Cyber-risk is evolving fast, and the architect and engineer (A&E) community should be monitoring the developments closely. Arguably, design firms take on considerably less cyber-related risk than large retailers and financial institutions, which continue to face huge and costly data breaches. By comparison, the typical A&E firm has less first-party or third-party exposure. First-party exposure includes income loss and extra expense your firm may incur as result of a computer attack or system failure – and the costs to recreate lost or stolen data. Third-party exposure typically would include those liability costs associated with your firm’s inability to protect a third party’s sensitive or confidential information. This blog will attempt to review these cyber related risks an A&E firm faces and review important considerations when it comes to transferring and managing this risk.
There are a lot of “what ifs” when it comes to a design firm’s cyber risk beginning with: “What are the potential damages to my firm in the event of a data breach?” Depending on factors relating to the breach, you may find your business having to pay for:
- Legal fees
- Judgments or settlements
- Notification costs (depending on state requirements)
- Forensic services
- Credit monitoring services
- Identity-theft-related fraud resolution services
- Loss of business and public relations costs
- Regulatory defense and penalties
- Extortion loss
- System disruption
- Data recovery expenses
Should an A&E firm purchase a separate cyber-liability policy?
The short answer is that you should definitely consider it. At the very least, the exercise of going through the application process and assessing your firm’s specific cyber-related exposures will put you in a better position to manage this risk. If you determine you need to buy a stand-alone cyber-liability policy, there are plenty of carriers currently offering this coverage at relatively low cost. However, while purchasing a separate cyber policy may be a good idea, or even contractually required by a specific client, transferring cyber-risk by insurance is only one piece of the risk management puzzle.
What are my firm’s cyber liability exposures?
Design firms have increased their use of the internet and electronic data transfer of sensitive information, and more A&E firms have gained proficiency in building information modeling (BIM) involving multiple parties on complex projects. So it’s not a matter of “if” but rather “when” we will start seeing more data breach claims against design firms in my opinion. According to our experts in the Cyber/E&O Practice Unit of Willis Towers Watson, all businesses have the following potential data breach exposures that they need to recognize:
- Malicious insiders. These are insiders who abuse access to sensitive data for financial gain, typically disgruntled current and former employees who can exploit back doors of a company’s data systems.
- Negligent or unwary insiders. Whether the result of lost laptops or simple incompetence, businesses have found themselves susceptible to attacks that exploit traditional security controls (e.g. spear phishing). This includes employees who fail to embrace or are not properly trained on a company’s culture of security who find, or stumble, upon ways to circumvent ‘inconvenient’ security controls.
- Criminal hackers – Cyber-attacks are occurring at astonishing rate, and no business is immune. Tactics have evolved from “hit and run” to “infiltrate and stay.” Black markets exist for all types of personal information, and with proliferation of mobile platforms, more and more businesses are vulnerable. This includes “ransomware” attacks where a business has its data seized and later is extorted to pay a ransom for its release.
Design firms are now grappling with a lot of frequently asked questions when it comes to data breach exposures:
- What coverage would apply if a hacker plants malware and corrupts our firm’s data systems, causing interruption to our business?
- What if we are hosting a BIM site and our system crashes, causing consequential delay damages – is this covered?
- What if we lose confidential data belonging to our client and they sue us?
- What if our data systems are compromised and we lose sensitive employee information such as social security numbers?
- What does our PL practice policy cover for data breach claims?
- What if our firm is hacked with ransomware – what should we do and is this covered?
- What gaps do we have when it comes to cyber-related risk?
- What additional protection do I get with a separate cyber liability policy?
Unfortunately, there are no simple answers to these questions. Both cyber-related exposures and the insurance community’s response to this risk are evolving rapidly. There are myriad interrelated variables that could be involved in a given cyber incident, and coverage would depend on the facts of a given claim.
What is the insurance community’s position on cyber-risk?
We asked over a dozen leading A&E insurance carriers and attorneys whether they have seen any data breach claims in the segment, and the general response was “no.” However, these same folks weren’t nearly as consistent when asked if they anticipate an escalation in data breach claims against design firms in the future. The responses to this question ranged from “we definitely expect cyber related claims to increase in the future” to “we highly doubt that cyber-risks will significantly impact A&E firms.” In other words, nobody really knows.
