Professional service firms are facing an increased exposure to cyber liability. According to Victor O. Schinnerer & Company, many firms do not take the necessary steps to secure their systems, guard their digital assets, protect confidential client information, and maintain productivity. Each firm should have digital protection protocols that help avoid or minimize data breaches. There should also be a plan to manage any breach that might occur, to include insurance coverage in the event firm operations are compromised.
Common Sources of Cyber Liability
Cyber liability problems that have disrupted firm operations often are based on one of three scenarios:
- insiders who are dissatisfied or recognize their ability to tap firm assets and use that access for harm or personal profit;
- past employees who either take digital assets with them or to enact revenge against their former employers corrupt firm systems and information; and
- hackers who know that confidential project data is vulnerable and hold digital information hostage until a ransom is paid.
Most firms allow unsafe digital behavior or have little in the way of protection protocols. Many firms lack appropriate limits on employees’ access to confidential and sensitive information such as intellectual property, digital design data, and private information about clients, employees, and business partners. Some employees are allowed to load confidential documents onto their unsecured personal computers, smart phones, and the public cloud. A combination of employee knowledge of a firm’s system and a failure to monitor insider behavior leads to some of the most damaging data breaches.
A disgruntled former employee who decides to steal or compromise the firm’s digital assets before leaving can be a significant risk. Deleting important files, sharing proprietary or confidential client information with unauthorized third parties, remotely modifying or deleting critical design data, and tampering with the integrity of design documents can result from unauthorized access. Some former employees may use past access to company bank accounts and payroll systems and employees’ personally-identifiable information to harm the firm and its employees.
Hackers Can Wreak Havoc on a Firm
Although internal threats cause many cyber liability breaches, a malicious outsider is one of the greatest fears of professional services firms. A hacker could cause data inaccessibility through alteration or destruction. A firm would lose intellectual property and no longer be able to meet contract objectives and deadlines. Attackers who gain access to a firm’s data can encrypt it using ransom-ware and extort payment to regain access to information. Firms that do not properly preserve digital assets through robust back-up systems often have no alternative but to pay the ransom.
Construction projects today are increasingly dependent on digital technology. The adoption of BIM and the increasing use of digital technologies in designing, constructing, and operating buildings and infrastructure are transforming the way the industry works. The concept of collaborative work through the sharing and use of detailed models and large amounts of digital information requires that parties be aware of vulnerability issues and take appropriate control measures. Improper access controls could lead to an attack severely disrupting progress on a project, causing delays or remedial work that could lead to significant claims from owners, lenders, or other stakeholders. If confidential information on the structure or systems of projects is accessed by unauthorized parties, the safety of the owners and users of the buildings or infrastructure could be put at risk.
A Digital Security Strategy is Critical
Creating a strategy for improving digital security can be challenging. In addition to appropriate firm practices—such as requiring secure password-naming conventions and limiting internet access to many records—educating employees on the dangers of digital data security and the need to follow proper procedures is critical. If network integrity is compromised, sophisticated malware can create liability issues by using a firm’s network to compromise and infect other networks that may be integrated on a continuing or project basis.
Cyber losses involve more than payouts to third parties injured by the wrongful disclosure of confidential information. Firms are subject not only to providing legally required notices and meeting other regulatory obligations, but may face breach of contract, confidentiality and other legal challenges. In addition, firms must also pay for up-front investigation costs, data restoration and business interruption costs, and public relations costs. A significant data breach can lead to millions of dollars in costs and productivity losses. Firms need to protect their operations and insure their cyber risks with a policy appropriate for their industry and operations.
Schinnerer has put together a cyber risk kit for AIA members that includes information on cyber insurance coverage, obtaining a free quote, and risk management resources. The kit can be found at www.Schinnerer.com/aecyber.
Victor O. Schinnerer & Company, Inc. and CNA work with the AIA Trust to offer AIA members quality risk management coverage through the AIA Trust Professional Liability Insurance Program and Business Owners Program to address the challenges that architects face today and in the future. Detailed information about both these programs may be found on the AIA Trust website, TheAIATrust.com.