PART ONE: WHAT’S THE MATTER WITH THEM?

Belleview Foods CFO Josh Carter was having a frustrating day. He walked into the office to see a notice from the Oregon State Department of Revenue that the department had some questions about Belleview’s 2018 tax payments.

“Just what I need is a stinking audit,” Carter was muttering to himself, when Marcia Leigh, Head of Accounts Receivable, stuck her head in his office.

“You got a second?” she said.

Carter softened. Leigh was a true asset. An adult who got things done with minimal handholding.

“Sure,” he said, trying to control the volume of the stress-sigh escaping him.

Leigh slipped into the office and closed the door with a careful, measured gesture.

She cleared her throat and looked out the window, seemingly to gather her thoughts.

“There’s something going on with Green Mountain Grocers,” she said. “They say they’re having problems with their IT systems, but something tells me it’s worse than that.”

Belleview, a manufacturer of a line of organic foods with annual revenues north of $500 million, did about $80 million in business annually with Green Mountain. News that Green Mountain was acting shaky turned an annoying day into an alarming day.

“Like….?” Carter said.

“I wish I knew what was up with them, really,” Leigh said.

“It’s been six months now since they merged with Mrs. Kimball’s and they are getting more and more irregular with payments,” she said.

She documented delays in their weekly payment schedule of a day or two here, three or four days there. None of it was causing any cash flow problems, but it was the sudden shift, going from a very regular payer to a slightly irregular payer that was bothering her.

“What I do know is that the Mrs. Kimball’s IT system and the legacy system at Green Mountain are not getting along very well,” she said. “At least that’s what Gary Bevens told me.”

Bevens had been CFO at Green Mountain now for seven years. Both Leigh and Carter knew him and trusted him.

“I wouldn’t be surprised,” Carter said, his emotions from his own issues of the day not quite settled down.

“But you think there’s more to it than that?” Carter said.

Leigh shrugged.

“It’s just a hunch, really,” she said.

“It’s just that Gary is usually a very responsive communicator,” she said.

“He’s been harder to get a hold of than usual. Couple that with the payment pattern becoming irregular….” her voice trailed off and they both fell silent.

“I don’t know if it’s in-house politics, IT, or what…” she added eventually.

Something in Carter’s gut went off. Maybe it was the acid from his second cup of coffee. But it felt more like fear.

“What do you….?”

“I’ll stay on it,” Leigh said. “Maybe take Bevens to lunch. We can’t afford to be in the dark here for very long if it is something more serious.”

“Agreed,” Carter said.

PART TWO: DISTURBING REVELATIONS

Carter didn’t have to wait for Marcia Leigh to have lunch with Gary Bevens to get the bad news. That’s because it made the front page of the Oregonian business section two days later.

In a statement to customers, vendors and investors, Green Mountain reported that it was attempting to recover from a data breach that had compromised customer credit card numbers and other personal data.

The company, in its February 22, 2019 statement, indicated that it became aware of a breach of its systems on February 15 and was acting as expediently as possible to notify affected customers and vendors.

Bevens was under water and wasn’t able to make it to lunch with Leigh. But he did get on the phone with her to explain what he could.

Green Mountain, with its 24 stores in Oregon, Utah, Idaho and Washington State, had been eager to pick up Mrs. Kimballs’ and its 12 stores in the lucrative Portland and Seattle markets. But Leigh was on the right track that the two company’s IT systems weren’t getting along post-acquisition. And that was most painfully true when it came to their security systems.

“We thought being based in Seattle that they would have it all over us when it came to IT security,” Bevens told Leigh. “It turns out we were wrong.”

Hackers had gained access to the combined system through Mrs. Kimball’s network, which was less well defended than Green Mountain’s.

The grocery business is a cruel one for owners, with margins brutally thin and little room for error. Green Mountain had leveraged itself to pay top dollar for the coveted Mrs. Kimball’s brand. Now its data breach recovery effort was costing it millions.

“I don’t like the looks of this,” Josh Carter told Marcia Leigh when they next conferred.

Carter handled risk management and the purchase of insurance for Belleview Foods. The company ran too lean to support a full-blown risk management department.

His brow creased with worry, Carter dialed his insurance broker Fred Atlas to relay the information that one of Belleview Foods key customers might be getting wobbly.

“You’re still getting paid, right?” Atlas said to Carter.

“Yeah, we are,” Carter said.

“Are you having any cash flow issues?” Atlas said.

“No. Not yet,” Carter told him on Feb. 26.