There is little meaningful historical data or loss info on cyber-claims that actuaries can use to establish pricing and terms. As a result, pricing and coverage terms can and will fluctuate greatly from one carrier to the next — and the outlook on products and pricing is uncertain.
While a contributing factor in all of this is the fact that this exposure is relatively new, it also has to be recognized that insurance companies may not have historically gathered or shared meaningful loss data. I don’t believe this is intentional but is rather because some insurance carriers are more reactive than proactive in their response to industry and loss trends.
It’s worth noting that there are reportedly over 30 insurance carriers now offering cyber insurance, and written premiums are approaching $3 billion. So it’s clear there is a perceived risk and need within the general marketplace. A recent State of The Cyber Market Report from the Willis Towers Watson Cyber Practice noted that a hardening of the cyber insurance market persists. Further, our cyber experts do not expect the marketplace to flatten out any time soon. They see cyber threats escalating as a result of several factors: cyber criminals with varying agendas, growing technology risks associated with the expansion of the mobile workforce, broad adoption of “bring your own device” (BYOD) policies, and innovations in technology that will only expand threats to data privacy and security.
As this exposure evolves and claims pick up, we can expect the insurance marketplace to respond by developing new products as well as adding — and excluding — cyber- related exposures. Many general liability policies are now endorsed to exclude liability for data breach using a CG21060514 or equivalent that excludes coverage for “access or disclosure of confidential or personal information and data-related liability.”
What insurance coverage is available to transfer cyber risk?
It’s fair to say that A&E firms may have some coverage under both their professional liability (PL) and business owners policy (BOP)/Package policies for cyber-related risks. However, there are some gray areas that a prudent risk manager will want to address to understand whether their firm is exposed to possible gaps for data breach claims under its current insurance program. In addition, we can anticipate that if and when these data breach claims start rolling in, most insurance carriers will respond with reservation of rights letters as they attempt to sort out the facts of a given matter to determine what, if any, coverage is available under their respective policies.
Cyber coverage under an A&E’s PL policy
Professional liability (PL) policies provide indemnity for losses pertaining to a covered error, omission or negligent act — including breach of contract, vicarious and consequential damages — committed in the conduct of the insured’s professional business.
Whether an A&E firm’s PL policy will cover a given cyber claim will largely depend on whether it can be determined a data breach occurred in the performance of the A&E’s professional services. It’s important to note that the standard of care of an A&E firm evolves over time, and with advancements in technology, including the significant use of building information modeling (BIM), I believe that, depending on the nature of the claim, there is a fair amount of coverage under most A&E firms’ PL practice policies for third-party data breach exposures — and that we will see this tested in the near future.
In addition, many PL carriers will include or endorse their PL practice policies to offer additional cyber-related coverage. This will vary significantly from carrier to carrier and may very well not provide all the coverage an A&E firm will need to cover all its cyber-related exposures or meet specific contractual obligations to carry cyber coverage. The additional cyber coverage that an A&E PL practice policy might offer would include:
- Technology-based services coverage
- Technology products coverage
- Computer network security coverage
- Multimedia and advertising coverage
Again, any cyber liability coverage under a PL policy would be limited to a claim arising out of a wrongful act in the performance of the design firm’s professional services. And, all A&E PL policies exclude liability assumed by the firm under any contract – unless the firm would have been liable in the absence of that contract. In other words, is it within the standard of care for the A&E firm to be providing these services?
While an A&E PL policy may provide some level of cyber coverage, this again may vary significantly from carrier to carrier, and the policy may provide a reduced or sub-limit for this “additional” coverage. For example, a PL practice policy may provide cyber-security breach response reimbursement to:
- investigate the breach
- notify any parties affected by the breach
- perform credit monitoring service for your clients’ individual personal data or your clients’ corporate data lost because of the breach
- restore or recreate, if possible, clients’ lost content caused by the breach
However, while this additional coverage seems nice to have, it may very well not be sufficient to fully cover this exposure or meet a contractual requirement. This is because an “additional payment” provision in these policies is often for a limit of coverage well under the full PL policy limit, with some as low as $25,000 or $50,000. Is $50,000 enough to cover the expenses a firm might have to fully investigate a breach and restore or recreate a client’s lost content caused by a breach? Probably not.
