Accounts Receivables Coverage Helps Fill Supply Chain Gaps

It is standard for companies to insure and protect cash, inventory, property, plants and equipment, and more recently, data. Companies are insuring every step in the supply chain and sales process from concept to delivery. What is often not insured, however, is the last but most important part of a sales transaction—getting paid. You can safely bring your product to market, but if a partner or customer defaults on payment and you have no recourse, you’ve lost your total investment. Your balance sheet takes the hit.

As with most risks, there is insurance for that, too. Accounts receivable insurance protects what is often a company’s most critical asset on the balance sheet. More than just protection from non-payment, accounts receivable insurance puts companies in a stronger position to secure loans with improved credit quality. With accounts receivable insurance acting as a second source of repayment, a company can assure a lender it will not have covenant issues if there is default by a customer.

Consider these hypothetical scenarios: Bob’s company is based in Canada and he sells components to computer chip manufacturers throughout North America. He buys parts from foreign markets to make his product. The company that supplies Bob with parts has been working with Bob for 30 years. Bob has always paid them for their deliveries. Recently, Bob has struggled to receive payment from his customers in North America due to their decline in computer chip sales.

As a result, Bob is now finding it difficult to pay his supplier on time. The supplier believed Bob had risk management protections in place and would always pay them for their delivery. They never thought Bob would go bankrupt. Fortunately for both Bob and his supplier, he has accounts receivable insurance. Even though he was exposed to the risk of his customers not paying, his accounts receivable insurance kicked in as a second source of repayment.

Here is another example regarding the uncertainty of political events in a global economy and how they can impact a company’s balance sheet. A U.S. exporter is selling to Latin America and there are a few countries within the region that are approaching elections. A regime change could mean changes in policies, resulting in the possible cancellation of an import or export license, a moratorium on the payment of any external debts outside the country, or the inability to convert local currency to hard exchangeable currency to make payment. With an accounts receivable program protecting assets, the exporter is able to securely transact with their customers in a foreign market, knowing they’ve mitigated the risk of non-payment due to any potential policy changes or actions.

These examples are not hard to imagine. What is startling to see are estimates that only 8% of U.S. companies have accounts receivable insurance compared with 70% of European companies. In Europe, boards mandate this coverage. This underscores the differences between regional risk perceptions. Perhaps there is a greater recognition of the accounts receivable risks for companies operating in multiple countries, including developing nations with a high degree of political instability.

With the new U.S. administration, Brexit and other unpredictable market forces in play, it is certain that we will be seeing shifts in the global economy. Undoubtedly, there will be bumps along the supply chain as well, and companies will face challenges, including non-payment.

These bumps are not only for the largest global organizations, however. Middle-market companies will face a new competitive landscape, with a push to focus manufacturing in the U.S., and changes to the flow of their supply chain. This will impact costs and the need for extra working capital. Accounts receivable insurance should be viewed as a tool to bolster the balance sheet to provide the liquidity needed to advance business goals.

Accounts receivable coverage provides a competitive edge by giving suppliers the ability to extend credit to their customers as opposed to requiring payment in advance or on delivery. It can be helpful in lengthening payment terms with customers to match or exceed the competition and allows for these aggressive growth strategies without taking additional balance sheet risk. Accounts receivable insurance also can help a company obtain a higher advance rate with lenders that use accounts receivables as collateral. This will provide increased liquidity without having to increase the asset base and can help in negotiating lower borrowing rates.

Supply chain risks are currently taking center stage as one of our greatest concerns. Don’t forget to protect the ultimate objective in the sales process—collecting payment.

Retail Data Security: Preparing for the Top Threat for Holiday Breaches


Here’s the question of the season: What is the true cause of the retail breaches we read about year after year? While malware or ransomware may get most of the scary security press, they aren’t in fact the main culprit. The primary cause of most retail breaches is, by far, stolen credentials. These are the usernames and passwords of employees, contractors or partners of a retail firm. Victim firms such as Target Corp., Home Depot, eBay and others have fallen prey to similar attacks in recent years: a trusted insider’s credentials were stolen and hackers used those to access the network. In some cases, the credentialed access led to the installation of malware on card reader systems, while in others, hackers took different paths.

The point is clear, however: the access credentials of trusted insiders are in fact the biggest risk factor for a breach in the retail sector. Verizon’s annual data breach survey, released earlier this year, confirms this. It identifies credential attacks as the top source of data breaches, with 63% occurring via weak or stolen credentials.

This isn’t a particularly new insight. The Target and Home Depot breaches, both via stolen vendor credentials, happened more than two years ago. And yet, as the Verizon report indicates, large firms are still quite vulnerable to credential attacks. Why is a credential-based attack so hard to detect? The point of the attack is to impersonate a valid user (an employee, contractor or some other insider) going about his or her daily job. When a financial analyst logs into a financial system using her regular ID and password, for example, we do not expect an alarm to sound.

The retail environment has some unique factors that make detection more difficult. For example, retailers employ large numbers of seasonal workers, so knowing whether a particular person should be allowed near a secure server in the back room of a store may be difficult. The general buzz and chaos in retail stores may weaken security checks, and sheer volume of transactions, returns, special orders, and the like can distract employees and open up security gaps.

There are, however, concrete steps that can be taken.

The first is simple: most if not all retailers have two networks, one corporate and one retail (in-store). Human resources, research and development, accounting, and other corporate functions operate on the corporate network. Point of sale systems, cashiers, and store managers operate on the retail network. In theory, these networks are completely walled off from each other, using two-factor authentication and other security systems. A temporary sales clerk should not be able to access the payroll system at corporate headquarters and download employee social security numbers, just as an HR specialist at headquarters should not be able to access the credit card database within a store point-of-sale (POS) server. This is especially sensitive since many retailers haven’t yet rolled out chip-and-pin readers. If a card number is stolen from a POS system, it’s usable in many places.

A basic check would be to ensure that the two-factor authentication system between the corporate and retail networks is working correctly, is updated with patches, and is applied as broadly as possible. However, this is not always the case, and there have been instances where hackers have been able to steal a corporate user’s credentials (using a keylogger or other type of malware) and then bypass the authentication system to connect to hundreds of in-store POS systems. Perhaps the system configuration has “drifted” over time and needs re-certification. This is an easy check on network security risk.

Another step relates to context—in other words, understanding what is normal. As mentioned above, a retailer during the holiday season manages chaos on a daily basis. It is too easy for attacks to slip by without notice during the noise and commotion. Recall the advice given to New Yorkers after 9/11: “If you see something, say something.” While relying on employees to notice unusual behavior is fine, a better approach is to augment humans with smart technology that understands normal behavior and can raise an alarm when behavior is suddenly not normal.

For example, a specialist in IT is accessing hundreds of POS systems in multiple stores via the corporate network. Is that okay? It is hard to say. Perhaps he is doing it as part of a backup process or maybe he is helping restore systems after a failure. Without knowing what is normal for this person, as well as for his peers, it is very difficult to judge the riskiness of his actions. Behavioral analytics systems are built for this problem. They analyze past behavior and build baselines, just as VISA and MasterCard do for every credit card owner. When an employee suddenly starts logging into store POS systems but has never done so before, behavioral baselines can provide the context needed to alert that this user might in fact be a hacker.
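The baseline comparison described above can be sketched as follows. This is an added example, not code from the article or from any behavioral analytics product; the log records, user names, peer groups and the host-naming convention (`pos-`, `fin-`, `hr-`) are constructed assumptions.

```python
from collections import defaultdict

# Constructed sample records: (day, user, peer_group, target_host). Not real logs.
HISTORY = [
    (1, "alice", "it-ops", "pos-store01"), (1, "alice", "it-ops", "pos-store02"),
    (2, "alice", "it-ops", "pos-store01"), (2, "alice", "it-ops", "pos-store03"),
    (1, "bob", "it-ops", "pos-store02"), (2, "bob", "it-ops", "pos-store04"),
    (1, "carol", "finance", "fin-ledger"), (2, "carol", "finance", "fin-ledger"),
    (1, "dave", "finance", "fin-ledger"), (2, "dave", "finance", "hr-payroll"),
]
TODAY = [(3, "alice", "it-ops", "pos-store01"), (3, "alice", "it-ops", "pos-store05")]
TODAY += [(3, "carol", "finance", f"pos-store{n:02d}") for n in range(1, 9)]

def host_class(host):
    """Assumed naming convention: the prefix before '-' is the system class."""
    return host.split("-", 1)[0]

def build_baseline(events):
    """Per-user system classes and max daily fan-out, plus classes used per peer group."""
    user_classes, peer_classes, daily = defaultdict(set), defaultdict(set), defaultdict(set)
    for day, user, group, host in events:
        user_classes[user].add(host_class(host))
        peer_classes[group].add(host_class(host))
        daily[(user, day)].add(host)
    max_fanout = defaultdict(int)
    for (user, _), hosts in daily.items():
        max_fanout[user] = max(max_fanout[user], len(hosts))
    return user_classes, peer_classes, max_fanout

def score_day(events, baseline, fanout_factor=2):
    """Return {user: [reasons]} for users whose activity deviates from the baseline."""
    user_classes, peer_classes, max_fanout = baseline
    seen, groups = defaultdict(set), {}
    for _, user, group, host in events:
        seen[user].add(host)
        groups[user] = group
    alerts = {}
    for user, hosts in seen.items():
        reasons = []
        for cls in sorted({host_class(h) for h in hosts} - user_classes[user]):
            scope = "peers also never" if cls not in peer_classes[groups[user]] else "peers do"
            reasons.append(f"first access to '{cls}' systems ({scope} use them)")
        if len(hosts) > fanout_factor * max(max_fanout[user], 1):
            reasons.append(f"fan-out {len(hosts)} hosts vs. baseline max {max_fanout[user]}")
        if reasons:
            alerts[user] = reasons
    return alerts

ALERTS = score_day(TODAY, build_baseline(HISTORY))
```

The IT specialist who routinely touches POS systems raises nothing, while the finance account that suddenly reaches eight POS hosts is flagged on both the individual and the peer-group baseline.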

Retailers are getting better about security every year, improving risk management processes and rolling out new security technologies. Credential attacks remain the top threat for retail breaches, however, and retail firms must both verify their processes and also look to new solutions, such as behavioral analytics, to close the risk gap.

Acquisition Integration for Logistics and Cargo Insurance

During my 36 years in the marine insurance industry, one of the most common issues has been failure to properly integrate acquisitions into cargo logistics insurance programs—which can result in gaps in cargo insurance coverage. Old habits die hard, however, and this is particularly true in logistics operations.

When an organization acquires a new company, there is a choice. The buyer can allow the acquisition to continue to operate independent of its logistics program (rarely is cargo insurance left independent) or fully integrate them into the buyer’s logistics and cargo insurance programs. The most common occurrence is full integration into the buyer’s logistics and cargo insurance programs for cost savings and continuity.

If the independent logistics option is chosen for the acquisition, it is still critical to perform a detailed gap analysis of the logistics SOPs (Standard Operating Procedures) used by the acquisition to assure their program does not present unique exposures not currently considered or addressed in the buyer’s program. The most objective and effective gap analysis should be performed by an outside consultant working with the buyer’s designated logistics representative.

A risk management representative is not required but may wish to attend. The consultant must have extensive experience in logistics audits as well as a clear understanding of implications of the terms and conditions of the cargo policy. This team will create a gap analysis report that details variances from best practices and the key drivers in the buyer’s logistics program that are critical to the marine cargo insurance program. This also allows the buyer’s cargo program to be adjusted for any unique requirements of coverage by the acquisition to assure there are no coverage gaps.

Importance of SOPs
It is worth a moment to address SOPs for logistics and security for shipping and storing goods in the due course of transit. Formal SOPs are critical to assure compliance and the proper measurement of compliance. SOPs also provide continuity of logistics programs so that learned processes and shipping-lane-specific issues are not lost when there is a change in personnel.

In instances when the buyer decides on full integration, the process is much the same as described above for the independent logistics option. The most important difference is that the gap analysis details the variances between the acquisition’s and the buyer’s logistics program SOPs and rates the findings into levels of importance for timely adoption: critical, second tier and third tier variances. The critical issues require adoption as soon as possible, while the other variances can be corrected over the course of time.

It is important to complete one or more follow-up audits. If there are critical issues, a follow-up audit might be completed after the buyer has been advised that the critical variances have been finalized, to independently confirm compliance has been obtained if deemed appropriate. Regardless, a one-year audit is recommended to examine all the variances in the gap analysis and determine the level of compliance in correcting all originally identified variances.

Again, old habits and processes die hard. You will often hear, “We always did it this way.” It is important during the gap analysis to integrate local requirements as needed, as long as doing so does not compromise the goal of the SOP. Integrations, especially of acquired foreign companies, can be difficult, involving politics by other units of both companies outside of the logistics, security and risk management units. It is critical that senior management of both the buyer and the acquisition company have “full buy-in” on the integration process to overcome the political infighting that can develop.

The best analogy of this process would be a chess game—complex and variable with many moving, interrelated parts.

Wildfires a Reminder to Update Disaster Preparedness Plans

Raging across the country, threatening businesses and residences alike, wildfires are a reality, burning a reported 1.9 million acres in the U.S. so far this year. West of Santa Barbara, firefighters have battled an intense fire for almost a week. Wildfires are also burning in Arizona and New Mexico. In Canada, the Fort McMurray blaze burned for weeks and scorched some 2,400 square miles of land—more than 1.4 million acres. In five of the past 10 years, in fact, wildfires have ranked among the top 20 worldwide loss events.


Companies that haven’t already done so may want to assess the impact such a disaster could have on their business as well as what actions can be taken to mitigate damage. While most businesses believe they are prepared for a fire, especially if their building is equipped with fire alarms, fire extinguishers, smoke detectors and an evacuation plan, these measures may not be enough when stress and confusion take over, according to Interstate.

Organizations could face utility interruption, impacting gas and phone systems; they may have flooding from sprinklers, which, mixed with soot, can cause other complications; there may be smoke damage, which can be carried throughout a building through air conditioning systems; and there can be chemical residue from fire suppression systems.

There also may be asbestos hazards from older building materials, ceiling and floor tiles and pipe insulation.

Planning ahead for data loss resulting from damaged computers and burned paper documents is also advised.

Interstate lists four questions companies need to ask in advance of such a disaster: