to embrace some of the new technology that's been afforded to us and moving forward and making our business cleaner, simpler, faster, and everything else that goes with it.
Speaker 3: It has been fantastic. I'm going to leave it right there, sir.
Hugh Sprowson: All right. Thanks, Joe. It's great to speak to you and have a great week.