If your business was involved in a cyber breach, would your insurance cover you?

The construction industry is going through a rapid period of digitisation, with technology being increasingly embraced from project modelling to daily operations. Today, cyber-attacks have moved beyond data breaches to disruptive and even destructive attacks that can paralyse entire business operations.

As malicious cyber activity becomes more prevalent in the industry, this in turn creates complex computer and information security risks.

What are the risks?

There are a broad range of cyber and privacy risks that can trigger significant economic loss and reputational damage. If any of the following happened to your organisation, would you be confident that you had the appropriate insurance in place?

• Cyber-attacks and other non-damage events that result in outages and disruption to critical software applications, data and networks.
• The corruption of, or inability to, access critical data following a targeted hack or computer virus.
• The theft, loss or unauthorised disclosure of personal information, payment card information, or third party confidential information.
• Significant fines and penalties as a result of a changing global regulatory environment with the Mandatory Data Breach Notification Legislation in Australia and GDPR in Europe. 

Key considerations

It is critical for construction businesses to assess their potential exposures; not only the levels of cyber security protection but also the resources available to respond in the event of a breach. In most companies, cyber risks are now being considered at boardroom level and companies are being asked by internal and external stakeholders to assess where they are now and where they aim to be in the future. 

Traditional forms of company insurance

The rapid evolution of privacy and network security risks has left many traditional forms of company insurance unable to respond adequately to these exposures.

Contract Works

Construction companies typically purchase Contract Works insurance which affords coverage for material damage to the contract works during the construction phase. The breadth of coverage afforded under the Contract Works policy will vary depending on the insurer; however, it is certain that some wordings will exclude cyber coverage.  It is important to note that a limitation under your Contract Works policy will also affect the indemnity under any delay in start-up or advance consequential loss policy. 

Third Party Liability

In conjunction with the Contract Works policy, Third Party Liability policies are also purchased to provide coverage for bodily injury and damage. Some policies will extend coverage to specific financial loss events such as denial of service or loss of trade, however, it is unlikely that the policy will extend to cover cyber risks.

All businesses should carefully review their policy exclusions and, if accepting a form of cyber or electronic data exclusion, must consider how this could affect your business in the event of a loss. 

Do you need standalone cyber insurance coverage?

Given the limitations of the insurances discussed above, construction firms should consider purchasing standalone cyber insurance coverage.  Today, cyber policies can be designed to cover:

• Damage to computers or servers caused by malware rather than a physical event.
• The costs of restoring damaged data, either from back-ups or manually.
• Additional expenditure incurred in addressing and remedying a significant outage, such as the costs of paying overtime, hiring additional contract staff or engaging a third party service provider for remote hosting of data at short notice.
• Forensic investigations into the nature and cause of a data breach, system failure or other cyber-attacks.
• Liability and defence costs associated with failure to prevent unauthorised access or disclosure of personal and confidential information.
• Legal expenses associated with the release of confidential information and intellectual property, notification expenses, legal settlements, and regulatory fines.

For construction clients who purchase a combination of our comprehensive Contract Works and Marsh Cyber policies, the main identified residual exposure appears to be project delay in start-up or advance consequential loss caused by a non-damage cyber event where inaccessibility to systems, or interruption by investigations, causes a delay to the completion date of a project. In the event that a cyber event results in a project delay, this can also result in potential reputational damage for the organisation. 

Cyber risk can be effectively managed through a program of continuous improvement and vigilance that combines technology with risk transfer. Cyber risks are not technical problems that firewalls and patches (though important) can solve alone. 

Speak to Marsh's Cyber team today.

Marsh Pty Ltd (ABN 86 004 651 512, AFSL 238983) arrange insurance and are not an insurer. Any statements concerning legal matters are based solely on our experience as insurance brokers and risk consultants and are not to be relied upon as legal advice, for which you should consult your own professional advisors. This document is not intended to be taken as advice regarding any individual situation and should not be relied upon as such. The information contained herein is based on sources we believe reliable, but we make no representation or warranty as to its accuracy.  Marsh shall have no obligation to update this publication and shall have no liability to you or any other party arising out of this publication or any matter contained herein. Marsh makes no representation or warranty concerning the application of policy wordings or the financial condition or solvency of insurers or re-insurers. Marsh makes no assurances regarding the availability, cost, or terms of insurance coverage. LCPA no. 19/032