BUSINESS
cyber risk management plans can be rendered ineffective. Businesses should also implement strong internal controls, including resetting of passwords every 90 days.
• Regularly review and update firewalls and security patches: Despite the added expense, investing in a robust set of firewalls that require user authentication can be beneficial. Businesses should also institute secure file sharing, advanced email and web filtering and separate WiFi networks for subcontractors, architects and engineers.
• Closely monitor third-party risk: Assess the cybersecurity processes of any third parties that access or retain critical data. And seek to build favorable hold harmless agreements into contracts with third-party vendors. Also establish procedures to evaluate any third-party service providers (if applicable) and, as discussed, review their agreements, limiting as much liability to your company as possible, and assess their cybersecurity processes.
• Develop detailed data breach response plans: Advance planning can enable an organization to act swiftly, decisively and effectively to minimize damage from a breach and any resulting claims or regulatory actions.
Insurance considerations
Although all businesses should plan for and take steps to prevent potential cyberattacks and technology disruptions, the reality for many businesses is that it’s not a question of “if” a cyber loss will occur but rather “when” one will. To prepare for that eventuality, insurance should be a part of any construction company’s risk management program.
The continual evolution of privacy and computer security risks has left traditional forms of insurance largely unable to adequately cover cyber exposures. For example:
• General liability (GL) policies typically require bodily injury and/or physical damage to property to trigger coverage. Insurers have frequently argued that GL policies do not provide coverage for electronic data loss because data does not constitute tangible property.
• Property policies typically limit coverage to tangible property as a result of a covered physical peril, and several insurers have specifically excluded damage or theft of data. Business interruption coverage also does not usually include losses stemming from the unavailability of critical applications, data and networks, unless the root cause is a physical damage event.
• Commercial crime policies often limit coverage to theft of assets, fraudulent electronic fund transfers and the cost of recollecting, replicating or restoring lost or corrupted data.
• Similarly, professional liability policies often limit coverage to liability arising from an act, error or omission in the course of an insured’s professional duties and are principally designed to provide coverage for third-party claims; a contractor’s own first-party cyber exposures would not be adequately addressed under such policies. Some architects and engineers (A&E) policies expand the scope of coverage for professional services to include any activities that involve the use of technology. This typically provides coverage for third-party claims, but most cyber risks – including first-party claims – are not included.
Given the limitations of these and other forms of coverage, contractors should consider purchasing standalone cyber insurance coverage. While cyber insurance
94 | ISSUE 1 2020 www.piledrivers.org