[BreachExchange] Is your design firm protected from cyber-risks?

[Audrey McNeil]

http://blog.willis.com/2016/08/is-your-design-firm-
protected-from-cyber-risks/

Cyber-risk is evolving fast, and the architect and engineer (A&E) community
should be monitoring the developments closely.  Arguably, design firms take
on considerably less cyber-related risk than large retailers and financial
institutions, which continue to  face huge and costly data breaches.  By
comparison, the typical A&E firm has less first-party or third-party
exposure. First-party exposure includes income loss and extra expense your
firm may incur as result of a computer attack or system failure – and the
costs to recreate lost or stolen data.  Third-party exposure typically
would include those liability costs associated with your firm’s inability
to protect a third party’s sensitive or confidential information.  This
blog will attempt to review these cyber related risks an A&E firm faces and
review important considerations when it comes to transferring and managing
this risk.

There are a lot of “what ifs” when it comes to a design firm’s cyber risk
beginning with: “What are the potential damages to my firm in the event of
a data breach?”  Depending on factors relating to the breach, you may find
your business having to pay for:

Legal fees
Judgments or settlements
Notification costs (depending on state requirements)
Forensic services
Credit monitoring services
Identity-theft-related fraud resolution services
Loss of business and public relations costs
Regulatory defense and penalties
Extortion loss
System disruption
Data recovery expenses

Should an A&E firm purchase a separate cyber-liability policy?

The short answer is that you should definitely consider it.  At the very
least, the exercise of going through the application process and assessing
your firm’s specific cyber-related exposures will put you in a better
position to manage this risk.  If you determine you need to buy a
stand-alone cyber-liability policy, there are plenty of carriers currently
offering this coverage at relatively low cost.  However, while purchasing a
separate cyber policy may be a good idea, or even contractually required by
a specific client, transferring cyber-risk by insurance is only one piece
of the risk management puzzle.

What are my firm’s cyber liability exposures?

Design firms have increased their use of the internet and electronic data
transfer of sensitive information, and more A&E firms have gained
proficiency in building information modeling (BIM) involving multiple
parties on complex projects. So it’s not a matter of “if” but rather “when”
we will start seeing more data breach claims against design firms in my
opinion.  According to our experts in the Cyber/E&O Practice Unit of Willis
Towers Watson, all businesses have the following potential data breach
exposures that they need to recognize:

Malicious insiders. These are insiders who abuse access to sensitive data
for financial gain, typically disgruntled current and former employees who
can exploit back doors of a company’s data systems.
Negligent or unwary insiders. Whether the result of lost laptops or simple
incompetence, businesses have found themselves susceptible to attacks that
exploit traditional security controls (e.g. spear phishing). This includes
employees who fail to embrace or are not properly trained on a company’s
culture of security who find, or stumble, upon ways to circumvent
‘inconvenient’ security controls.
Criminal hackers – Cyber-attacks are occurring at astonishing rate, and no
business is immune. Tactics have evolved from “hit and run” to “infiltrate
and stay.” Black markets exist for all types of personal information, and
with proliferation of mobile platforms, more and more businesses are
vulnerable.  This includes “ransomware” attacks where a business has its
data seized and later is extorted to pay a ransom for its release.

F.A.Q.

Design firms are now grappling with a lot of frequently asked questions
when it comes to data breach exposures:

What coverage would apply if a hacker plants malware and corrupts our
firm’s data systems, causing interruption to our business?
What if we are hosting a BIM site and our system crashes, causing
consequential delay damages – is this covered?
What if we lose confidential data belonging to our client and they sue us?
What if our data systems are compromised and we lose sensitive employee
information such as social security numbers?
What does our PL practice policy cover for data breach claims?
What if our firm is hacked with ransomware – what should we do and is this
covered?
What gaps do we have when it comes to cyber-related risk?
What additional protection do I get with a separate cyber liability policy?

Unfortunately, there are no simple answers to these questions.  Both
cyber-related exposures and the insurance community’s response to this risk
are evolving rapidly. There are myriad interrelated variables that could be
involved in a given cyber incident, and coverage would depend on the facts
of a given claim.

What is the insurance community’s position on cyber-risk?

We asked over a dozen leading A&E insurance carriers and attorneys whether
they have seen any data breach claims in the segment, and the general
response was “no.”  However, these same folks  weren’t nearly as consistent
when asked if they anticipate an escalation in data breach claims against
design firms in the future.  The responses to this question ranged from “we
definitely expect cyber related claims to increase in the future” to “we
highly doubt that cyber-risks will significantly impact A&E firms.”  In
other words, nobody really knows.

