As the move toward BIM and open collaboration gathers momentum, architects, engineers and other service providers are becoming increasingly vulnerable to cyber-attack and need to consider whether or not they should take out cyber insurance.
Cyber risks are varied in nature. Along with the well-understood areas of viruses and theft of data through hacking, there are emerging threats such as ransomware, which locks and prevents access to entire systems until demands for payment are met and access restrictions lifted. Aside from malicious activity, sensitive information can also fall into the wrong hands by accidental means, such as through the inadvertent sending of files to the wrong person or organisation.
Risks are not limited to large organisations; in 2012, around four in 10 such attacks were directed toward small and medium-sized enterprises, according to security software provider Symantec.
Potential costs should not be understated. They can include not only the direct expenses of engaging technology consultants to fix the problem, notifying affected external parties, monitoring bank accounts and potentially paying ransom money, but also the costs of legal defence, third-party compensation, and fines and penalties for breaches of the Privacy Act, according to BJS Insurance Brokers senior account manager Alex Conlon. In addition, Conlon says, there is the loss of income while operations are impacted, as well as any additional expenses incurred to keep operating during the period in which the organisation is affected.
What can be done? The first step is to adopt strategies to manage and reduce risk. According to Jacqueline Romero, a Melbourne-based insurance executive, this involves identifying critical areas of vulnerability and spelling out the actions to be taken when different types of attack occur. It also involves putting appropriate policies and controls in place (including when travelling and using portable equipment such as phones, iPads or laptops), encrypting backup data, securing IT systems and educating workers about the risks involved.
Given the possibility of attacks being instigated from within the organisation, it is also important to be diligent in terms of recruitment practices, Romero says.
“It is fundamental that businesses acknowledge the risk of cyber-attacks and seek to mitigate this risk to ensure where an attack does occur, the business is equipped to manage it and respond/contain the incident to minimise business disruption,” Romero said.
Conlon says it is also important to engage in dialogue with your technology advisor and to talk through what can be done when things go wrong as well as the ways in which they can help.
“Talk to your consultant and gain an insight on their services in dealing with these types of dangers and what they can do to help if there is an attack or breach of that data,” Conlon said.
Beyond prevention, there is the question of insurance. According to Romero, many traditional policies for things like professional indemnity, public and product liability and business interruption do not appropriately cover losses from cyber-attacks. In some cases this is because of specific exclusions embedded in the policy wording; in others, a cyber-attack does not count as an event that triggers a claim, or the costs relating to an attack do not fall within the areas the policy covers.
Instead, one possible option revolves around extensions to traditional policies for things like management liability to cover some specific issues relating to cyber-attacks. Compared with stand-alone products, these tend to be less costly and involve a starting price of only a few hundred dollars. These extensions are, however, generally more limited and restrictive in terms of the protection they offer.
Beyond that, there are the more comprehensive stand-alone cyber insurance products. Previously costing tens of thousands of dollars and being offered primarily by local arms of US-based insurers, these are now more widely available and start at a price range within the realm of a couple of thousand dollars.
Coverage generally falls under three areas:
- Reimbursement of ‘first party’ costs incurred in responding to a breach, including those associated with engaging technology professionals to investigate and resolve the situation, credit monitoring and public relations and costs associated with meeting extortion related demands of the attackers, such as the payment of ransom money.
- Reimbursement of third party related costs, such as claims for compensation as well as costs associated with investigations, fines and penalties arising out of alleged breaches of the Privacy Act along with costs associated with defending those allegations or claims.
- Business interruption reimbursement associated with the loss of profits arising from any breach along with any additional costs associated with continuing regular business operations during the period of the attack.
Policies vary, however, and both the nature of the threats and the insurance options available continue to evolve and differ according to the circumstances of each organisation. Accordingly, Conlon says it is important to talk with your insurance advisor or broker about the options that are right for your individual company.
As business becomes more dependent upon information sharing and technology, risks faced by companies across all professional service areas will continue to evolve.
Managing this threat will require a deliberate approach to minimise risk as well as serious consideration about whether or not cyber insurance is appropriate and what type is suitable.