The Imperative of Cyber Liability Insurance for Engineering and Design Professional Firms

October 2, 2023


In an increasingly digital world, the threat of cyberattacks looms large over businesses of all kinds. According to the 2022 ACEC (American Council of Engineering Companies) PLI Survey of Member Firms, a staggering 48% of engineering firms have not yet invested in stand-alone cyber liability insurance policies. This is a concerning statistic, especially when insurance brokers warn that ignoring cyber risk is akin to courting disaster. In this article, we delve into why cyber liability insurance is no longer optional but a necessity for engineering and other design professional firms.

The Growing Need for Cyber Coverage

Cybercrime has seen a significant uptick in recent years, affecting businesses both large and small. The need for firms to have cyber coverage has grown exponentially due to this increase in cybercrime activity. It’s not a question of if a company will face a cyberattack, but when.

Understanding the Coverage

When it comes to cyber liability insurance, one size does not fit all. Various carriers offer different policy forms, and it’s crucial to understand the coverage you are purchasing. Experienced carriers often provide a wider range of coverage and higher-limit options. Therefore, it is advisable for engineering firms to consult with insurance brokers who have a deep understanding of the cyber risks specific to their industry.

A Three-Pronged Approach to Cybersecurity

A well-rounded cybersecurity strategy consists of:

  1. Prevention: This includes firewalls, software patches, strong passwords, and data encryption.
  2. Identification and Response: Strong Incident Response and Business Continuity procedures are more important than ever. Digital forensics experts are crucial for assessing the extent of a cyber intrusion once it has occurred.
  3. Insurance: Cyber insurance has evolved from being an optional add-on to a stand-alone policy with potentially high premiums.

The Changing Landscape of Cyber Insurance

Increased premiums are not the only change; insurance companies are also capping exposure-related coverage for specific types of attacks. For instance, a $2 million coverage limit may only offer $100,000 of protection against phishing and other socially engineered attacks.

Underwriting Scrutiny and Requirements

Insurance carriers are becoming more stringent in their underwriting processes. Firms must meet certain cybersecurity standards to even qualify for insurance. Stand-alone policies are often more comprehensive and may require firms to implement:

  • Multi-factor Authentication (MFA)
  • Data Storage Encryption
  • Strong Wire Transfer Protocols
  • Security Awareness Programs
  • Cyber Risk Assessments
  • Business Continuity and Disaster Recovery Plans
  • Third-party Risk Management Programs

The Benefits of a Dedicated Cyber Policy

When you invest in a dedicated cyber policy, you’re not just buying insurance; you’re also gaining access to a network of experts who can guide you through the complexities of cyber risk management. This includes breach coaches and specialized legal counsel, particularly important when client data is exposed or when working on projects that touch public infrastructure.

How Can Architects and Engineers Better Prepare Against Cyber Risks, Aside from Insurance?

  1. Regular Training and Awareness Programs: Employees should be trained to recognize phishing emails, use strong passwords, and follow best practices in cybersecurity. Programs like KnowBe4 can be used for this purpose.
  2. Multi-Factor Authentication (MFA): Implementing MFA, especially on remote access and email systems, adds an extra layer of security.
  3. Data Encryption: All sensitive data should be encrypted, both at rest and in transit, to protect it from unauthorized access.
  4. Regular Software Updates: Keeping all software and systems up to date ensures that you have the latest security patches.
  5. Firewalls and Intrusion Detection Systems: These can monitor and control incoming and outgoing network traffic based on predetermined security rules.
  6. Regular Audits and Assessments: Regular cyber risk assessments, vulnerability assessments, and penetration tests can identify weaknesses before they can be exploited.
  7. Incident Response Plan: Having a well-documented and rehearsed incident response plan can help minimize damage in case of a cyberattack.

Key Factors Influencing the Cost of Cyber Liability Insurance

  1. Nature of Business: Firms that handle more sensitive data or are more reliant on digital tools may face higher premiums.
  2. Size of the Firm: Larger firms may require more comprehensive coverage, increasing the cost.
  3. Geographical Location: Regulations and risk levels can vary by location, affecting the cost.
  4. Security Measures in Place: Firms with robust cybersecurity measures may be eligible for discounts.
  5. Claim History: Firms with a history of cyber incidents may face higher premiums.
  6. Coverage Requirements: The extent of coverage—first-party, third-party, or both—will also influence the cost.

Why Building Design Professionals Are More Susceptible to Specific Cyberattacks

  1. Data Sensitivity: Architects and engineers often work with sensitive data like building plans, which, if leaked, could have significant consequences.
  2. Collaboration Risks: These professionals frequently collaborate with external contractors and vendors, increasing the number of entry points for potential cyberattacks.
  3. High-Stakes Projects: Involvement in critical infrastructure projects makes them attractive targets for ransomware attacks aimed at disrupting essential services.
  4. Intellectual Property: The unique designs and plans are valuable intellectual property that could be targeted in data breaches.
  5. Client Confidentiality: They often have access to confidential client information, making them targets for attacks aimed at data exfiltration.


The risks associated with cyber threats are too significant to ignore. For engineering and design professional firms, the stakes are even higher given their involvement in critical infrastructure and confidential projects. Cyber liability insurance is not just a safety net; it’s a critical component of a comprehensive risk management strategy. By understanding the coverage options and meeting the stringent requirements set by insurance carriers, firms can better protect themselves against the financial and legal ramifications of cyber incidents.

Smith + Howard can help meet the underwriting scrutiny for cyber liability insurance. We provide a range of services to help engineering and design professional firms not only meet but exceed these requirements. Doing so makes it easier for your business to secure the insurance coverage you need while significantly enhancing your overall cybersecurity posture.
