Blog

Contributed by Angela McKerlich, Capri Insurance

Tender closings, electronic plan rooms, storage of documents and drawings, equipment buy and sell, and Linkedin. These are only a few examples of how advances in technology have increased efficiency, productivity, and precision in the construction industry — and to virtually every business and industry. It has also added another element of complexity for owners and executives to manage.

Behind this online world for each business lives the IT machines that make it go. Hardware, software, servers, back-ups (physical and cloud-based) are deployed by in-house or third party IT specialists with an almost blind faith from management, in hopes that the anti-virus, spam filters, patches, and other proactive measures are effective in preventing a breach. This is the new reality of the cyber world in construction. This type of risk is hidden and is not as tangible as other risks. Most businesses recognize the overt nature of risks such as a fire or a slip and fall and select insurance to ensure their business would be able to withstand a loss caused by such perils. Cyber insurance coverage is not yet dealt with in this same regard, but the devastation it can wreak on a business has the potential to be just as catastrophic.

A hazard such as a fire has protocols and procedures that are designed to mitigate risks – inspections, suppression systems, and risk management practices. Cyber protection of a business should also employ a rigorous process to develop both a risk prevention and incident response plan. Most cyber insurance applications serve as a catalyst in moving towards this process. The questions posed in these applications — including how data is backed up, how fast operations can be reestablished in the case of an attack, and who the best cyber-restoration partners are — quickly determine whether your protocols for preventing a cyber-attack are adequate and consistent with best practices. 

Cyber risks are generally not covered under traditional commercial property or liability policies and often require their own standalone policy. While it is recognized that every business has different needs, the minimum coverages for a cyber policy is 1st party coverage (including privacy breach notification expenses, restoration of systems etc.) and 3rd party liability. As legislation becomes more stringent and demanding of the security surrounding the private information of customers, the need for adequate 3rd party cyber liability limits is paramount. The buyer must beware of inexpensive insurance solutions offered as many of these extensions of coverage provide only counselling services in case of a breach. To compare with traditional insurance, that would be similar to having someone coaching you on how to repair drywall when really what you need is someone to come and fix the wall!  

These coverages have the potential of creating a false sense of security if not understood properly. There is value in having these resources available on the line for consultation, but it is important to recognize that they won’t be the boots on the ground dealing with your breach or system failure.

Insurance advisors are now actively introducing the concept of cyber insurance to their customers. These discussions must occur and be translated to owners and managers with real-life operational examples to make the risk tangible. High profile cyber-attacks do not necessarily resonate with smaller businesses.  However, when contractors recognize that they can be hacked, held ransomed for days, or be victims of social engineering fraud, they understand the devastation this would have on their businesses. 

Claims Example of Social Engineering Fraud

The controller of a private distributor of component parts was responsible for making regular payments to overseas vendors from which the company purchased product for resale in the United States. After many months of working with the vendor and receiving regular shipments, the controller received an email that appeared to come from his contact, indicating that the vendor’s bank was having issues with accepting payments, and asked if the next payment could be made to a new bank. The vendor was located overseas, making verification a challenge. After some pressure was applied by the supposed vendor, the invoice was paid by wire transfer. The following month, when the real vendor realized that its best customer was late on its payment, an investigation determined that the vendor’s email was hacked and an imposter had been socially engineering the company into believing that the change in bank information was authentic. In the end, almost $250,000 was handed over to the fraudster.

Should you wish to have further information or discussion, please give any of our trusted construction advisor’s a call!

Angela McKerlich, Contract Surety Advisor
Brad Sieben, Cyber Advisor, Kelowna
Ryan Fairburn, Construction Risk Advisor, Vernon
Paula Garrecht, Construction Risk Advisor, Kelowna
Lana Hunnie, Construction Risk Advisor, Kelowna
Matt Arruda, Construction Risk Advisor, Kelowna
Morly Bishop, Construction Risk Advisor, Kamloops

Angela is a partner at Capri Insurance, where she manages the construction surety division. Angela has worked in the insurance industry for over 25 years and is a leading expert in innovative surety solutions, educating and teaching contractors, public owners, consultants, accountants, and trade students.  

This article first appeared in the Fall 2017 issue of SICA's Construction Review Magazine. To read the entire magazine click here.