There is little meaningful historical data or loss info on cyber-claims
that actuaries can use to establish pricing and terms. As a result, pricing
and coverage terms can and will fluctuate greatly from one carrier to the
next — and the outlook on products and pricing is uncertain.

While a contributing factor in all of this is the fact that this exposure
is relatively new, it also has to be recognized that insurance companies
may not have historically gathered or shared  meaningful loss data.  I
don’t believe this is intentional but is rather because  some  insurance
carriers are more reactive than proactive in their response to industry and
loss trends.

It’s worth noting that there are reportedly over 30 insurance carriers now
offering cyber insurance, and written premiums are approaching $3 billion.
So it’s clear there is a perceived risk and need within the general
marketplace.  A recent State of The Cyber Market Report from the Willis
Towers Watson Cyber Practice  noted that a hardening of the cyber insurance
market persists.  Further, our cyber experts do not expect the marketplace
to flatten out any time soon.  They see cyber threats escalating as a
result of several factors: cyber criminals with varying agendas, growing
technology risks associated with the expansion of the mobile workforce,
broad adoption of “bring your own device” (BYOD) policies, and innovations
in technology that will only expand threats to data privacy and security.

As this exposure evolves and claims pick up, we can expect the insurance
marketplace to respond by developing new products as well as adding — and
excluding — cyber- related exposures. Many general liability policies are
now endorsed to exclude liability for data breach using a CG21060514 or
equivalent that excludes coverage for “access or disclosure of confidential
or personal information and data-related liability.”

What insurance coverage is available to transfer cyber risk?

It’s fair to say that A&E firms may have some coverage under both their
professional liability (PL) and business owners policy (BOP)/Package
policies for cyber-related risks.  However, there are some gray areas that
a prudent risk manager will want to address to understand whether their
firm is exposed to possible gaps for data breach claims under its current
insurance program. In addition, we can anticipate that if and when these
data breach claims start rolling in, most insurance carriers will respond
with reservation of rights letters as they attempt to sort out the facts of
a given matter to determine what, if any, coverage is available under their
respective policies.

Cyber coverage under an A&E’s PL policy

Professional liability (PL) policies provide indemnity for losses
pertaining to a covered error, omission or negligent act — including breach
of contract, vicarious and consequential damages — committed in the conduct
of the insured’s professional business.

Whether an A&E firm’s PL policy will cover a given cyber claim will largely
depend on whether it can be determined a data breach occurred in the
performance of the A&E’s professional services.  It’s important to note
that the standard of care of an A&E firm evolves over time, and with
advancements in technology, including the significant use of building
information modeling (BIM), I believe that, depending on the nature of the
claim, there is a fair amount of coverage under most A&E firms’ PL practice
policies for third-party data breach exposures — and that we will see this
tested in the near future.

In addition, many PL carriers will include or endorse their PL practice
policies to offer additional cyber-related coverage.  This will vary
significantly from carrier to carrier and may very well not provide all the
coverage an A&E firm will need to cover all its cyber-related exposures or
meet specific contractual obligations to carry cyber coverage.  The
additional cyber coverage that an A&E PL practice policy might offer would
include:

Technology-based services coverage
Technology products coverage
Computer network security coverage
Multimedia and advertising coverage

Again, any cyber liability coverage under a PL policy would be limited to a
claim arising out of a wrongful act in the performance of the design firm’s
professional services.  And, all A&E PL policies exclude liability assumed
by the firm under any contract – unless the firm would have been liable in
the absence of that contract.  In other words, is it within the standard of
care for the A&E firm to be providing these services?

While an A&E PL policy may provide some level of cyber coverage, this again
may vary significantly from carrier to carrier, and the policy may provide
a reduced or sub-limit for this “additional” coverage.  For example, a PL
practice policy may provide cyber-security breach response reimbursement to:

investigate the breach
notify any parties affected by the breach
perform credit monitoring service for your clients’ individual personal
data or your clients’ corporate data lost because of the breach
restore or recreate, if possible, clients’ lost content caused by the breach

However, while this additional coverage seems nice to have, it may very
well not be sufficient to fully cover this exposure or meet a contractual
requirement. This is because an “additional payment” provision in these
policies is often for a limit of coverage well under the full PL policy
limit, with some as low as $25,000 or $50,000.  Is $50,000 enough to cover
the expenses a firm might have to fully investigate a breach and restore or
recreate a client’s lost content caused by a breach?  Probably not.

