Cyber Security - Phishing, smishing, ransomware & cyber attacks!
Posted on: January 13th 2023
The number of large contractors caught up in cyber security issues that have led to substantial ‘pay-offs’ and management time to resolve has brought into even clearer focus the need for effective IT systems and processes to combat the ever-increasing number and sophistication of cyber threats, as well as the need for cyber insurance.
A government cyber security breaches survey carried out earlier this year reported that only 34% of businesses feel they invest enough in their cyber defences, with many businesses having no cyber insurance cover in place or cover that could be inadequate. Cyber-attacks are a threat to all businesses, and the Government and Met Police have both highlighted some of the underhand tactics fraudsters have used to try to breach systems and processes. The most serious threats are to the financial stability and reputation of your firm, to client confidentiality, and to the protection of intellectual property and sensitive commercial or business trading information, including research and development projects.
Fraudsters are finding ever more inventive methods of infiltrating your systems, from installing malware attached to a seemingly innocent CV to using the stolen identities of directors at other construction firms or suppliers to obtain financial information, trade secrets, or even insider information relating to patents or mergers and acquisitions. For international firms, commercial espionage may even be a concern, where overseas state-sponsored efforts to obtain business and technology secrets may pose a risk. To address this significant challenge, many are turning to cyber insurance.
Many insurers won’t provide terms at all unless you can demonstrate a certain level of risk management. They are looking at the IT controls, procedures and practices in place, supported by regularly updated risk assessments. To provide insurance, underwriters need to understand the nature of the business and what risk management plans are in place that demonstrate security around IT and internal controls, such as the signatories required for payments.
Many of the mid-size and larger construction firms will have their own in-house IT function, which can often be sceptical about the need for cyber cover. Unfortunately, cyber criminals are very capable and do find their way through system defences.
When going to market for insurance, you ideally need packaged cover to protect against first-party and third-party losses. The key here is making sure that you can demonstrate to insurers that you are a risk worthy of the level of cover that you want. This is effectively achieved via a due diligence exercise focused on IT systems, with a questionnaire to establish your controls, such as MFA (multi-factor authentication), how you deal with your accounting, what you have in the way of firewalls, what systems you are using, etc.
Some organisations use outside consultants to support them with cyber security, which can help to demonstrate that the risk management in place is as robust as it can be. The more layers of protection you have in the business, the more confidence the underwriter will have when determining premiums.
We’ve found that there aren’t any specific rates that you would apply as you would for employers’ liability or public liability insurance. It is an assessment of the overall risk. However, in an age when cyber security leakages can have far-reaching financial and reputational consequences, it is surprising that only 1/3 of the industry has adequate cover. Clearly, cyber security should be covered in any business continuity plan, and insurance will have its place within that plan.