CYBER LIABILITY EXPOSURES IN CONSTRUCTION
BY LAWRENCE LEJFER AND MIKE ZYSMAN, CRIS
Know any contractors who don’t use a single computer? Not likely.
The use of technology and computing infrastructure is vital in the day-to-day operations of running a business. And as a result, the amount of private data and information being used and stored by organizations is growing at a staggering rate. So here’s the question:
When will your company fall victim to an attack that can expose your (or your clients’) private data and information? Saying you can never fall victim to cyber risk is like driving a car and insisting you’ll never have an accident. In today’s digitally connected world, the odds are just not in your favor.
To put it in perspective, there were over 117,000 cyber attacks per day in 2014. That’s up nearly 50 percent from the previous year. At that rate there have already been 40 cyber attacks in the time it’s taken you to read this far in the article.
WHAT IS CYBER RISK?
Cyber risks are those exposures associated with computers, electronics or communication systems. A range of cyber risks exists, including:
• Simple data breaches
• Failures of an electronic system
• Cyber attacks or terrorism
• Everything in between
These risks all have one thing in common—they are costly to fix and can destroy a business. According to a report by Kaspersky Lab, the average data security incident costs a company nearly three-quarters of a million dollars.
And because the construction industry is increasingly more reliant on not only their own systems, but the systems of their vendors, subcontractors and clients, the risks increase exponentially.
THE THREAT IS REAL
As construction companies become increasingly dependent on all forms of technology to deliver high-quality competitive projects, their cyber liability exposures increase as well. For a typical contractor, information such as employee records, customer lists, bid data, contracts, financial records and a multitude of other data and information is stored on their servers or those of the service providers and vendors they contract with. Contractors are obligated, like any other business, to protect sensitive data and information. It is crucial to recognize these exposures and understand where your organization might be vulnerable.
There are four root causes of cyber risk for a typical business:
• Malicious attacks (including crimeware)
• Inadequate security
• System glitches
• Employee-related causes
Carelessness (lost passwords, stolen laptops/tablets)
Mobility (use of unsecured networks)
Disgruntled current or former colleagues
Malicious attacks are the most common way for a company’s cyber security to be compromised. These attacks are frequently caused by viruses, worms, spear phishing, advanced persistent threats (APT) and Trojans. They can be crippling, resulting in business interruption (or worse), and are rampant and costly.
A TARGET ON YOUR BACK
Hackers used APT to initiate the high-profile 2013 Target breach. APT is a type of network attack in which a hacker accesses the targeted network and remains there unnoticed for an extended period of time. The goal of APTs is typical data theft.
The hackers gained access via an employee of an HVAC subcontractor performing work for Target. The employee opened a link in an email received through their own e-mail system. Clicking the link released password-stealing malware onto that employee’s computer.
The subcontractor had a data connection to Target for electronic billing, contract submission and project management. Once inside its system, the hackers were able to gain access to Target’s e-billing system, which opened the door for them to install malware on nearly every point-of-sale device that stores credit and debit card information when a customer’s card is swiped.
The breach has reportedly cost Target approximately $148 million. The associated costs to financial institutions are reportedly about $200 million.
Any contractor that is linked to a client’s computer systems in any way can cause a similar breach. A malware attack such as the one used against Target falls under the category of a crimeware attack.
Crimeware covers the use of any malware to compromise systems such as servers and desktops. According to Verizon’s 2014 Data Breach Investigation Report, 33 percent of all reported crimeware incidents occurred in the construction industry. It is expected that the number of incidents will continue to increase year over year.
Contractors must understand what went wrong with the subcontractor in the Target cyber crisis and learn how to prevent a similar situation from happening to their own companies.
ANATOMY OF A BREACH
Data breaches all follow a basic timeline of events:
• First response
• External issues
• Long-term consequences
The first step in the process is discovery of the actual or alleged breach — theft, loss or unauthorized collection of information. Ideally, the best way to find out about a breach is through self-discovery. Establishing security processes and protocols is crucial to discovering a breach as quickly as possible. Containing an attack before harm is caused helps reduce the chances that the breach can turn into a major (and more costly) event. Breaches that are not self-discovered, may be brought to the victim’s attention through a customer inquiry, vendor discovery, regulators or even law enforcement. Should the discovery be found by a regulator or law enforcement, the odds are that the damages could be very severe. In the case of Target, the Department of Justice made them aware of the breach three months after the attackers originally gained access to the subcontractor’s network. All in all, the earlier the breach is discovered, the better the chance at minimizing damages, whether they be reputational, technical or financial.
Once the discovery of the breach occurs, the first response should be made by both a forensic investigator and a legal team. It is important for the forensics team to explain what exactly happened in conjunction with the legal team laying out the options and obligations of the affected party moving forward. As can be expected, the cost of this investigation could be very costly, without even getting into long-term consequences. As a result of the initial investigation, some external issues such as public relations and notification of other affected parties will need to be dealt with. In the long term, consequences of the breach could be income loss, damage to brand or reputation, fines and penalties or civil litigation.
ALREADY COVERED? PROBABLY NOT
Most contractors purchase traditional insurance lines such as Commercial general liability (CGL), crime, cdirectors & officers, professional liability and first party property. The area of cyber liability is still relatively new. As case law evolves, so do interpretations of traditional insurance coverage. It is important to understand exactly how these policies would react to a claim situation.
DON’T BE A VICTIM
As organizations increase their understanding of the cyber exposures they face, then they can begin working on ways to insure those exposures.
A typical cyber and technology liability policy will contain both first and third-party coverage parts.
• Breach notification and crisis response services
• Data recovery expenses
• Business interruption
• Cyber extortion
• Security and privacy liability – civil & regulatory
• Network security liability – viruses, malware
• Technology errors and omissions
Additional Coverage available by endorsement
• Assessed PCI (Payment Card Industry) fines and penalties
• Dependent business interruption
Within the coverage available, there are certain things contractors should pay particular attention to:
Direct data theft. The response to theft of customer records, bid data and financial information could be an important coverage to consider.
Credential theft. In addition, contractors often have log-in credentials for systems outside of their immediate control. Coverage is provided to cover the theft of the log-in credentials, such as the log in information stolen from the subcontractor, which provided access to Target’s system.
Business interruption. Another key concern for contractors might be the business interruption that could occur due to a breach. Coverage for business interruption expenses is important to keeping a business running (and projects on schedule) long after the breach is dealt with.
In addition to insurance coverage, contractors can protect themselves through basic risk management: Among the things a contract can do to reduce cyber liability exposures are:
• Ensure strong password protection for all company systems and individual email accounts and logins.
• Review and revise (as necessary) current cyber security procedures.
• Hire a cyber security expert to help look for vulnerabilities.
• Analyze cyber security issues and exposures before.
• Provide mandatory cyber security training for all employees. (Simple training about email phishing could have prevented the Target breach and all of the resultant losses.)
As companies increasingly rely on technology to perform more day-to-day tasks, and as technology continues to shape the way business is done, the need for cyber insurance will only increase. Having a better understanding of the exposures and how you can protect your organization through insurance and risk mitigation practices is the first step to insuring against a catastrophic loss that could damage or destroy your business.
Lawrence Lejfer is vice president – senior underwriter and Mike Zysman, CRIS is an associate underwriter in XL Catlin’s Construction Professional Liability business, part of XL Catlin’s North America Construction insurance business. The XL Catlin insurance companies offer property, casualty, professional, financial lines and specialty insurance products globally. Businesses that are moving the world forward choose XL Catlin, a member of multiple AGC chapters, as their partner. To learn more, visit xlcatlin.com.