I feel it’s also fair to question whether this additional cyber coverage
some A&E PL carriers are adding to their PL practice policies is a good
thing.  Might a firm be better off having a PL policy that is silent on all
of this — allowing coverage for data breach claims to be determined based
on the full terms of the policy, which is closely tied to the standard of
care of a design professional?  Could coverage be limited to these
“additional payments” versus having the full limits of the firm’s PL
practice policy available to cover these exposures?  I certainly don’t
think this would be the intent; however, like any contract, these policies
are up for interpretation.

Cyber coverage under the A&E’s GL/BOP policy

The professional liability exposure of a Design Firm, covered by a PL
Practice policy, is by far its greatest risk.  We simply don’t see nearly
the level of claim activity from our A&E clients against their other P&C
products.  Many A&E firms have a Business Owners Policy (BOP) or Package
policy covering their Property, General Liability (GL) and Automobile
Liability exposures.  A BOP or Package policy is intended to protect a firm
for its bodily injury (BI) and property damage (PD) office exposures.  The
typical BOP or Package policy for an A&E firm would most likely not provide
any meaningful cyber related coverage.  The PD coverage under a BOP/Package
policy is intended to cover damage to tangible property – and data is not
“tangible”.  We are seeing A&E P&C carriers add endorsements for cyber on
these products however, these are typically being added to clarify that
they are not intended to cover data breach claims.  In short, while some
firms may have in fact received some coverage under their BOP/Package
policies for cyber related claims, such as extra expense for a ransomware
attack, I would say this is the exception and not the rule.  I would also
anticipate carriers will be fine-tuning these products in the not too
distant future to clarify that it is not the intent to cover these cyber
related risks.

Ransomware

One area where carriers have recently paid out on some cyber related claims
is due to ransomware.  Ransomware again is when a business has its data
seized and later is extorted to pay a ransom often in bitcoin for its
release. Some A&E BOP/Package policies have a sublimit for “electronic
vandalism”. This covers costs to restore data but this sub-limit (if
available at all) may not be enough to cover these damages when the extra
expense and business interruption costs are factored in.

An A&E’s BOP and Package policies typically won’t pay for the ransom. The
FBI notes that there is no guarantee the cyber-criminals will unlock a
firm’s files after the ransom is paid. In a report recently posted to its
website, “Incidents of Ransomware on the Rise – Protect Yourself and Your
Organization,” the FBI states, “Ransomware attacks are not only
proliferating, they’re becoming more sophisticated. Several years ago,
ransomware was normally delivered through spam e-mails, but because e-mail
systems got better at filtering out spam, cyber-criminals turned to spear
phishing e-mails targeting specific individuals.

And in newly identified instances of ransomware, some cyber criminals
aren’t using e-mails at all. According to FBI Cyber Division Assistant
Director James Trainor, “These criminals have evolved over time and now
bypass the need for an individual to click on a link. They do this by
seeding legitimate websites with malicious code, taking advantage of
unpatched software on end-user computers.”

The FBI doesn’t support paying a ransom in response to a ransomware attack.
Not only is there no guarantee the firm will get its data back, paying a
ransom emboldens current cyber criminals to target more organizations and
offers an incentive for other criminals to get involved in this type of
illegal activity.  And finally, by paying a ransom, an organization might
inadvertently fund other criminal activity.

So what does the FBI recommend? As ransomware techniques and malware
continue to evolve — and because it’s difficult to detect a ransomware
compromise before it’s too late — organizations should focus on two main
areas:

Prevention efforts, including awareness training for employees and robust
technical prevention controls
The creation of a solid business continuity plan in the event of a
ransomware attack. (See sidebar for more information.)

Often these ransom demands are for dollar amounts (in bitcoin) under a
firm’s deductible.  Needless to say this places a firm in a precarious
position.  Pay the ransom or risk losing valuable data.  Regardless, I
would recommend that any subject to ransomware should report it immediately
to its insurance carrier(s) and broker to get their input on how best to
respond.

Separate cyber-liability coverage

As I’ve noted, there may be coverages under both an A&E’s PL and
Package/BOP policies for specific data-breach-related claims; however,
these coverages may not be sufficient. It may be necessary for A&E firms to
secure separate cyber-coverage to adequately protect against losses and
liabilities not covered under their current insurance program.  In fact,
given the broad coverage provided by a stand-alone cyber-liability policy
and the relatively low cost, I would recommend that every A&E firm
seriously consider purchasing this insurance. In addition, we are seeing
more and more contracts requiring specific cyber coverage that only a
stand-alone cyber policy would satisfy.

