Lockton presents: The brave new world of cybercrime

Sponsored content by Lockton

Cybercrimes are not new. We’ve become accustomed to hearing about occasional high-profile incidents involving major retailers, financial institutions, and other large entities. Over the past 18 months, however, we have seen cybercrimes –ransomware attacks are the most publicly recognized – become extremely common and increasingly severe.

The targets are no longer only internet-based and digital technology-focused firms; leading construction firms are now experiencing attacks. Information and systems security has gone from being the exclusive province of the IT team to a top-priority, boardroom-level concern.

Cyber incidents are not just something that happens to large companies, either. If smaller contractors feel safe, it is likely to be a false sense of security. Many attacks are not targeting specific firms or systems; instead, cyber criminals are using hosts such as software packages, internet security contractors, or other subcontractors to metastasize their impact across hundreds or thousands of companies through one initial breach of a system. It is a matter of when – not if – your company will experience an attack. Analysis of attacks indicate that most attacks occur after the bad actors have been inside the victim company’s system for 7 months on average before making their presence known.

Cyber insurance is available to respond to these increasingly common and severe attacks, but due to the increasingly adverse loss experience in this line of business, coverage is only available to those companies that have implemented effective cyber security controls and policies. In fact, these measures now are also required on federal projects and by an increasing number of project owners who are demanding evidence that all parties to contracts, including sub-contractors and specialty trades, comply with cyber security protocols. An IT staff or IT Director truly represents an essential element of safety, security, continuity, and compliance strategy.

In short, cyber security controls are becoming a requirement not only to obtain and maintain insurance, but to win and keep clients. These controls include the following:

  • Multifactor authentication policies, protocols, and procedures.
  • Access and privilege restrictions.
  • Strong incident response and business continuity plans.
  • Processes to identify and implement required security and network patches.
  • Established controls for remote desktop protocols.
  • Education and training of leadership and employees on cyber hygiene practices.
  • Procedures for data backup management.
  • Executing tabletop exercises and data restoration tests on a recurring basis (more than annually)

Insurance is an important component of your construction company’s cyber security strategy, but it is just one part of the plan. Collaboration between your legal advisors, your IT group, your risk management team, your leadership, your insurance broker, and your insurance company – in advance of a cyber event – is necessary to minimize the likelihood of an attack on your business and clients, and to mitigate the impact of such attacks when they happen.

For additional details please contact Teresa Martin or Kevin Holland.