General Inquiries

Cyber Insurance

  • 1.  Cyber Insurance

    Posted 02-26-2020 15:48
    We are debating on purchasing Cyber Insurance.  The plans presenting to us are in the $3500 range depending on deductibles.  Any insight would be greatly appreciated.

    ------------------------------
    Kimberly (Beeler) Peterson
    Chief Financial Officer
    Beeler Construction, Inc.
    Menomonee Falls WI
    (262) 252-7000
    ------------------------------


  • 2.  RE: Cyber Insurance

    Posted 02-27-2020 06:00
    Edited by John McGarvey 02-27-2020 06:01
    Kimberly,

    Great job on taking the first step and that is simply reviewing and considering the purchase of the cyber coverage!  My name is John McGarvey, Vice President of McGriff Insurance Services - Construction Risk Practice Group.  Our firm works with contractors, big and small, across the US and have helped several of them make the leap into the world of Cyber Insurance.

    Not knowing all the details, the policies being presented  or the risk profile of your company I will keep this fairly 30,000ft for you.  Here are a few things to consider when looking at the coverage and asking your agent what those policies actually cover.

    1. Confidential Client Information - Your company probably doesn't store a lot of credit card information or third party medical records. You most likely have items such as employee personal information, intellectual property (Building Maps, Architectural Drawings) that would make you susceptible to Phishing, Ransomware and other common cyber attacks.  How will the policy respond and at what limit?

    2. Business Interruption - When a cyber attack occurs, your company could potentially face a shut down for a period of time.  Attacks such as ransomware, they hack into your system and hold it hostage for a ransom can typically cause shorter delays and typically fall below the waiting periods within the business interruption policy.  A much larger concern would be the theft or altering of intellectual data and the potential delays that an attack like this can have on your project timeline.  These types of claims can become very costly.  How does your risk management plan address this and how will the policy you choose address this?  What limit is provided for this?

    3. Mobile Devices, Laptops, and Technology -  The theft of mobile devices, laptops and technology present a couple of challenges.  The equipment themselves (insured elsewhere in the policy) and the data that is stored within that equipment.  How will the policy respond if information is stolen off of the laptop?  Or what happens when information from a virtual building design is altered or stolen for personal gain?  What limit is provided for this?

    4. Third party liability - Your company is working for a large retailer and a data breach occurs on your system.  The hacker then gets into the large retailers system because they gained access to the network credentials you were granted.  How will your policy respond when the retailer tracks the hack back to you and you are held liable for the data breach?  What limit is provided for this?

    5. Social Engineering -  Claims arising out of this are increasing at a rapid rate.  The hacker intercepts an email regarding wire transfers and alters the wire information.  The client sends the money and it disappears.  Another scenario, you receive an email from the boss to alter the payment process for a vendor, only to find out that the email was hacked and that information came from a wrong email and the money was sent to the hacker.  I can provide greater detail on this, but be sure that your policy has sufficient limits for both Social Engineering , Computer Wire Transfer and Funds Transfer Fraud.  Recent case law and policy language have seen some interesting denials or limitations in coverage because the limits were not adequate enough or the policy omitted one of the above mentioned coverage's.  What limit is provided for each of these?

    Sorry for the length of the email and I hope it was beneficial in helping you determine what you might need.  The pricing doesn't seem to far outline for "standard cyber coverage" but definitely make sure you have clarity on what the policy is offering and that you are addressing the concerns and potential risks that your company is facing.  Be happy to provide more detailed documentation on any of the above directly to you or answer any questions that this response may have created.



    ------------------------------
    John McGarvey, CRIS, CWCP
    Vice President
    McGriff Insurance Services
    Construction Risk Practice Group
    Atlanta, GA
    jmcgarvey@mcgriffinsurance.com
    (770) 654-8666
    ------------------------------



  • 3.  RE: Cyber Insurance

    Posted 02-28-2020 09:58
    Kimberly,

    We recently had a client that because of a phishing e-mail wired the payment that should have come to us to some criminal.  They had cyber insurance, but unfortunately, their policy didn't cover criminal acts.  It only covered getting their computer system back up and running and making anyone whole that was affected by a breach.  My own insurance agent has told me that Cyber Insurance is still in its infancy and therefore there is no set standard yet of what is included in a Cyber policy.  I would highly recommend making sure that criminal acts are covered by whatever policy you buy.

