It’s one thing to hear about the hack of a mass-market retailer such as Target, a major event of 2014 that involved network access provided to a contractor. Even this year’s breach of the Democratic National Committee seemed far removed from ordinary business as it involved Russia and U.S. politics.
But Yahoo? You would think an internet company had figured out its exposures. And NSA? Isn’t it supposed to do the hacking?
As U.S. businesses weigh their cyber vulnerability, ENR recently surveyed several hundred design and contracting companies about how they are financing the risks. The answers range from definitive, “We’ve got it comfortably under control,” to “Just studying now.”
A good reason to start is that clients are asking for the coverage in contracts.
“It is becoming a normal request besides additional coverage,” says Anthony Kammas, president of Skyline Risk Management Inc., a New York City-based broker that specializes in construction and real estate.
Companies that haven’t bought insurance coverage for cyber breaches tend to ask whether their property and casualty policies will cover them. But, according to one insurance executive, the carriers didn’t price cyber risks into their property policies and many were still in the process of gauging the exposure and figuring out how to price and underwrite it.
The designers and contractors, meanwhile, are insuring themselves differently depending on the risks they perceive and the requirements imposed in contracts. One big Texas general contractor says it buys blanket coverage for computer viruses and hacking and media and data loss. One medium-size general contractor in Indiana says it buys data breach cost recovery coverage.
The insurance coverage often goes hand-in-hand with upgrades in platform security and advice from brokers and carriers.
For example, one medium-size Connecticut construction manager says it buys business continuity coverage and has made “significant improvements in firewall, malware filtering and hardening of devices. Employees are also receiving cyber security awareness training.”
Other companies cite one particular type of coverage only, such as loss and replacement of documents, privacy liability coverage, network/business interruption or ransomware.
With scant data available so far, insurers are relying on an applicant’s risk-management procedures and risk culture to evaluate the risk and pricing. Before writing coverage, an insurer will probably review a construction company’s network, website, physical assets and intellectual property, says a report on the subject by the National Association of Insurance Commissioners and the Center for Insurance Policy and Research.
No standard package of coverages seems to have taken shape yet, but at least there are plenty of options.
Insurers such as Chubb and Travelers make many different types of coverage available. Chubb’s third-party cyber liability coverage includes unauthorized access or dissemination of private information, reputational injury, security system failures that harm third-party systems and security breaches that prevent access by customers to platforms and information. First-party coverage may include expenses related to notifying of data breaches, vandalism to a company’s systems and threats and “the cost of a professional negotiator and ransom payment.”
Defense costs, settlements or judgments may be covered.
Although neither type of policy has been designed for cyber exposures, “The usual suspects for insurance coverage where cyber insurance has not been purchased include commercial general liability insurance and commercial property insurance,” attorney Patrick O’Connor wrote in a paper presented at Victor O. Schinnerer’s annual meeting for invited attorneys.
According to O’Connor, insurers in 2001 had very specifically separated coverage of electronic data under a commercial general liability policy and defined it very broadly. The definition included data created, used or transmitted by computers. The Insurance Services Office also created a new exclusion in 2004 specifically eliminating electronic data and “damages arising out of the loss of, loss of use, damage to, corruption of, inability to access or inability to manipulate electronic data.”