Carter was worried for good reason.

But it was what he didn’t yet know that would really rock him. The data breach was one thing. But what lay in wait in the Green Mountain Information Technology system was even more horrid.

The hackers had installed a Trojan Horse that was getting ready to lock up Green Mountain’s systems entirely.

On March 4, the Trojan Horse was released, locking up Green Mountain and causing major operational problems for 20 of its 36 stores.

Freezers failed, cashiers couldn’t ring up customers, and perishables rotted. With much of its cash flow blocked for a week, Green Mountain went right from being an irregular payer to being a non-payer.

PART THREE: PAINFUL UNCERTAINTY

Twenty of Green Mountain’s stores were shut down or substantially impaired for a week. And the combination of the cyber event happening so soon after its leveraged buy out of Mrs. Kimball’s created substantial cash flow problems for the company.

It was underinsured for the costs of both the data breach issue and the system stranglehold the hackers placed on it with the Trojan Horse.

By the end of May 2019, Green Mountain was $20 million in arears to Belleview Foods.

Belleview held reserves for bad debts from customers, but not to the tune of $20 million.

Josh Carter was having a drink with one of his friends from business school and laid out the whole sorry narrative for him. Belleview, hamstrung by the Green Mountain tragedy, was now the slow payer, straining relationships with farmers and other suppliers up and down the West Coast that had stuck by it in its growing years.

“Have you guys ever looked into accounts receivable insurance? Did your broker ever mention it to you?” Carter’s friend Ed Graham asked.

“No. Not that I can bear listening, but tell me more.” Carter said.

“It’s accounts receivable coverage that can protect against customer nonpayment in situations just like this,” Graham said, as he drained the remaining drops of Glenfiddich in his glass and held it up for the waitress, signaling for a refill.

“Nobody in their right mind is going to sell you an All-Risks cyber policy,” Graham said. “But you can get this coverage that specifically covers accounts receivables losses stemming from a cyber event.”

Carter sighed. He liked his whiskey, but the brown fluid in his glass at that moment seemed distinctly unappetizing.

“This is why we needed a risk manager,” Carter said. “I wouldn’t even know enough to ask that question,” he said.

“Who is your broker?” said Graham.

“Fred Atlas,” Carter said.

“It’s too late now, but you should probably fire him,” Graham said. “In your business you can’t afford not to have up-to-date information,” he continued.

Carter summoned up enough will to take a deep swig from his whiskey glass.

“I will fire him,” he said, as the whiskey warmed his throat.

“If I don’t get fired first.”

Risk & Insurance® partnered with Allied World to produce this scenario. Below are Allied World’s recommendations on how to prevent the losses presented in the scenario. This perspective is not an editorial opinion of Risk & Insurance.®.

The “Belleview Foods” story is not unique. Many small and mid-sized businesses succumb to the loss of reputation and/or income created by cyber disruptions. While insurance policies cover a range of cyber losses, only one type of policy includes coverage for customer cyber events that lead to customer non-payment – and that is Accounts Receivable Insurance.

CFOs should consider:

• their customers’ operational risks and how it could affect their company’s profitability;
• business preparedness should hackers shut down the country’s power grid; and
• the impact of negative brand image.

Cyber experts advise CFOs and Risk Managers to implement a program that addresses all types of cyber exposure – including situations where customers become compromised. Accounts Receivable Insurance can help companies:

• expand their cyber security insurance coverage as the standard policy wording does not exclude coverage from third-party customer cyber events that lead to a non-payment;
• mitigate the risk of non-payment due to customer insolvency, protracted default and/or political risk (for export policies); and
• improve certainty around a company’s balance sheet by protecting accounts receivable against customer default.

By expanding their cybersecurity compliance program to include Accounts Receivable Insurance, CFOs and Risk Managers are better prepared to manage risks that are critical to their organization’s bottom line.

This information is provided as a general overview for agents and brokers. Coverage will be underwritten by an insurance subsidiary of Allied World Assurance Company Holdings, GmbH, a Fairfax company (“Allied World”). Such subsidiaries currently carry an A.M. Best rating of “A” (Excellent), a Moody’s rating of “A3” (Good) and a Standard & Poor’s rating of “A-” (Strong), as applicable. Coverage is offered only through licensed agents and brokers. Actual coverage may vary and is subject to policy language as issued. Coverage may not be available in all jurisdictions. Risk management services are provided or arranged through AWAC Services Company, a member company of Allied World. © 2019 Allied World Assurance Company Holdings, GmbH. All rights reserved.