I feel it’s also fair to question whether this additional cyber coverage some A&E PL carriers are adding to their PL practice policies is a good thing. Might a firm be better off having a PL policy that is silent on all of this — allowing coverage for data breach claims to be determined based on the full terms of the policy, which is closely tied to the standard of care of a design professional? Could coverage be limited to these “additional payments” versus having the full limits of the firm’s PL practice policy available to cover these exposures? I certainly don’t think this would be the intent; however, like any contract, these policies are up for interpretation.
Cyber coverage under the A&E’s GL/BOP policy
The professional liability exposure of a Design Firm, covered by a PL Practice policy, is by far its greatest risk. We simply don’t see nearly the level of claim activity from our A&E clients against their other P&C products. Many A&E firms have a Business Owners Policy (BOP) or Package policy covering their Property, General Liability (GL) and Automobile Liability exposures. A BOP or Package policy is intended to protect a firm for its bodily injury (BI) and property damage (PD) office exposures. The typical BOP or Package policy for an A&E firm would most likely not provide any meaningful cyber related coverage. The PD coverage under a BOP/Package policy is intended to cover damage to tangible property – and data is not “tangible”. We are seeing A&E P&C carriers add endorsements for cyber on these products however, these are typically being added to clarify that they are not intended to cover data breach claims. In short, while some firms may have in fact received some coverage under their BOP/Package policies for cyber related claims, such as extra expense for a ransomware attack, I would say this is the exception and not the rule. I would also anticipate carriers will be fine-tuning these products in the not too distant future to clarify that it is not the intent to cover these cyber related risks.
One area where carriers have recently paid out on some cyber related claims is due to ransomware. Ransomware again is when a business has its data seized and later is extorted to pay a ransom often in bitcoin for its release. Some A&E BOP/Package policies have a sublimit for “electronic vandalism”. This covers costs to restore data but this sub-limit (if available at all) may not be enough to cover these damages when the extra expense and business interruption costs are factored in.
An A&E’s BOP and Package policies typically won’t pay for the ransom. The FBI notes that there is no guarantee the cyber-criminals will unlock a firm’s files after the ransom is paid. In a report recently posted to its website, “Incidents of Ransomware on the Rise – Protect Yourself and Your Organization,” the FBI states, “Ransomware attacks are not only proliferating, they’re becoming more sophisticated. Several years ago, ransomware was normally delivered through spam e-mails, but because e-mail systems got better at filtering out spam, cyber-criminals turned to spear phishing e-mails targeting specific individuals.
And in newly identified instances of ransomware, some cyber criminals aren’t using e-mails at all. According to FBI Cyber Division Assistant Director James Trainor, “These criminals have evolved over time and now bypass the need for an individual to click on a link. They do this by seeding legitimate websites with malicious code, taking advantage of unpatched software on end-user computers.”
The FBI doesn’t support paying a ransom in response to a ransomware attack. Not only is there no guarantee the firm will get its data back, paying a ransom emboldens current cyber criminals to target more organizations and offers an incentive for other criminals to get involved in this type of illegal activity. And finally, by paying a ransom, an organization might inadvertently fund other criminal activity.
So what does the FBI recommend? As ransomware techniques and malware continue to evolve — and because it’s difficult to detect a ransomware compromise before it’s too late — organizations should focus on two main areas:
- Prevention efforts, including awareness training for employees and robust technical prevention controls
- The creation of a solid business continuity plan in the event of a ransomware attack. (See sidebar for more information.)
Often these ransom demands are for dollar amounts (in bitcoin) under a firm’s deductible. Needless to say this places a firm in a precarious position. Pay the ransom or risk losing valuable data. Regardless, I would recommend that any subject to ransomware should report it immediately to its insurance carrier(s) and broker to get their input on how best to respond.
Separate cyber-liability coverage
As I’ve noted, there may be coverages under both an A&E’s PL and Package/BOP policies for specific data-breach-related claims; however, these coverages may not be sufficient. It may be necessary for A&E firms to secure separate cyber-coverage to adequately protect against losses and liabilities not covered under their current insurance program. In fact, given the broad coverage provided by a stand-alone cyber-liability policy and the relatively low cost, I would recommend that every A&E firm seriously consider purchasing this insurance. In addition, we are seeing more and more contracts requiring specific cyber coverage that only a stand-alone cyber policy would satisfy.
