Cybercrime is on the rise, and large corporations are not the only target. One form of cybercrime is becoming increasingly common, and it’s having a direct and immediate financial impact on small business owners. This method starts with a hack, moves on to a phish, and then tens of thousands of dollars disappear in an instant.
Imagine a Miami wholesaler that deals with suppliers overseas. One of the overseas suppliers gets hacked. The hackers gain access to all the invoices that are due from that supplier’s customers, along with all of the emails they have sent and received, signature lines, greetings, calendar entries, and the like.
One of those invoices is for supplies that the wholesaler received. The business owner receives an email from the supplier with a friendly greeting. “Did you have a nice vacation? How are the kids? Are you happy with your most recent order of 2,000 widgets? Did you get the invoice? Your busy season is coming up. Can you remit payment this week? And by the way, we have changed banks, here are the new wire transfer instructions.” (Danger Will Robinson!)
The hackers have all of the emails between the wholesaler and supplier for the last year. They can mimic the tone and refer back to prior exchanges. There will probably be nothing suspicious about the email address. This supplier is in China, so it’s very late there and not practical to call. They’re a good supplier. The money is sent. Two weeks later, the supplier calls asking about the payment. By now, it’s too late to reverse the transfer.
Never fret. The wholesaler has insurance, so it’s covered, right? Maybe not. This exposure will not be covered under a property insurance policy or business owner package. It can be insured, however, with a crime insurance policy, if the policy covers this specific type of loss. The policy should include “social engineering” coverage. It could also be called “false pretense,” “voluntary parting,” or “inducement.”
This is important because the wholesaler was tricked into handing over the money, as opposed to the money being forcefully taken. That’s the phishing part, and according to the 2018 Security Report from Check Point Research, 64 percent of organizations have experienced a phishing attack in the past year.
A crime insurance policy could exclude “social engineering” coverage, specifically cover it, or it may be silent. If covered, there may be a lower limit for this type of claim, compared to a more traditional theft, such as employee theft, check forgery, and safe burglary. Either way, business owners should discuss it specifically with their insurance agent or the underwriter who handles the crime insurance policy or quote.
Here are some additional ways to manage risk.
▪ Most important, verify any wire transfer or ACH disbursements with a phone call, even if the time of day is not conducive to a call. This is especially important when there is a change in the usual procedures, like a new bank.
▪ Dual approval of wire transfers also helps. Another set of eyes can provide a fresh perspective.
▪ In the event of a potentially fraudulent transfer, contact the bank as soon as possible. The transfer may be reversible.
▪ Incidents should be reported to the authorities, either the police or the local FBI office. If an international transaction is involved, it will often come under the FBI’s jurisdiction.
Crime insurance policyholders should report an incident to the carrier as soon as possible. Even if the transaction can be reversed, an incident should still be reported as it may be a requirement of the insurance policy. Filing a report with the authorities is typically required to make a claim, as well. An incident can be reported online to the FBI at: https://complaint.ic3.gov/
What happens if the wholesaler is hacked rather than the supplier? It’s happening to Fortune 500 companies with teams of security professionals on staff. How hard would it be to gain access to the emails and sensitive records of a small business?
Businesses that suffer a breach that compromises personal information about others are open to tremendous liability. For starters, they have to comply with laws of the state where each person whose information was obtained lives. There are notification requirements, and they may be required to offer each person a year of credit report monitoring. Not to mention the prospect of being sued.
This is where cyber liability insurance comes in. The carrier will step in and make sure policyholders are compliant with any notice requirements. They will defend in the event of a lawsuit. The policy can also help cover costs to reproduce data or cover lost revenue resulting from a breach.
Cyber liability insurance can also cover theft from phishing. Once again, it needs to be written correctly, and it should be addressed specifically with the agent or underwriter offering the coverage. If risk of a data breach is a greater concern than theft, cyber liability insurance may be the better option.
Today, with so much crime and theft being driven by technology, it’s important to manage cybercrime risk. Crime insurance and cyber liability insurance each have a role to play in risk management. Some businesses may need both types of coverage.
Phil Yanan, CPCU, is an independent insurance agent with Miami-based Wilson, Washburn & Forster Insurance. He can be reached at email@example.com or 786-454-8383.
▪ This is an opinion piece written for Business Monday’s “My View” space in the Miami Herald. The views expressed do not necessarily reflect those of the newspaper.