Firms should evaluate their services, internal IT systems and controls, and check their insurance to make sure they have the protection they need.
There’s an increased wave of cybercrime. It involves costly ransomware and cyberextortion attacks against numerous businesses of all sizes and government entities and serves to underscore the need for design firms to be adequately prepared and protected.
For AEC firms of any size, the impact of cyberattacks can be devastating. They can result in everything from extended disruption of services and damage to computer software and hardware to significant repair costs and enduring reputational damage. Indeed, a growing number of design firms have been victimized by hacking incidents. They’ve suffered from efforts to fraudulently secure wire transfers of monies, actually shutting down a design firm’s computer system for a week, and more.
Understand policy differences. Today, building a proactive risk management program to address cyber risks requires enterprise-wide participation and collaboration. Large firms with departmental functions, such as finance/accounting, information technology, security, human resources, and marketing, need the engagement of each function, along with their risk/insurance advisor. Notably, having a cyber insurance policy in place brings resources available from the insurance carrier; whether up front advice or forensic, technical expertise during and after a cyber-event.
As a first step in evaluating any coverage you already have in place or may need, be aware of the distinction between technology coverage and cyber coverage. Specifically, technology coverage is not always offered in a cyber policy as it is intended to cover the insured for liabilities arising out of technology services (analogous to your Errors & Omissions policy, which covers design firms for liabilities arising out of A/E/CM-related professional services). There is also a “cyber” related set of coverages intended to cover the policyholder relative to Personally Identifiable Information, hacking, etc.
Some policies typically purchased by design firms, such as business owner’s policy, property insurance, crime, professional liability, and directors and officer’s liability, may provide some specific coverage endorsements to address cyber-related incidents and losses. For instance, coverages that may be available under a BOP or property policy include:
- Targeted Hacker Attack/Electronic Vandalism, which covers costs involving damage or destruction of electronic data caused by a hacker.
- Interruption of Computer Operations, which covers lost income due to direct physical loss or damage to electronic data processing equipment and media.
- Employee Dishonesty/Computer Fraud, which covers loss or damage resulting from employee theft, often including use of computer systems or fraudulent electronic funds transfer.
Each coverage is intended to respond when the loss affects the firm’s money or securities. Note that several of these coverages also may be available under stand-alone, crime insurance policies.
Meeting contractual insurance requirements. Many clients now contractually require design firms to obtain specific coverages to address cyber-exposures, especially when the work involves the use of technology, such as building information modeling. As your firm looks to sign an agreement with a new client or even with an existing client, don’t be surprised to see insurance specifications of a page or more describing the various coverage areas to be satisfied.
In recent years, more professional liability insurers have responded by offering broader technology and cyber-related coverage as part of their standard AEC professional liability policies. These enhancements are continually evolving and may offer suitable solutions for some firms. Be aware, however, that many AEC firms still may need stand-alone cyber insurance policies to satisfy their contractual requirements and to meet their own needs for more robust protection.
Stand-alone cyber risk insurance policies. A number of insurance companies writing design firm professional liability insurance also have underwriting units dedicated to the technology market segment. In addition, other carriers not in the design firm market, are also adeptly able to underwrite the cyber coverage and tailor it to a design firm’s risks and other insurances. The stand-alone cyber policies often contain multiple insuring agreements, or “modules,” including:
- Privacy Injury Liability, protecting the design firm from the cost of judgments or settlements, and associated defense costs, from any unauthorized access to confidential information (either corporate or individual).
- Network Security Liability, covering an error or omission that results in a breach of security in the firm’s computer network that results in network damage, unauthorized use or disclosure of information on the network; or inability of authorized third parties to access the network.
- Privacy Regulation Proceeding coverage, which reimburses the insured firm for costs associated with a civil, administrative, or regulatory proceeding by a federal, state, local, or foreign governmental authority alleging any violation of a Security Breach Notice Law.
- Privacy Event Expense Reimbursement for necessary expenses incurred to comply with Security Breach Notice Laws or related regulations and retain crisis management resources.
- Privacy Regulation Investigation Expense Reimbursement for all reasonable expenses required to respond to an investigation by a federal, state, local, or foreign governmental authority in connection with a Security Breach Notice Law.
- Extortion Demand Reimbursement for reasonable expenses incurred to respond to a demand when the firm believes there is imminent danger of a loss or damage to the network, loss of confidential information or defacement of the firm’s website.
- First Party Network Interruption & Extra Expense Coverage to cover lost income related to a network shutdown caused by unauthorized access, electronic virus, or denial of service attack.
Note that some of these coverages may not be available from all insurers; others may be sublimited or require additional premium. The stand-alone policies also have exclusions and policy conditions, which may limit coverage. A key consideration: A wide array of carriers now offer technology/cyber polices and the coverages can be equally wide-ranging; make sure you understand exactly what you’re buying and that it keeps pace with the market and exposures each renewal.
For many design firms, the utilization of technology tools has become a growing part of their standard services, which brings greater and different risk. Firms should evaluate their services, internal IT systems, and controls, and check their insurance to make sure they have the protection they need.
Rob Hughes, senior vice president and partner, Ames & Gough. He can be reached at firstname.lastname@example.org.