18 October 2022

The construction industry continues to evolve at pace with new technologies coming into play, a marked increase in digital adoption and greater collaboration to deliver projects. As a result, the sector has a growing exposure to cyber risk.

Over the last three years there have been a number of well-publicised cyber incidents involving tier one design and build contractors. These incidents, however, are not exclusive to large contractors; small to medium-sized firms are equally exposed. Underlining that, the National Cyber Security Centre (NCSC), an organisation of the UK government providing advice and support for the public and private sector in how to avoid cyber security threats, recently published a guidance note for SME construction businesses on how to better protect themselves from cyber-attacks.

Cyber risks: not necessarily covered by traditional insurance policies

Cyber incidents, whether the result of malicious intent or human error, can have a material impact on a firm’s finances and reputation. The immediate costs of responding to a cyber-attack, or major outage, can run into millions of pounds, and significantly higher where business interruption, legal and regulatory consequences occur.

The risks presented by the use of technology within the construction industry are not always fully covered by traditional insurance policies:

  • General liability - policies often have data and technology exclusions and do not respond to intangible property damage.
  • Property - policies provide loss of revenue cover only when there is direct physical damage to the insured property. Cyber events caused by hackers or employees, and non-physical business interruption are not covered.
  • Professional indemnity - policies may provide a small amount of cover, but only for third-party losses arising from the professional services covered under the policy.
  • Broader considerations - the construction industry is subject to administrative and industrial compliance regulations and privacy laws, all of which involve cyber exposures.

How standalone cyber insurance can be the solution

The following case studies are examples of construction specific cyber exposures that would be covered under a standalone cyber insurance policy:

Social Engineering

Firm A, a construction contractor, is contacted by Firm B, a supplier of raw materials, and instructed that payment of an outstanding invoice is to be made to a new bank account. Firm B provide the details, and Firm A’s accounting department pays the invoice to the new account. 

The following week Firm B contacts Firm A asking for payment for the same outstanding invoice. After investigating, it transpires that Firm A had paid funds to a fraudster who had hacked their invoice system and impersonated Firm B.

A standalone cyber policy could reimburse Firm A for the amount of the outstanding invoice, as well as cover the costs to investigate and remediate the security failure of the invoice system. 

Data/Software Restoration

Firm A is in the process of bidding for a new project and has been using specialist software to develop the design. A rogue employee loads malware that corrupts and deletes huge sections of the data stored on Firm A’s corporate servers. Backup files have also been corrupted, but are recoverable with the support of IT forensic experts. This includes the designs and drawings that have been created as part of the bid for the new building project, which need to be restored or recreated; otherwise Firm A are at risk of losing the business opportunity.

A standalone cyber policy can cover the spectrum of Firm A’s expenses, from identifying the source of the malware attack to the cost of recovering lost data and rebuilding of IT systems.  


Firm A uses Building Information Modelling (BIM) technology to ensure the smooth execution of their construction projects. An employee at Firm A is the victim of a phishing campaign, opening an email and clicking on a link that releases malware that ransoms the firm’s data stored on the corporate servers. Access to the BIM technology is lost, causing issues as subcontractors and vendors cannot log onto the system to update their progress or tell Firm A when deliveries have been made. The delay leads to chaos across multiple building projects, with the threat of penalties. The ransomware demands payment of cryptocurrency for the release of the systems and data.

A ransomware event will usually trigger several parts of a standalone cyber policy, including both First and Third party elements, in addition to the actual ransom demand, where insurable by law.

For First party coverages, breach response services take immediate effect to identify the source of attack and get Firm A’s business back up and running as soon as possible, thereby limiting downtime. The policy would also cover loss of income or increased costs of working from the ransomware attack. From a liability perspective, a cyber policy can also cover defence costs of any subsequent litigation.

Talk to a cyber risk specialist

Cyber is an important strategic risk to recognise and manage in today’s world, and it is a frequent misperception that cyber criminals are unlikely to attack the construction sector.

With the level and type of cyber risks faced by firms highly dependent on their individual activities and processes, working with a broker who understands such exposures and what the insurance market can offer to provide true protection is paramount.

More and more construction firms are rightly taking up cyber insurance. Contact our experts below to discuss how Miller can assist.