When people hear about cyberattacks, they often think about data breaches, where confidential, sensitive, or protected information is released to an unauthorized person. That is only one type of cyber loss and one portion of the cyber coverage available on today’s market. As cyberattacks evolve, so has cyber insurance coverage.

Two of the most common cyber risks for the construction industry are: (1) social engineering fraud (i.e., “phishing” or “CEO fraud”); and (2) contingent business interruption (losses caused by interrupted services from a third party). Today’s cyber insurance policies may cover both.

Insurance Coverage for Social Engineering Fraud

Most of us have been on the receiving end of an obvious phishing email, where the sender attempts to convince us to take some action by impersonating a trustworthy party. Other scams target specific individuals within a company, or imitate the CEO in the company.

Sometimes, however, these attacks can be quite sophisticated. For example, the cyber attacker could pose as a trusted vendor, client, or employee (complete with a similar “spoofed” email address), and request payment of an outstanding invoice via wire transfer. Companies of all sizes and in a myriad of industries are targets. The FBI reports in excess of $1.7 billion in such losses in 2020 alone.

This type of loss is unlikely to be covered under commercial property policies. However, coverage is available for such losses under many cyber policies. It may be called “funds transfer fraud” coverage or “social engineering fraud” coverage. Such policies cover loss due to unauthorized electronic funds transfer, or theft of money or financial assets from your bank by electronic means. Generally, the transfer must have been made in good faith reliance upon a verbal, written, or electronic instruction that purported to be legitimate, but was, in fact, fraudulent.

Beware the lower limits of this type of coverage. Even if you have $1,000,000 in coverage, this type of coverage is generally subject to a lower “sublimit.”
Beware the authentication condition to coverage. Some policies require that the insured attempt to independently confirm the accuracy of the instruction which was purportedly from a client, vendor, or employee of the insured entity to transfer funds. In addition to being a condition to coverage, this so-called two-factor authentication technique is part of a robust internal prevention technique.

For all types of cyber losses, make sure all relevant entities are insured under the policy. Generally, subsidiaries are included within the definition of an insured. However, other members of a joint venture are probably not.

Insurance Coverage for Contingent Business Interruption

Another type of cyber loss can occur when your computer system is interrupted due to a cyber event experienced by a third-party service provider, such as an internet or cloud network provider. This type of event is sometimes called a “dependent network event.” Such interruptions can result in lost business income, as well as expenses to continue or maintain normal operations. Again, such losses are unlikely to be covered under commercial property policies. More frequently, such coverage is available in some cyber policies.

Beware the waiting period requirement. This type of coverage is subject to a minimum waiting period, meaning it is not available unless the interruption lasts in excess of a specified, minimum period of time.

Some cyber policies may limit the type of service provider whose service interruption would qualify. Policies may further require the existence of a written contract with the service provider.

Not All Policies Are Created Equal

Unlike commercial general liability policies, cyber insurance policies vary greatly, and not all are created equal. Thus, coverage will depend on the specific policy language. Just as it can be wise for construction contractors, subcontractors and suppliers to secure their operations with a cyber insurance policy, it can also be wise to consult with an insurance attorney before purchasing the policy and before reporting a claim.