Some specific coverage features and benefits under a stand-alone cyber liability policy include the following:
Business Interruption & Extra Expenses
Covers lost online & offline income, as long as your income is network dependent and the loss is caused by security breach or errors plus expenses of avoiding such a loss.
Dependent Business Interruption
Covers lost online & offline income, as long as your income is network dependent and the loss is caused by a third party’s network security failure or error, plus expenses of avoiding such a loss.
Content Injury Liability (Media)
Defamation, disparagement, copyright, trademark, publicity rights and content errors, etc. Covers computer readable content and can be expanded to all media.
Data Restoration / Digital Assets
Covers costs to recreate or restore network to pre-loss conditions. Attacks covered include those instigated by employees.
Network Extortion Pays credible extortionist demands and response costs to demands for money against threats to release private information or bring down a network.
With regards to cyber extortion, there is a cyber extortion portion of the ‘cyber’ coverage that will address the cyber extortion claims. The coverage will pay for the costs associated with the extortion attempt (forensics expert to determine if there is a real threat and if it’s possible to remove the threat) and also the pay ransom, if necessary. Of course there will be a retention that applies to this coverage. If the extortion demand is below the retention, the insured will have to satisfy the retention before the coverage is triggered. In any event, the insured will have the benefits of utilizing pre-approved vendors at a pre-negotiated rate that is significantly less than if they were to hire these vendors post incident.
Steps your firm can take to assume and control cyber risk
As noted, transferring cyber-liability risk through insurance is only one piece of the risk management puzzle. The intangible costs associated with a claim or client dispute, including the distraction to a business and its reputation, can be greater than any hard costs of insurance premiums and deductibles. An A&E firm needs to consider how best to assume and control this risk. If you are interested in purchasing a separate cyber policy, most carriers will assess whether or not your firm has specific risk management protocols in place as part of their underwriting process.
Our cyber experts advises that the following underwriting questions be considered in assessing and pricing cyber liability products:
- Governance and risk assessment requiring current, tailored processes with senior management and board involvement
- Access rights and controls inside and outside the enterprise, including credentialing, access tracking and bring your own devices (BYOD) policies
- Encryption of Personal Identifiable Information (PII), Personal Health Information (PHI) and the transmission lines in the credit processing systems (If PII cannot be encrypted, underwriters look for compensating controls for the protection and monitoring of data, including file integrity monitoring and malware detection.)
- Data loss prevention, including patch management, system configuration and outbound communications, with special emphasis on PII
- Vendor management that includes due diligence at the time of selection and downstream compliance controls over third-party providers
- Training of employees and vendors
- Incident response plans and data protection priorities
While the average A&E firm may not be subjected to the same level of underwriting scrutiny as large retailers and financial institutions, the underwriting questions above are an excellent place to start for any business reviewing its risk management protocol. Additional questions include:
- What cyber exposure does the firm face and what are the plans to address these risks?
- How informed is executive leadership about the current level and potential business impact of cyber-risk to the company?
- What coverage gaps exist in traditional insurance policies that would not respond to a cyber event? (i.e. cyber business interruption vs. property business interruption)
- What is the potential loss of net income/profit that would be incurred if the firm’s network were shut down due to a cyber event?
- Is there a well thought-out incident response plan for cyber events and has it been tested? Does the plan respond enterprise wide?
- How much information personally identifiable information, personal health information and corporate confidential information is in your possession?
- Do you have any obligations if data are outsourced to a third party? What do vendor agreements dictate?
- How many and what types of incidents does the IT department detect in a normal week? Is there a company-mandated threshold in place for notifying executive leadership?
There are more questions than answers when it comes to cyber-related risk. I spoke to a lot of folks that specialize in A&E insurance, legal and risk management, and it’s safe to say that none of us really knows what the future holds for the A&E community and cyber-related risks. The best risk management advice I can offer is to be proactive in assessing your firm’s exposures and continue to tap into the collective resources of your insurance broker and risk manager partners. As noted, this exposure and the insurance market are evolving fast, and all A&E firms should be monitoring this risk closely.
I can’t stress enough the importance of working with your business partners and brokers that have the expertise and resources dedicated to understanding and managing this risk. I’ve cited throughout this blog information shared with me by members of our dedicated cyber team. I have the benefit, along with the rest of our Willis Towers Watson A&E team, of having access to a wide range of specialists within the organization that we can go to on behalf of our A&E clients — and expect I will be talking a lot with our cyber team in the future.