A/E/C Firms Need To Sharpen Focus On Risk Management, Insurance.
Although media reports of hacking incidents and other cyber-crimes typically focus on large-scale events involving retailers, health care, and financial institutions, architecture, engineering, and construction (A/E/C) firms are vulnerable as well.
In recent months, an engineering firm was the victim of an unauthorized withdrawal of $86,000 from its bank account. The loss, initially undetected, was traced to malware that misappropriated its PIN and account information.
At another design firm, a client’s electronic file folder disappeared from its system days before drawings were due to be presented. The firm had to pay a ransom of $1,000 in bitcoin to the cyber criminals to recover the work.
As design firms look for ways to prevent and protect themselves from these attacks, they need to increase their focus on network security, risk management and related insurance.
Cyber-crime risk management. The first step in protecting your firm is to have a sound risk management plan, including:
- Financial controls, including separating requests for payment from approvals and check issuance and signature
- Monthly reconciliation of bank statements and accounting records
- An approval process for any wire transfers or ACH transfers
- A secure computer network, including firewalls, encryption, anti-malware protection and other barriers to intrusions
- Back-up storage of data
- Strong passwords for desktops and all mobile devices
- Monitoring (and possibly testing) of computer systems for intrusion
- Regular updates of all systems, including anti-virus software and “patches”
- Creation of an event response plan and team, including those responsible for risk management, technology, legal, human resources, and finance
Alongside sound risk management measures, firms need appropriate insurance in case there is a loss. To address these cyber and related crime exposures, most design firms should purchase crime/employee dishonesty insurance (or a fidelity bond) and cyber/network security insurance.
Cyber/network security insurance. Some standard insurance policies typically carried by design firms may provide limited cyber/network security coverage, such as a sublimit for this coverage in a package policy, which also provides general liability and property insurance, or in a professional liability policy. Yet, these so-called “add-on” coverages may leave significant gaps in protection.
Thus, the best cyber-insurance option for most firms is a stand-alone cyber/network security policy that covers first-party costs and third-party claims. First-party costs include the cost of notification and credit monitoring for affected individuals and business income lost due to a covered data breach or denial-of-service attack. Third-party claims typically include lawsuits alleging damages from a breach or costs incurred by a design firm’s client for breach-related claims.
Most firms purchase cyber-insurance limits of $1 million to $5 million. Typical coverage sections include: privacy and security liability, breach notification and regulatory compliance costs (also referred to as “event management”), public relations and forensic assistance expenses, business income interruption, cyber extortion payments and regulatory fines and penalties. Often, media liability is also included to protect against claims of copyright infringement.
Nonetheless, depending on the insurance company, stand-alone policies have varied wording and definitions. Design firms should work with their insurance advisors to understand coverage features and restrictions, as well as to address potential coverage issues. These include: the definition of “confidential information,” any prior acts dates/exclusions, whether or not there is a professional services exclusion (which must be deleted or carved back), and whether or not coverage is primary over any other available insurance.
Crime/employee dishonesty insurance. While this coverage may be available as an add-on to a design firm’s package insurance policy, it typically is limited and may be suitable for smaller firms. However, firms with $5 million or more in billings should consider purchasing a stand-alone crime insurance policy.
Stand-alone policies often can be written for a three-year term; policy limits usually run from $500,000 to $5 million or more depending on the size of the firm’s revenues and assets.
Given the expanded risks associated with the internet and cyber-crime, design firms should carefully consider purchasing coverage extensions for “funds transfer fraud” and “computer fraud.” These types of theft are now more widespread and may be excluded from coverage under a package policy. Another key extension, “third party coverage,” addresses loss of monies by a client or others if their funds are in your control.
Protecting your firm from evolving cyber-crime exposures often calls for sound risk management, including the use of specialized insurance. Today, many cyber and crime insurers offer resources to help policyholders assess their risks and prevent losses.
About Ames & Gough: Ames & Gough is an industry-focused specialty insurance brokerage founded in 1992. We serve clients domiciled in 50 states and consult on risk and insurance issues around the world from our offices in Boston, Philadelphia, and Washington, D.C. Most of our professionals are equity partners in the firm. Our exceptional client retention rate is a reflection of our commitment to service. By offering quality people with decades of industry-specific experience who are focused on providing sound advice, Ames & Gough operates as a long-term partner dedicated to helping our clients grow and earn more profit. To contact us and discover how we can help your firm:
You can also meet with Ames & Gough at THRIVE 2016-THE A/E/C INDUSTRY SUMMIT!
They are a sponsor and exhibitor at the event to be held October 12-14 in Nashville. This is just one of the many reasons why you should join us in Nashville! Over the years, CEOs, CFOs, COOs, and other senior-level A/E/C firm leaders from around the world have made sure they don’t miss out on this unique two-day event. In fact, we see many firm leaders come with five, ten, or more members of their leadership team to absorb all that the conference has to offer.