Why your clients’ clients need to be picky about cyber insurance too

Why your clients' clients need to be picky about cyber insurance too

Why your clients’ clients need to be picky about cyber insurance too | Insurance Business Canada

Cyber

Why your clients’ clients need to be picky about cyber insurance too

A good cyber insurer can help your SME clients and their customers

Places, industries, and names have been changed to preserve client privacy 

In Ontario’s fruit belt, the owner of a fruit supply company found herself plucked from the orchards of Niagara and thrust into the complex web of a cyber scam that would put a business relationship spanning two generations to the test.  

Isabella Montclair, “Ellie” to everyone who knows her, is the dynamic and visionary leader behind Montclair Orchards, a family-owned stone fruit supply company nestled in the picturesque countryside of Niagara-on-the-Lake, ON. Her grandfather left the orchards for the office in the 1960s to build Montclair Orchards into the successful business she eventually inherited from her own father. With an eye toward the future and roots firmly planted in the local economy, Ellie embraces technology to expand and simplify operations. And it’s paid off. A new e-commerce website, along with online invoicing and payment processing, has made it even easier for Montclair Orchards to connect with farmers, retailers, and the hospitality industry.   

Ellie’s approach to digital expansion has been measured. An IT department isn’t in the budget, but she keeps an IT consultant on retainer. When she made the decision to move more of the business online, Ellie listened to her insurance broker and invested in robust cyber security insurance—something she admits she didn’t see the point of at the time.   

Cyber insurance – the best business decision

“I almost skipped cyber insurance,” she said. “But my broker thought it was a good idea. She showed me some stats – how nearly half of all Canadian small businesses get hit with a cyberattack every year. But I really didn’t think it applied to me. Surely hackers were too busy with mega corporations to mess with a fruit supplier in rural Ontario.”   

See also  Insurers advised to consider risks as businesses adopt greener practices

Within the year, cyber insurance would prove to be the best business decision Ellie almost didn’t make.   

“My bookkeeper called me at home one evening,” she recalled. “One of our oldest accounts was in arrears and things were… ‘escalating’. I was surprised to hear it was Josette. Josette’s Jardin had been one of my dad’s clients. And for as long as I’d known her, she’d never missed a thing – not a plum, not a peach and certainly not a payment. I figured it had to be a mistake.”  

The bookkeeper agreed. That’s why she was calling. She explained to Ellie that she had triple-checked the account at Josette’s insistence. However, when she suggested that perhaps Josette had made a mistake – an honest error, even – it was not well-received. Before hanging up on the bookkeeper, Josette remarked that perhaps Montclair wouldn’t lose payments if they hadn’t changed banks.  

Her bookkeeper was flustered and confused. An important client felt insulted. Several thousands of dollars were missing. And what had Josette meant about changing banks? It was time for Ellie to step in.  

After ending the call with her bookkeeper, Ellie dialed Josette. It was getting late, but Josette answered on the first ring.  

It became clear to Ellie that this was no clerical error. Josette had paid her invoice to what she thought was Montclair’s new bank account – the details had apparently been sent to her accountant last month from Ellie’s bookkeeper. Josette had an electronic paper trail to prove it.  

Ellie felt sick. She hadn’t made any changes to their banking since her dad died five years ago. She was starting to panic. Not wanting to spook Josette more, she ended the call, promising to “make things right” as soon as she could.  

A few frantic texts to her bookkeeper confirmed that no-one from Montclair had emailed Josette’s accountant. She trusted her books. She trusted Josette. She began to wonder if someone else might be to blame for all this.  

See also  Visualising higher catastrophe bond spreads & pricing

It was very late. Her head was spinning with the implications of what she suspected. They’d been scammed, but how? Should she freeze her accounts? Shut down the company email? Take everything offline? She had cyber insurance, but would it help?   

Hackbusters

“I had no idea what my cyber insurance covered,” she said. “My broker told me I could call BOXX Hackbusters any time I wanted without having to make a claim. Expert advice 24-7. That’s what I was going to need to get through this mess.”  

After 20 minutes on the phone with the Hackbusters, Ellie learned she and Josette were the victims of a social engineering attack. It was the kind of cyberattack that typically involved hackers tricking people into parting with sensitive information or money. 

The Hackbusters verified that Ellie’s business email remained secure thanks to the company’s use of multi-factor authentication (MFA) logins. They investigated meticulously, requesting copies of all correspondence between Montclair Orchards and Josette’s Jardin. It didn’t take them long to piece together what happened.   

“That email that was sent to Josette – the one with updated banking information – it didn’t come from us,” Ellie explained. “It came from ‘monclairorchards.ca’. We’re ‘montclairorchards.ca’. The missing “t” was the smoking gun.”  

It was called “spoofing” and it was what tricked Josette into paying cyber thugs instead of her supplier. The scammers had hacked into Josette’s business email account to learn about the payment arrangements between the two companies. This meant that while both businesses were victims of a sophisticated social engineering attack, Montclair Orchards wasn’t liable. Ellie was relieved, but she worried that proving her company wasn’t at fault might not be enough to salvage her valuable working relationship with Josette.  

See also  Leadership lapses undermine workplace safety in New Zealand – report

To help with this, the Hackbusters drafted a letter to Josette, carefully outlining the findings of their investigation. It was an invitation to a discussion. Josette’s Jardin had clearly been socially engineered into sending money to scammers and the BOXX Hackbusters team was on hand to help. They answered Josette’s questions and helped her understand how her own cyber vulnerabilities had exposed both companies to an attack.  

The Hackbusters advised Josette to contact her bank and law enforcement to recover the funds. They helped Josette improve her cyber security courtesy of the complimentary services included in Ellie’s BOXX Insurance package. To Ellie’s delight, Josette directed her brokers to secure her own BOXX cyber insurance, now that she’d experienced firsthand the risks of doing business in a digital world.   

“We were lucky,” Ellie reflected. “The bank recovered Josette’s money and we got paid. Josette remains one of our best clients. Without BOXX and the Hackbusters team, I don’t know that everything would have worked out this well and all without the need to make a claim.” 

The BOXX approach to cyber insurance is ALL IN ONE, emphasizing training small businesses’ employees, and predicting and preventing cyber events, so clients rarely have to claim.  Most cyber threats are managed, and cyber events get robust and effective responses, making claims rare.  

With a focus on prediction and prevention, Cyberboxx Business helps small to mid-sized businesses build digital resilience. With protective tools, training and access to world-class incident response and recovery services, it’s no wonder more Canadian brokers choose BOXX for their small business clients.   

Keep up with the latest news and events

Join our mailing list, it’s free!