Q: A cannabis business had roughly $200,000 stolen through a sophisticated cyber theft. Will the money and securities insurance provisions cover this loss? The policy states there is coverage if money was stolen while in the bank.
A: Great question. We’ve seen a few of these scenarios, and not just in the cannabis industry – all types of businesses are at risk. Coverage varies depending on the terms of your policy and how the funds were lost. For example, Your coverage will likely be capped at the money and securities sublimit. A social engineering sublimit may also apply if the money was stolen via a business email compromise scheme, fraudulent instruction emails, or another social engineering tactic.
Without reviewing the terms of your specific insurance policy, it’s impossible to know what’s covered and what’s not. That’s why it’s so important for businesses to take every step possible to avoid financial loss. Below are four important steps to take.
1. Understand Common Fraud Types
It’s easier to steer clear of cyber theft if you know the tricks fraudsters are using. Phishing tactics are just one scheme. According to Quadscore, there are two common impersonation-based fraud schemes:
- Impersonation of authority schemes occur when a fraudster contacts an employee (often a low-level employee) via phone or text, pretending to be a manager or other high-ranking official within your organization. The fraudster fabricates an urgent reason to withdraw a specific amount of cash and gives the employee transfer instructions, often using a Bitcoin machine.
- Impersonation of vendor or business partner schemes use email. A fraudster posing as a vendor or business partner may create an email address that closely resembles the vendor or partner’s legitimate email. The fraudster explains they’ve changed their bank account and provides instructions to wire future payments to the new account.
2. Train Your Workers
Since scams may target both low- and high-level employees, everyone at your company needs training on how to spot and avoid cyberattacks. For example, you should train workers on how to check email addresses to ensure they are legitimate and how to avoid phishing attacks. After initial training, provide refreshers with information on how to avoid the latest scams.
Employees should also know how and when to report fraud and possible fraud. If an employee falls for a scam or clicks on a malicious link, a quick response could help mitigate the damage.
3. Establish Policies to Verify Identities and Requests
Although spotting a fake email address will help companies avoid some scams, this won’t always be enough because some hackers use legitimate emails. Microsoft Security reported on one scam in which attackers first gained unauthorized access to a legitimate email account at a law firm. The attackers were then able to use the real email address to send clients invoices or links to pay online, directing the funds to their own bank account.
This risk means it’s important to have policies in place to verify identifies and requests for sensitive information, wire transfers, bank account changes, or funds via other means, such as cryptocurrency or gift cards. For example, you may want to implement a policy stating that employees receiving requests must call the person making the request by using a verified phone number – not the phone number provided in the request. Whenever possible, confirming requests in person is ideal.
4. Maintain Secure Devices, Accounts, and Networks
If hackers access your devices, networks, or accounts, they may be able to spread ransomware, steal data, or take control of email accounts to carry out future scams. Good cybersecurity is therefore essential. Some basic measures include using:
- Strong passwords and two-factor authentication. You should not share passwords and should change passwords when employees leave the company.
- Settings that prioritize cybersecurity. For example, the principle of least privilege limits access to a need-to-have basis. This is especially important for the Remote Desktop Protocol, which is vulnerable to exploitation.
- Firewalls, antivirus programs, and security patches. All these are important, but security patches are often the weak point. Businesses that fail to update their computers with new patches may be easy pickings for hackers.
To strengthen your defenses, combine strong cybersecurity practices with comprehensive insurance coverage tailored for your industry.
Do you need help reviewing your insurance coverage? Contact Heffernan Insurance Brokers.