    Kind Regards,

    ------------------------------
    Benjamin Knochel MSA, CPA, CCIFP
    CFO
    Catalyst Construction, Inc.
    Bloomington IL
    (309) 275-4101
    ------------------------------



  • 4.  RE: Cyber Insurance

    Posted 02-27-2020 06:41
    Hi Kimberly

    My book is largely contractors and over 70% of my clients do carry the coverage.  We worry most about Wire Transfer Fraud and Social Engineering issues.  Provided the quotes you are looking at provide both those aspects I would recommend you purchase it.  Over the last 2.5 years I have had a dozen claims in this area ranging from $50k - $900k.  Cyber forms can vary widely so before deciding I would ask for a thorough comparison of the forms they are looking at, particularly around WTF and Social Engineering.  A lot of the cheaper forms do not cover either of these areas.  We tend to lean towards the Evolve and Corvus programs, but have used a few others as well.

    Hope that helps.  Feel free to give me a call if you want a second opinion on what you are looking at for coverage.

    Greg

    ------------------------------
    Gregory Deems CRIS
    Partner, Executive Vice President
    Rogers Gray Insurance
    South Dennis MA
    (508) 209-6068
    gdeems@rogersgray.com
    ------------------------------



  • 5.  RE: Cyber Insurance

    Posted 02-27-2020 08:52
    Any business that is connected to the internet should have Cyber Insurance.

    ------------------------------
    Jerry Whitaker BA Marketing
    Senior Partner
    Acrisure / Whitaker LaChance
    Portage MI
    (269) 585-7098
    ------------------------------



  • 6.  RE: Cyber Insurance

    Posted 02-27-2020 09:38
    My last employer did purchase cyber insurance. We had 2 offices and the president of the company worked out of the remote office and frequently purchased heavy equipment. He would e-mail or call me and let me know I would need to wire a payment to the vendor and the vendor would be sending me the instructions. After I retired, my replacement accepted 3 different phishing e-mails with the president's address (without the usual heads-up) and wired a total of $375,000 to fraudulent accounts. The cyber insurance covered it.

    If you have sufficient controls to prevent that from happening, I would suggest getting a higher deductible to reduce your premium (I don't recall what ours was).  My 2 cents worth.

    ------------------------------
    Christopher L. Ciccone, CPA
    Nokomis FL
    (910) 263-4161
    ------------------------------



  • 7.  RE: Cyber Insurance

    Posted 02-27-2020 10:49
    Kimberly,

    I certainly cannot speak for the program that was presented, but strongly advise buying Cyber Liability coverage.  Depending on limits and deductibles, ($1m to $3m) $3500 premium is in line with current market conditions.  I will also advise the cyber market is hardening, along with the most coverages, and today is likely the cheapest rate you will see.   Ransomware, social engineering, phishing, etc. have created extremely large claims with high frequency......the kiss of death for insurance carriers. Lastly, we have seen larger GCs and owners requiring Cyber coverage as an insurance requirement.  Within a very short time, I think this will be the industry standard.

    Hope this helps

    Todd Burns
    Willis Towers Watson
    Construction
    512.739.0473




    ------------------------------
    Todd Burns
    Willis Towers Watson
    Austin TX
    ------------------------------



  • 8.  RE: Cyber Insurance

    Posted 02-27-2020 11:41
    Kimberly - I would STRONGLY recommend that you include cyber and related policies in your coverage. As a commercial banker I see, way too often, companies impacted by cyber and related fraud. Lean on the counsel of your agent, ask them for use-case examples of their clients' experiences with losses of those types, and write the check. You will sleep easier as a result.

    ------------------------------
    Bruce Bradford
    Senior Vice President
    Bank of Albuquerque
    Albuquerque NM
    (505) 222-8448
    ------------------------------



  • 9.  RE: Cyber Insurance

    Posted 02-27-2020 12:39
    Hi Kimberly,

    First of all, I'm glad to hear that you are considering purchasing this insurance.  We've purchased it for about eight years now and it finally paid off last year when we were attacked by cyber criminals.  You should be backing up every aspect of your IT system frequently i.e. daily or even more often.  It comes down to you answering the question of how much information you can afford to reinput.  You will as some point in the near future be attacked by cyber criminals if you don't have a strong defense system designed specifically for this purpose.  You've probably been reading about it in the news.  This is a huge risk to companies and governments in the United States.  All it takes is one of your users to click on a phishing email and the criminals are in your system.  They will then encrypt your backup system, your operating systems, your program files, and data files.  None of your users will have access to any of your files unless you pay the ransom (which typically can be negotiated).  If you back up everything daily and can restore from backup, then you theoretically could wipe your servers and endpoints clean and restore from backups.  At the advice of our IT consultant, we purchased an endpoint protection solution and an email protection solution.  My recommendation is to spend the small premium and purchase the insurance ASAP!  You have no idea how disruptive a cyber attack can be to your business.

