Although contractors generally haven’t focused on potential cyber exposures in the past, that situation is changing, especially as more sensitive information is shared electronically among project participants.
In light of these developments, as well as the significant and constant visibility that hacking incidents and breaches receive in the news media, more owners and managers are inquiring about contractors’ cyber risk management and stipulating in contracts that contractors purchase cyber insurance.
Indeed, today, larger volumes of information are being shared electronically among contractors and various project participants. Some of this is proprietary or highly sensitive, including building plans, blueprints, and employees’ and 1099 contract workers’ personally identifiable information (PII), such as Social Security numbers, driver’s license numbers, birth dates, etc., which hackers often target.
On municipal projects, the theft of building plans or blueprints may increase vulnerability to terrorism. At the same time, breaches involving the inadvertent release of PII trigger costly regulatory compliance, including disclosure of the breach to all individuals whose information may have been compromised and extended credit monitoring for each individual, and increasingly involve liabilities from lawsuits brought by affected parties.
Yet, theft of valuable data and privacy violations aren’t the only Internet or cyber-related risks for contractors. Some already have fallen victim to elaborate Internet cons or social engineering schemes, known as phishing, in which perpetrators use spam, fake websites, emails and instant messages to trick a company’s employees into handing over sensitive information or transferring funds or assets to phony bank accounts. Typically, by the time a phishing scheme is uncovered, the perpetrators and the stolen funds are long gone.
More recently, phishing attacks launched against contractors have affected the delivery of valuable construction equipment. In these situations, perpetrators have hacked systems or launched schemes attempting to intercept supply chains and re-route deliveries.
In terms of insurance, some coverage for these types of issues may fall under a cyber insurance policy, as well as the contractor’s crime, fidelity or property policy. As this new type of exposure evolves, contractors need to work closely with their insurance advisors to understand how and whether their insurance might respond, including any coverage limitations.
Managing cyber risk
While the presence of a cyber insurance policy is increasingly contractually required of contractors, the effective management of cyber exposures often requires a rigorous process beginning with an internal conversation about the type of data the contractor maintains on its own employees, contract workers and trades, as well as the data it maintains or accesses electronically for the owner, general contractor, project manager or other project participants.
At most firms, understanding the full scope of their potential cyber risk requires a team effort, involving the C-suite and human resources/payroll, legal, risk management and information technology functions (or related outsourced providers). Besides assessing data the firm handles and maintains, the team will need to determine who is responsible for what data. Contracts with other firms, including the company IT vendor, need to be examined, especially with respect to any indemnity agreements.
Be aware that while the presence of such agreements may provide some protection, they are hardly a panacea for managing potential risk. For instance, many indemnification provisions cap these amounts and exclude certain types of data breaches. Further, the partner firm or vendor may become insolvent, bankrupt or simply not honor the agreement.
To address fraud risk, many firms work to establish sound accounts payable procedures with graduated authorization and requirements for two signatures on payments exceeding predetermined amounts. Similarly, in an effort to minimize the risk of malicious software or malware, more businesses are training employees not to open suspicious documents or attachments and making sure IT maintains updated anti-virus software on all of the firm’s computers. These efforts include establishing procedures for the use of laptops outside the workspace, as well as for any data shared or accessed by mobile phones or tablet devices.
In terms of privacy exposures, the firm should know who its stakeholders are in the event of a breach. In addition to assessing potential exposures, the firm’s cyber risk team should develop an incident response plan that addresses each type of potential cyber event. The plan should be tested regularly and updated as the contractor’s technology and project mix evolves.
In this environment, it generally makes sense for contractors to invest in IT security. This may involve having an outside firm come in, test systems and conduct an assessment. While that might appear straightforward, it’s often not the case. There has been a groundswell of IT professionals providing these services, and not all are equally adept at this work; their fees vary just as widely. Some providers charge multiples of the going rates for the same service.
In preparing for a potential breach, contractors should work with their legal counsel to make sure they understand and comply with the emerging regulatory issues in the industry that pertain to data security and cyber threats.
Assessing cyber insurance
Contractors also should evaluate cyber insurance, not only to satisfy contractual requirements, but especially to make sure they have the protection they need. Besides providing coverage for certain cyber-related exposures, many insurance companies can help policyholders identify preferred vendors to evaluate data security and help respond to a breach.
Not all cyber insurance is the same, so construction companies need to know how the coverage works and whether it addresses their needs. For instance, some cyber policies provide first-party coverage, which protects the company if its systems are damaged by a covered cyber attack or if key aspects of the business are affected, resulting in downtime and consequential revenue loss. They also may cover expenses, such as forensic investigations following an attack and costs to restore damaged systems.
Cyber policies typically cover third-party liability, including that arising from a breach involving confidential project data or PII. This coverage typically addresses costs for notification of all potentially affected parties, required credit monitoring and legal defense costs.
Limited protection may be offered for intellectual property theft or payment of ransom if systems are compromised and perpetrators demand ransom, often in Bitcoin, to restore the system.
While some firms opt to purchase cyber coverage as part of a package insurance policy, these arrangements often provide limited protection and may include several exclusions. If this protection is insufficient, contractors might explore standalone cyber insurance policies, which offer higher limits of protection and tend to have fewer exclusions.
A key exclusion in these policies is for prior acts, defined as events that occur before a policy’s effective date. This can create significant issues with respect to cyber exposures where breaches may go undetected for several months or longer before perpetrators extract data or damage systems. Contractors should work with their insurance advisors to try to have this exclusion removed. They also should review all policy wording carefully and assess whether coverage provided is adequate and meets their needs.
Even though insurance can provide valuable protection and help satisfy contractual obligations, contractors should conduct a rigorous assessment of their technology and cyber risks, and develop a comprehensive approach to address them. Given the escalating number and costs of cyber attacks, that important work can mean the difference between a contractor’s success and failure.