- About PS&F
- Industry Focus
- Client Tools
- Education & Events
- Case Studies
April 13, 2016
Despite our heightened awareness and best in class cyber controls, most companies will at one time or another experience a cyber security event. Whether it’s a malicious hacker, extortionist, or just a disgruntled employee, our networks seem to be under constant surveillance and attack.
So what do we do? Many companies are turning to the cloud to host their operating systems and critical infrastructure. For many contractors, this is an excellent choice. Experienced cloud providers are experts in system security. They invest far more time and resources into their networks than most construction firms can afford. Their facilities are secure, they have state of the art resources, and they can effectively scale with your needs. However, it’s important to remember that liability for most data breach events flows back to the owner of the data, regardless of where it is stored. Contractors should carefully review any cloud provider contracts to understand their risk. Larger providers generally have little flexibility in their contracts and most providers assume little to no liability for any consequential damages should their systems fail. Further, many of the contracts fail to address how and when the provider will cooperate with you in the event their systems are breached. Therefore, just because you are shifting computing operations does not mean you are shifting all your cyber risk.
Whether you host or outsource your network, cyber insurance has become a logical purchase for most contractors. The forms are quite broad and the premiums are reasonable, especially for the construction marketplace. In addition to covering the company for liability suits, a well-structured policy will pay for first party expenses, such as hiring an I.T. forensic firm to investigate the breach to identify how the intrusion occurred and what data may have been compromised. It can cover the costs of hiring legal counsel to guide you through the myriad of privacy laws, both local and federal. The policy can also pay the cost of notification and credit monitoring for affected individuals. Contractors are now often purchasing additional coverage for data restoration and business interruption loss that results from a cyber event, as cyber hacking is generally excluded on your property policies. Finally, paying cyber extortion demands can also be covered. Cyber extortion is on the rise and, in the event of an extortion demand, most of the above coverages could be triggered.
Cyber policies provide more than just indemnification. As adoption rates for cyber insurance increase, insurance companies are gaining extensive experience responding to these events. Many insurers provide “data breach coaches” to help you manage the process. The “coach” is often an attorney who understands the unique legal and regulatory issues that accompany a breach. The coach will help you navigate the process and comply with statutory requirements. Additionally, the carriers have pre-negotiated rates with IT forensic firms, law firms, and notification providers. Insureds will often have access to these pre-negotiated rates, even if they have a small loss that does not pierce the policy retention. Finally, most insurers provide discounted or free loss control services that may include employee training, penetration testing, security audits, and vendor management advice.
If you have spent the time and money to develop a data breach response plan (DBRP), make sure that your insurance policy is synced with your plan. Most insurance policies require timely notification of a breach, so this should be included in the plan. A good DBRP has identified third party providers that will assist you with the breach. As discussed above, most insurers have appointed their own panel lists of service providers. Make sure that the insurance company is willing to work with the providers you have chosen. If the carrier has a rigid list that does not include your vendors, you may want to consider other insurance companies. Conversely, if you are just developing a plan now, you may wish to interview some of the providers that your insurer insurance company is currently using. Finally, organize a call with your data breach team and the insurance companies claim department prior to an incident. The insurance companies welcome these calls. Take this time to discuss use of vendors and best practices. The claim teams can also share with you proactive loss control services they may be able to provide.
When a breach occurs, time is often of the essence. In addition to financial loss, your brand is likely at risk. A thoughtful and timely response is critical. Insurance and a well thought out data breach response plan will help you prepare for what many believe is an inevitable event.
The views and opinions expressed within are those of the author(s) and do not necessarily reflect the official policy or position of Parker, Smith & Feek. While every effort has been taken in compiling this information to ensure that its contents are totally accurate, neither the publisher nor the author can accept liability for any inaccuracies or changed circumstances of any information herein or for the consequences of any reliance placed upon it.