Meet the Mishaps: Liability Larry and Catastrophe Cathy are married with two kids, Deductible Dudley and Peril Polly, and a dog, Risk. As their name would imply, they are often faced with very unfortunate circumstances. What’s worse, everyone around them seems to get caught up in their bad luck, too!
Join us each month as we dive into some of the adversity that comes their way, all from the insurance perspective!
The Story
Liability Larry loved his job as the Chief Financial Officer of Risky Widgets Company (RWC). He enjoyed working with his colleagues and stood behind the top of the line widgets the company produced. As one of the largest manufacturers and distributers of quality widgets, Larry had responsibility for a large staff and a large budget. With a solid team working with him, Larry trusted his staff’s judgment.
The Loss
Widgetland had been purchasing widgets from RWC to sell in their store for thirty years. An error caused them to double pay an invoice for $26,000. The owner of Widgetland sent an email to Larry requesting the funds be returned.
Larry asked Joe, his accounting manager, to refund the overpayment to Widgetland. A short time later, Joe received an email from Larry stating that Widgetland had recently changed banks. The email provided an updated bank account and routing number for any future funds transfers.
Joe made the change and sent the money. When Widgetland called to say they hadn’t received the transfer, Joe confirmed where he’d sent it and that’s when he discovered that RWC had been the victim of a spear-phishing attack.
The Investigation
Spear-phishing happens when hackers infiltrate a company’s computer system and then mimic the company’s practices and procedures using email. Joe had no reason to suspect that the email he received from Larry was actually from a hacker. The hacker pretended to be Larry in order to trick Joe into sending the funds to the hacker’s bank account.
Larry notified the rest of the executive management team, and together they consulted with their insurance agent.
The Outcome
Unfortunately, this loss was not covered under RWC’s general crime insurance policy due to an exclusion known as voluntary parting. RWC did not have a cyber policy in place, having declined to purchase a policy. They had invested heavily in firewalls and the in-house technology professionals felt that RWC was secure from hackers. They thought a cyber breach couldn’t happen to them.
The cyber policy RWC considered purchasing could have covered them in case of a data breach and the costs associated with that incident: public notification, remediation measures, investigation fees and defense against lawsuits. While RWC’s system was hacked, they didn’t suffer a data breach as defined in the policy. The hacker tricked the accounting manager into willingly sending money to an unintended account. In order to have coverage for the type of incident that occurred at RWC, they would have needed to add a spear-phishing endorsement to the policy at the time of purchase.
The Lesson
Many businesses, RWC included, feel that they are taking adequate measures to protect themselves from cyber hacks and data breaches. However, every business, regardless of size is susceptible to a hack. Cyber thieves are smart, and they invest more time than any of us can imagine infiltrating corporate computer systems looking for an opportunity to steal anything that can make them money. In their search for vulnerabilities, hackers will find holes in procedures and look for ways to manipulate unsuspecting employees.
Since the incident, accounts payable procedures at RWC state that all requests to update payment information must be verified by phone. RWC also instituted an employee awareness and training campaign to lessen the chances of another hack. They implemented policies designed to address password security, awareness of the various tactics that hackers use to gain information, and various other measures.
While RWC’s insurance agent had secured quotes from several reputable insurance carriers, RWC still was not convinced of the need. Now that a breach had occurred, Larry and the rest of the executive team understood the benefit. They reached out to their agent again for quotes, but their procrastination proved costly: Already the victim of a hack, the cost of coverage for RWC was significantly higher.