Some specific coverage features and benefits under a stand-alone cyber
liability policy include the following:

Business Interruption & Extra Expenses

Covers lost online & offline income, as long as your income is network
dependent and the loss is caused by security breach or errors plus expenses
of avoiding such a loss.

Dependent Business Interruption

Covers lost online & offline income, as long as your income is network
dependent and the loss is caused by a third party’s network security
failure or error, plus expenses of avoiding such a loss.

Content Injury Liability (Media)

Defamation, disparagement, copyright, trademark, publicity rights and
content errors, etc.  Covers computer readable content and can be expanded
to all media.

Data Restoration / Digital Assets

Covers costs to recreate or restore network to pre-loss conditions.
Attacks covered include those instigated by employees.

Network Extortion Pays credible extortionist demands and response costs to
demands for money against threats to release private information or bring
down a network.

With regards to cyber extortion, there is a cyber extortion portion of the
‘cyber’ coverage that will address the cyber extortion claims. The coverage
will pay for the costs associated with the extortion attempt (forensics
expert to determine if there is a real threat and if it’s possible to
remove the threat) and also the pay ransom, if necessary.  Of course there
will be a retention that applies to this coverage. If the extortion demand
is below the retention, the insured will have to satisfy the retention
before the coverage is triggered. In any event, the insured will have the
benefits of utilizing pre-approved vendors at a pre-negotiated rate that is
significantly less than if they were to hire these vendors post incident.

Steps your firm can take to assume and control cyber risk

As noted, transferring cyber-liability risk through insurance is only one
piece of the risk management puzzle. The intangible costs associated with a
claim or client dispute, including the distraction to a business and its
reputation, can be greater than any hard costs of insurance premiums and
deductibles.  An A&E firm needs to consider how best to assume and control
this risk.  If you are interested in purchasing a separate cyber policy,
most carriers will assess whether or not your firm has specific risk
management protocols in place as part of their underwriting process.

Our cyber experts advises that the following underwriting questions be
considered in assessing and pricing cyber liability products:

Governance and risk assessment requiring current, tailored processes with
senior management and board involvement
Access rights and controls inside and outside the enterprise, including
credentialing, access tracking and bring your own devices (BYOD) policies
Encryption of Personal Identifiable Information (PII), Personal Health
Information (PHI) and the transmission lines in the credit processing
systems (If PII cannot be encrypted, underwriters look for compensating
controls for the protection and monitoring of data, including file
integrity monitoring and malware detection.)
Data loss prevention, including patch management, system configuration and
outbound communications, with special emphasis on PII
Vendor management that includes due diligence at the time of selection and
downstream compliance controls over third-party providers
Training of employees and vendors
Incident response plans and data protection priorities

While the average A&E firm may not be subjected to the same level of
underwriting scrutiny as large retailers and financial institutions, the
underwriting questions above are an excellent place to start for any
business reviewing its risk management protocol.  Additional questions
include:

What cyber exposure does the firm face and what are the plans to address
these risks?
How informed is executive leadership about the current level and potential
business impact of cyber-risk to the company?
What coverage gaps exist in traditional insurance policies that would not
respond to a cyber event? (i.e. cyber business interruption vs. property
business interruption)
What is the potential loss of net income/profit that would be incurred if
the firm’s network were shut down due to a cyber event?
Is there a well thought-out incident response plan for cyber events and has
it been tested? Does the plan respond enterprise wide?
How much information personally identifiable information, personal health
information and corporate confidential information is in your possession?
Do you have any obligations if data are outsourced to a third party? What
do vendor agreements dictate?
How many and what types of incidents does the IT department detect in a
normal week? Is there a company-mandated threshold in place for notifying
executive leadership?

There are more questions than answers when it comes to cyber-related risk.
I spoke to a lot of folks that specialize in A&E insurance, legal and risk
management, and it’s safe to say that none of us really knows what the
future holds for the A&E community and cyber-related risks. The best risk
management advice I can offer is to be proactive in assessing your firm’s
exposures and continue to tap into the collective resources of your
insurance broker and risk manager partners.  As noted, this exposure and
the insurance market are evolving fast, and all A&E firms should be
monitoring this risk closely.

I can’t stress enough the importance of working with your business partners
and brokers that have the expertise and resources dedicated to
understanding and managing this risk.  I’ve cited throughout this blog
information shared with me by members of our dedicated cyber team.  I have
the benefit, along with the rest of our Willis Towers Watson A&E team, of
having access to a wide range of specialists within the organization that
we can go to on behalf of our A&E clients — and expect I will be talking a
lot with our cyber team in the future.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.riskbasedsecurity.com/pipermail/breachexchange/attachments/20160811/e170e624/attachment.html>