January 27, 2020
Mark Smith, senior vice president at CRC Insurance Group, was one of the featured speakers at Friday's annual meeting of the Associated General Contractors of Washington in Bellevue.
Smith leads CRC's nationwide Cyber Liability Team and is a wholesale insurance broker specializing in the placement of cyber, professional and management liability insurance. His talk on Friday addressed how to prevent, respond to and insure against cyber risk.
The DJC spoke with Smith about cybersecurity in the construction industry. His answers were edited for style and length.
Q: How long has cyber risk insurance been around?
A: Cyber insurance has its roots in the late 1990s, arising from a concern that hackers could penetrate a company's network security and steal its private information. However, it didn't begin to find acceptance until individual states began to pass their own privacy laws dealing with the theft or unauthorized disclosure of personally identifiable information (PII), beginning with California in 2003. The purchase of this coverage was relatively slow until the last five years, when there was a dramatic uptick in the number of companies purchasing this insurance.
Q: How vulnerable are contractors to cyberattacks?
A: Overall, the risk to most contractors from the theft or unauthorized disclosure of PII is small, but significant first-party exposures arising from ransomware attacks, including business interruption and data destruction, in addition to sophisticated social engineering attacks, leave many contractors vulnerable to sizable financial loss.
Q: How can cyber risk insurance help the construction industry?
A: Construction companies do not typically hold much PII due to the nature of their business. They do have to protect the PII of their own employees, but in general this has not been a significant concern for most contractors. It is primarily because of customer contracts that many contractors have purchased cyber insurance. This has arisen because contractors may hold corporate confidential information under a non-disclosure agreement with a customer requiring them to carry the coverage. Such information may include plans, designs, financial statements, research, bids, reports or any other information that the client deems sensitive if it were lost or disclosed to unauthorized parties.
In addition, some customers are concerned the contractor's employees working on their premises may gain access to confidential information and steal it for their own purposes.
Contractors face the same exposures many business enterprises are commonly encountering. Roughly 30% of all cyber-related claims now arise out of ransomware attacks, which can lead to a temporary shutdown of a contractor's computer network, resulting in a business income loss while access to the corporate computer network is lost or electronic files have been encrypted.
Furthermore, if files have been encrypted, the contractor may be able to restore from backup tapes, but claim experience has shown such backups may sometimes be incomplete, infrequently backed up, if at all, or, in the worst case, also infected by ransomware.
Unfortunately, some studies have shown if the ransom is paid, a significant percentage of the payments have been for naught as the encryption keys provided failed to unlock the encrypted files. Since early summer of 2019, ransom demand amounts have skyrocketed, now commonly made in the six- and seven-figure range.
Cyber liability insurance will pay the ransom amount, the business interruption loss, the forensics work to determine the source of the ransomware and the files affected, and the cost to restore the computer system or encrypted files from backup tapes; some policies will even pay to recreate from scratch lost or destroyed electronic files if they cannot be restored from any source.
Cyber insurance coverage, as part of a comprehensive risk management program, lessens this risk, as well as fulfilling the contractual requirement to carry this coverage imposed by clients who are concerned that the information they provide to the contractor may be at risk, exposing them to financial loss as well.
Q: What about those fake billing schemes recently in the news?
A: Another significant benefit for contractors is that cyber coverage can protect them from social engineering schemes. Organizations of all types have fallen victim to fraudsters posing as clients, vendors, principals or executives directing accounting personnel to unknowingly wire funds to the fraudster's bank after changing the wiring instructions.
Most organizations can protect themselves by always requiring callbacks to a predetermined number of the actual client to verify the change in the bank routing instructions, but failures to follow sound procedures do occur, and such transfers happen with routine frequency to the peril of the organization. Most cyber carriers offer some form of cybercrime coverage that extends to such social engineering schemes.
Q: What should you do after a data breach?
A: The answer depends on whether the contractor has a cyber policy in place or not.
If coverage is in force, the contractor should, immediately upon discovery of an incident, contact their insurance company to reach a breach coach.
The breach coach, normally a lawyer, will discuss with the contractor the immediate steps to be taken on their behalf. The coach will engage directly, from a list provided by the insurer, an IT security and forensic firm to investigate the cause and the scope of the breach or ransomware attack, including the records potentially compromised or encrypted. This information will be relayed to a law firm chosen by the insurer.
If the event is a suspected data breach, the firm will review the information to determine if the incident meets the threshold of a breach under the applicable state and/or federal law. Upon such a positive finding, an attorney will draft notification letters to be forwarded to a fulfillment center to mail out to the affected individuals within the guidelines of the applicable laws.
Prior to any mailing, a call center will be established to answer any questions by those affected upon receiving their notice. Concurrently, a crisis management/public relations firm will be engaged prior to the release of the notifications to help protect the contractor's reputation by formulating a public response to the breach once the notices are sent.
If the contractor does not have a cyber policy, a law firm specializing in cyber events should be engaged immediately upon discovery of the incident. Ideally, the law firm and data breach response vendors should have been engaged by the contractor prior to any data incident, providing an efficient, speedy response to the incident, as well as saving money by pre-negotiating rates for their services. The law firm should always be the one to engage the IT security and forensic team, to keep any information discovered by the team within attorney-client privilege.
Q: What can you do to prevent a cyberattack?
A: Cyberattacks are constantly evolving in their manner of attack, and every organization should dedicate resources, internally or even externally, to understanding the data at risk and how best to protect it. Many organizations focus solely on IT security and overlook that almost a third of all cyber events are directly related to human error.
Companies should begin their risk management efforts by educating employees on the ramifications of a cyber event and how it may seriously damage the company's reputation, its relations with customers and regulators, and the company's balance sheet. This should include ongoing training on what data is at risk and how to safeguard it, given the schemes and methods directed against them by bad actors who want access.
From an IT security standpoint, there are a number of practical measures firms should consider implementing. A few of these include:
Maintain and update firewalls.
Back up all data on a daily basis on a physically separate system.
Encrypt mobile devices including thumb drives.
Implement multi-factor authentication.
Consider end-to-end encryption of all communications.
Rigorously enforce a robust password policy.
Utilize secure email gateway software.
Establish regular anti-phishing training for all employees including executives.
Know what data is confidential and where it resides, and avoid concentrating it on one device or server.