By Erin Kelley, JCJ Insurance Agency
With a new year full of promise and pipelines once again full, it feels like spring is in the air for design firms for the first time in many years. Changing your organizational focus from growth to damage control is probably not where you want to divert your attention. Yet in light of so much heightened awareness about cyber security we feel this topic is both timely and relevant.
Until now, you may not have considered your firm to be the next target for a malicious cyber attack, since you are not in the business of handling large amounts of sensitive medical files, credit card or financial data. But with the reality of today’s fully connected business environment, every company is now at risk. Design firms can no longer expect to be immune to threats once reserved for large corporations only seen in headlines. Small businesses that are less likely to have the infrastructure and the means to protect their data in the same way larger corporations do are increasingly susceptible.
In the wake of 2014, the time has come for all businesses to acknowledge and accept that breaches are inevitable. In doing so, business leaders must make cyber security a part of their business plan by identifying the vulnerabilities and implementing a strategy to actively safeguard their assets, employees and customers. Firms that invest time and resources in advance will be better prepared not if, but when a crisis occurs. In order to assist in navigating these murky waters, this article specifically addresses the growing cyber threats design firms face and practical/efficient ways to mitigate these risks.
Nearly all companies have Personally Identifiable Information (PII), typically in the form of confidential employee information, stored on their internal networks. But on a day-to-day basis, design firms rely on the availability of critical project data as well as the protection of proprietary intellectual property. With the introduction of digitized technical drawings, CAD, BIM and IPD methods, many design firms are making the move toward virtual collaborative design projects. A data breach can cause project delays and damage your firm’s reputation as well as valuable client relationships. This can have a significant impact on your firm in lost revenues, productivity and can expose your firm to significant legal damages.
Most of the incidents we see among the design industry appear to be the result of malicious attacks from outside threats targeting certain weaknesses in a system. In these instances, critical or confidential data has been lost and deadlines have been compromised.
Such was the case for one of our own insureds, a design firm in Florida. Their system was recently invaded with a Trojan horse virus called cryptowall. These attacks are becoming increasingly harder to detect as was the case with this one, which went unnoticed over the course of several days. The attack encrypted their files using ransom-ware which asks the victims for a ransom in order to decrypt the files. In the end, the attack resulted in the loss of thousands of working documents and considerable down time. The firm is currently faced with the daunting task of restoring or recreating those files with an estimate of $50,000 in man-hours.
In addition, your firm could be exposed to internal threats. If an employee accidentally loses their mobile device, the wrong hands could potentially access confidential or proprietary information. A sole-proprietor subcontractor who is working on one of your projects most likely does not employ a dedicated information security officer and could expose your organization unknowingly. Lack of education and negligence by employees and other subcontractors can compromise your system, and vice versa. In addition to the expense of replacing lost data, your firm could be faced with other costs such as: business interruption, extortion, legal fees and defense costs, and credit monitoring services for breaches involving Personal Identifiable Information.
In order to minimize these types of exposures, we strongly advise firms to consult with an IT professional to conduct a risk assessment and ensure adequate backups. It is crucial that your back-up processes work in order to both effectively recover data after an attack and comply with requirements for maintaining proper records documentation. In addition, everyone in your organization should be trained and expected to comply with information-sharing protocols. And, just as important, experts suggest your strategy must be continually monitored in tune with the rapidly-changing nature of technology.
Perhaps you have already taken measures to put many of these protection mechanisms in place. However, many studies warn it is impossible to expect data to be 100% secure and organizations that employ all the right strategies can still fall victim to cyber crimes. Knowing that incidents can occur regardless of precautions, it is also wise to have a response plan in place so your firm can be prepared to address situations in a professional manner. Once a breach happens, response time is critical and swift, clear-headed decision making is necessary. This is where a Cyber Liability insurance policy can help – in the aftermath of a breach or attack.
You may be wondering if your current insurance policies already offer this type of coverage. It is important to point out that Commercial Property, General Liability and Professional Liability insurance policies typically do not provide sufficient coverages for cyber-related exposures. And, in the wake of more claims by their policyholders and heightened situational awareness, we are seeing insurance companies reevaluate their policy forms. Insureds filing claims under commercial crime policies have also experienced pushback from many insurance companies, particularly if they involve third party losses.
Professional Liability insurance policies are designed to cover negligent acts related to your professional services. They are not designed to cover losses due to cyber-related crimes, unless your insurance policy includes a cyber liability endorsement. We are seeing a growing trend with Professional Liability insurance companies now offering cost-effective, stand-alone Cyber Liability policies tailored to the needs of design professionals A true Cyber Protection Policy provides policyholders with the assurance that cyber risks are adequately covered, eliminating uncertainties. It will also protect your business from exorbitant expenses and man-hours required to restore or recreate files. This can be seen as a positive since a separate policy will not put Professional Liability limits at risk or affect your loss experience if you file a cyber related claim. There are many types of Cyber policies offering different features, but the added benefits of hands-on assistance and crisis management could be worth their weight in gold if disaster ever strikes.
We realize cyber security is never going to be on top of everyone’s priority list. Regardless, the path of complacence should no longer be an option for your business. As Ben Franklin said it best, “An ounce of prevention is worth a pound of cure.” Design firms need make sure that they are fully prepared to deal with these ever-emerging security challenges—before it’s too late.
The access, protection and integrity of your data are fundamental to the successful operations of your business. An effective cyber risk management strategy and adequate insurance coverage is imperative to protecting your organization from catastrophic claims.
Erin Kelley is a specialty insurance advisor at JCJ Insurance Agency. Her specialties include professional liability and other commercial insurance for architects, engineers, environmental consultants, attorneys and the commercial real estate industry. In addition, Erin provides risk consulting services including risk management best practices, seminars, contract reviews and subconsultant risk management. Erin is active with several industry associations including AIA, a/e ProNet, ASHE, CREW Orlando, and FES. Erin graduated from the University of Florida in 1992. She holds a Florida General Lines insurance license and a Florida Real Estate License.