    ------------------------------
    Clarke La Vine
    CFO
    Gothic Landscape, Inc.
    Valencia CA
    (661) 678-1414
    ------------------------------



  • 10.  RE: Cyber Insurance

    Posted 02-28-2020 11:05
    Kimberly, Like Clarke from Gothic said, it is peace of mind insurance.  We had read about what happened to Gothic and purchased our insurance.  Soon after, we had an attack.  Thankfully the company owner just happened to be in the system just after it had started and he immediately told everyone to hard shut down their computers and he went and pulled the plug from the internet which stopped the lock down of our system.  Our IT person was called and showed up immediately to see what was compromised.  It was early in the morning thankfully so not much work had started and our IT person was able to reinstalled everything from the previous night and clean up our system.  Thankfully we didn't need our insurance as we have processes in place to mitigate the damage but we did lose a days worth of productivity.  We feel lucky.

    ------------------------------
    Cynthia Dean
    Controller
    Nevada General Construction
    Las Vegas NV
    (702) 254-0262
    ------------------------------



  • 11.  RE: Cyber Insurance

    Posted 02-27-2020 13:26
    As a banker of smaller, closely held companies (mainly contractors), I have seen more examples of online, wire, ACH and other forms of fraud than I care to share.  In 3 cases, the losses were all in the low to mid 6-figure range ​and the bank could do nothing to assist getting those funds back since the client's systems were hacked (to include passwords to everything, create fake ACH and payroll batches, etc.  The cost for the insurance is nominal compared to this exposure.  Just make sure you ask lots of questions about what the coverage actually covers, get really specific.

    ------------------------------
    Marc Hendrikson CPA, CCIFP, CGMA
    Senior Vice President, Contractor & Commercial Banking
    Sunflower Bank
    Broomfield CO
    (303) 831-6735
    ------------------------------



  • 12.  RE: Cyber Insurance

    Posted 02-27-2020 14:22
    We purchased Cyber Insurance and given the current aggressive attacks companies are faced with everyday.  Our premium is close to that amount and feel that it will only take one occurrence to pay for it for quite a few years.   Email me if you would like more information on who we use and our broker.


    ------------------------------
    Todd McDaniel CPA, CCIFP
    Corporate - Financial / Tax Administrator
    Streimer
    Portland OR
    (503) 288-9393
    ------------------------------



  • 13.  RE: Cyber Insurance

    Posted 02-28-2020 10:47
    Thank you everyone for your responses.  they were helpful and we are verifying coverage and purchasing the coverage.

    ------------------------------
    Kimberly (Beeler) Peterson
    Chief Financial Officer
    Beeler Construction, Inc.
    Menomonee Falls WI
    (262) 252-7000
    ------------------------------



  • 14.  RE: Cyber Insurance

    Posted 02-28-2020 12:41
    Our company just got hit with ransom ware this week. I am glad we have Cyber Insurance. We have had 3 IT professionals working on the project this week as well as other 3rd party vendors.  ​

    ------------------------------
    Stephen Hadley
    Controller
    Quigg Brothers, Inc.
    Aberdeen WA
    (360) 533-1530
    ------------------------------



  • 15.  RE: Cyber Insurance

    Posted 03-02-2020 16:17
    Identification of risk is the most important step in the process. Example; in your risk register you've identified the risk of a phishing attempt, numbered the risk, labeled the risk, the potential impacts, and the risk priority as high. You've assigned the risk to an individual for responsibility, and determined your mitigation strategy and deadline. For every risk you identify you should have at least one risk control measure in place in addition to your choice of risk financing including but not limited to; transfer, avoidance, reduction, prevention, segregation and duplication.

    ------------------------------
    Jon Erickson CRM, CIC, CWCA, MLIS, CIRS
    Producer
    Insure Forward
    Fargo ND
    (701) 893-2750
    ------------------------------