Your guide to monitoring the unseen risk
by Troy Carlson
Monday, October 17, 2016

Most of us have emails filling our inboxes throughout each workday. Often, it seems like a job in and of itself just to keep up with them. When an invoice comes across your desk, you typically review it, approve it or reject it, and move on. Imagine your surprise when you receive an email from a client you have been working with, confirming that they have paid their invoice.

Confused, you respond that you have not invoiced them, yet they are able to forward you an email that looks like it is from you. You check your inbox—did someone else create and send an invoice? It sure looks like it came from you, until you look at the account number. Shocked, you realize that you don’t recognize the account. Ask yourself, how well do you know the account numbers for each client?

Most of us don’t pay attention to those details. After frantic phone calls back and forth, it comes to light that your system has been hacked, and your client just sent thousands of dollars to the hacker, which they will likely never be able to retrieve. You have now put your own financial future at risk, as your biggest client wonders what you are doing that exposed you to such risk. So now what?

Unfortunately, this is a very real scenario that plays out daily throughout the United States. A majority of construction clients who haven’t been faced with a situation like this often think cybersecurity doesn’t apply to them. If they do, they have a policy to cover it, yet they have little to no idea about what the policy includes.

Cyber Risk in Construction

With the growing use of digital technology, the construction industry is more vulnerable than ever to cybersecurity threats. With the amount of work now completed online and on computers or tablets—from building information modeling (BIM) to invoices, building automation services and everyday correspondence about projects—construction companies are opened up to innumerable cybersecurity threats and liability. If a company is not adequately protected against exposure, the associated costs can be financially crippling.

Don’t Be Left Unprotected

Cyberthreats expose companies to liability risks constantly. For example, if you unknowingly send someone a virus that attacks their system and gives a hacker access to sensitive information, that would come back as a liability claim against your cyber liability policy.

This is why cyber liability insurance is an essential part of doing business in the 21st century. Before a cyber incident or data breach occurs, ensure that cyber incidents are endorsed on your crime insurance policy or that you have comprehensive cyber coverage.

Some elements to look for in your cyber coverage include:

  • Data breach/privacy code—This should spell out who is responsible for expenses related to the management of an incident, such as the investigation, remediation, data subject notification, call management, credit checking for data subject, legal costs, court attendance and regulatory fines.
  • Multimedia/media liability—If your employees are posting to social media on the jobsite or taking photos and videos, there is always the possibility of them getting footage of injuries or safety violations. In addition to having a social media policy in your employee handbook—including how the name of the company can be used in social media—you can also customize your insurance policy to cover any potential liability. Third-party damages covered can include specific defacement of website and intellectual property rights infringement.
  • Extortion liability—This will address losses due to a threat of extortion and professional fees related to dealing with extortion.
  • Network security—This will detail third-party damages as a result of denial of access, costs related to data on third-party suppliers and costs related to the theft of data on third-party systems.

Some of these elements may overlap with coverage from existing products, including those for business continuity, third-party supply chain issues and professional indemnity.

Work with your insurance broker to ensure that even if an overlap exists, your cyber liability policy will ensure identified cyber risks are covered.

Considerations for Cyber Liability Insurance

Cybersecurity is such a complex issue that it takes a number of players with different specialties to fully protect a company. When you are looking to create or renew an insurance policy, find an insurance company that specifically addresses cybersecurity. No carrier is the same, just like no business is the same.

The following basic considerations will guide you in your decision-making process:

  • Determine what costs or expenses and what types of incidents you would like to have covered. Discuss this list with key members of your team, making sure to get any information you need from third-party suppliers and partners. List both your own costs (first-party costs) and the costs others may attempt to claim from you as a result of an incident (third-party costs).
  • Getting the right broker is important. The right broker will understand your company and the unique risks you face in the construction industry. They will save you time, bring you up to speed on the latest risks and help you determine what is right for your business. Keep in mind that this may not be the broker you are currently using for your noncyber risks.
  • Share your list of estimated expenses and costs with your broker and discuss exclusions that make sense for your company. With this information, your broker will be able to place your company with the right insurance company to meet your needs. This is key, as having the right insurance company can be the difference between paying little for coverage that you will never be able to utilize in the event of an incident or having cost-effective coverage, where the insurer understands the implications of a breach and the costs associated with it.
  • Selecting the right policy for your business can be a very complex exercise, which is another reason why a broker is important. They are likely to know the best products to suit your needs. It is also important to understand the support you receive as part of your coverage. Some policies provide a point of contact who will handle everything from the moment the insurer has made a claim, whereas others will let you manage the incident and decide which services you want to use from their list of suppliers. If your company does not have the people or experience to manage a data breach incident, a third-party supplier can often be a better route to take.

No two companies are the same when it comes to cyber risks. It is essential to understand the cyber risks your business faces, have a plan in place for when a breach occurs and ensure your cyber policy is tailored to mirror those risks and work with your plan. Doing this will help mitigate the potential losses your company could face in the event of a breach.

Utilize Available Resources

Any type of cyber breach can cripple an organization by causing downtime or reputational damage. Now that the big corporations have so many tools in place and full-time IT departments to combat cyberthreats, hackers are going after smaller businesses and contractors without those available resources.

Align yourself with the right risk management and IT team, and you will be less likely to fall victim to these attacks.


Troy Carlson is a strategic risk advisor for McClone. He is a certified Construction Risk Insurance Specialist (CRIS). He is involved with Construction Financial Management Association (CFMA Fox River Valley), serves as membership involvement committee chairperson for Associated Builders and Contractors of Wisconsin and is an associate board member for Associated General Contractors of Wisconsin (AGC). Contact Carlson at troy.carlson@mcclone.com or visit mcclone.com.

October 2016