Viewpoint: Contractors Explore Evolving Cyber Security Coverage Needs

Responses to a Worrisome New Threat Are Cautious and Varied

Threats by hackers still are being sorted out by designers and contractors.

It’s one thing to hear about the hack of a mass-market retailer such as Target, a major event of 2014 that involved network access provided to a contractor. Even this year’s breach of the Democratic National Committee seemed far removed from ordinary business as it involved Russia and U.S. politics.

But Yahoo? You would think an internet company had figured out its exposures. And NSA? Isn’t it supposed to do the hacking?

As U.S. businesses weigh their cyber vulnerability, ENR recently surveyed several hundred design and contracting companies about how they are financing the risks. The answers range from definitive, “We’ve got it comfortably under control,” to “Just studying now.”

A good reason to start is that clients are asking for the coverage in contracts.

“It is becoming a normal request besides additional coverage,” says Anthony Kammas, president of Skyline Risk Management Inc., a New York City based broker that specializes in construction and real estate.

For companies that haven’t bought insurance coverage for cyber breaches, there is a tendency for policy holders to ask whether their property and casualty policies will cover them. But, according to one insurance executive, the carriers didn’t price cyber risks into their property policies and many were still in the the process of gauging the exposure and figuring out how to price and underwrite it.

The designers and contractors, meanwhile, are insuring themselves differently depending on the risks they perceive and the requirements imposed in contracts. One big Texas general contractor says it buys blanket coverage for computer viruses and hacking and media and data loss. One medium-size general contractor in Indiana says it buys data breach cost recovery coverage.

The insurance coverage often goes hand-in-hand with upgrades in platform security and advice from brokers and carriers.

For example, one medium-size Connecticut construction manager says it buys business continuity coverage and has made “significant improvements in firewall, malware filtering and hardening of devices. Employees are also receiving cyber security awareness training.”

Other companies cite one particular type of coverage only, such as loss and replacement of documents, privacy liability coverage, network/business interruption or ransomware.

With scant data available so far, insurers are relying on an applicant’s risk-management procedures and risk culture to evaluate the risk and pricing. Before writing coverage, an insurer will probably review a construction company’s network, website, physical assets and intellectual property, says a report on the subject by the National Association of Insurance Commissioners and the Center for Insurance Policy and Research.

There seems to be no standard package of coverages that has yet taken shape but at least there are plenty of options.

Insurers such as Chubb and Travelers make many different types of coverage available. Chubb’s third-party cyber liability coverage includes unauthorized access or dissemination of private information, reputational injury, security system failures that harm third-party systems and security breaches that prevent access by customers to platforms and information. First-party coverage may include expenses related to notifying of data breaches, vandalism to a company’s systems and threats and the “the cost of a professional negotiator and ransom payment.”

Defense costs, settlements or judgments may be covered.

Although neither type of policy has been designed for cyber exposures, “The usual suspects for insurance coverage where cyber insurance has not been purchased include commercial general liability insurance and commercial property insurance,” attorney Patrick O’Connor wrote in a paper presented at Victor O. Schinnerer’s annual meeting for invited attorneys.

According to O’Connor, insurers in 2001 had very specifically separated coverage of electronic data under a commercial general liability policy and defined it very broadly. The definition included data created, used or transmitted by computers. The Insurance Services Office also created a new exclusion in 2004 specifically eliminating electronic data and “damages arising out of the loss of, loss of use, damage to, corruption of, inability to access or inability to manipulate electronic data.”

Deputy Editor Richard Korman helps run ENR's business and legal news and investigations, selects ENR's commentary and oversees editorial content on ENR.com. In 2023 the American Society of Business Publication Editors awarded Richard the Stephen Barr Award, the highest honor for a single feature story or investigation, for his story on the aftermath of a terrible auto crash in Kentucky in 2019, and in 2015 the American Business Media awarded him the Timothy White Award for investigations of surety fraud and workplace bullying. A member of Investigative Reporters and Editors, Richard has been a fellow on drone safety with the McGraw Center for Business Journalism at the Craig Newmark Graduate School of Journalism at CUNY. Richard's freelance writing has appeared in the Seattle Times, the New York Times, Business Week and the websites of The Atlantic and Salon.com. He admires construction projects that finish on time and budget, compensate all team members fairly and record zero fatalities or serious injuries.

Post a comment to this article

Enhancing Collaboration and Surpassing Traditional Design-Build Methods with Progressive Design-Build

Earn: 1 PDH; 1 AIA LU/Elective; 0.1 IACET CEU

Progressive Design-Build is reshaping large infrastructure projects by addressing key issues with the traditional Design-Build approach. We'll explore how PDB fosters collaboration between owners, design-builders, and design teams to develop a well-defined scope and budget, plus minimizes cost overruns and reduces liability claims.