Podcast

Specialty Podcast: Russian Invasion of Ukraine & Contractor Cyber Security Risks

By Alliant Specialty

David Finz, Steve Pierce and Matt Walsh, Alliant, discuss the increasing threat of ransomware and cyber attacks on the construction industry. Businesses in the private sector have been warned to harden their cyber defenses, including construction, an industry not typically thought of as a potential target for a cyber attack.


Intro (00:00):

You're listening to the Alliant Specialty podcast, dedicated to insurance and risk management solutions and trends shaping the market today.

 

David Finz (00:08):

Hey everyone, and welcome to another edition of the Alliant Specialty podcast. I'm David Finz with our cyber practice and with me today, once again, we have Matt Walsh and Steve Pierce from our construction services group. Matt, Steve, welcome to the program.

 

Steve Pierce (00:23):

Thanks, David.

 

Matt Walsh (00:25):

Thank you, David. Good to be here.

 

David Finz (00:27):

So, gentlemen, it seems like cyber risk is top of mind for the construction industry today. I mean, I think that was already the case before the conflict in Ukraine, and now there's a bit of a heightened sense of awareness, I gather, around this issue. So, Matt, what are you hearing from clients when you talk to them about some of the events that have been in the news?

 

Matt Walsh (00:46):

Well, we certainly saw that President Biden came out and announced that firms should be at a high level of security, given the increasing challenges coming out of Russia. Prior to that, I think most of our contractor clients knew that the majority of the challenges would come out of that part of the country when it came to cyber-attacks. So, not a surprise coming out of these unfortunate events, but certainly one that has caused quite a bit of conversation, both from concerns of attacks on their own systems, but also on their counterparties, their suppliers, and their partners that they interface with.

 

David Finz (01:21):

Well, that's interesting. Because, you know, when it comes to cyber insurance, I have to say the construction industry hasn't exactly been what I would've called early adapters of this coverage. Mainly, because they didn't see themselves as having large quantities of consumer data, like a retailer or a bank might have, but it does seem that there's more of an appreciation around the breadth of the coverage that is offered and how cyber insurance can come into play. So, Steve, turning to you, what do you see as some of the challenges that construction firms are facing when it comes to managing cyber risk?

 

Steve Pierce (01:57):

I think the first heightened awareness was the COVID and the force majeure issues that came out of that. Then, the largest concern is supply chain, and, I think, the war kind of exacerbates that, but with supply chain and construction, you have high volume, low margin business. So there's a lot of pressure on budget and on-time performance, so, anything that could lead to a delay could put considerable strain on cash flows and also drive financial penalties. We also see some big challenges in end to end. There's a plethora of smartphones, PDAs, smart tablets, and then with wearables and all this smart technology that's going on, on the internet of things, right. That opens up all different points of access, which I think people are concerned with. Finally, I think it's really project management and a BIM system. This is just, you know, where people are evaluating, whether they have their own internal data or whether they work with SaaS companies, and then there needs to be an evaluation of the controls that are in place with those SaaS companies, and how you manage that by contract.

 

David Finz (02:57):

Yeah. You know, when you talk about supply chain issues and third-party service providers, that's where the insurance can really help to ease some of the burden for a company when they do have an incident. Because, in addition to business interruption coverage around the insured's own network going down, there is coverage available for what's called dependent or contingent business interruption, and I'm not sure a lot of companies are aware of this: that, if there is a supplier, a cloud service provider, a SaaS provider that they depend upon to do business such that an outage at their network can have a material impact on their income or additional expenses for them as a result, that there is an insurance solution for that. I'm not sure a lot of companies are necessarily aware of that. What I thought was interesting was that a data encryption firm by the name of NordLocker came out with a report this past December. They analyzed the frequency of ransomware attacks at 1200 companies across 35 industries, and construction actually came out at the top of the list, of all industry sectors, in terms of the frequency of those attacks. So, Matt, turning back to you, what are some of the things that we are advising construction firms to do to safeguard themselves again, from these sorts of attacks?

 

Matt Walsh (04:22):

Well, it's interesting, the volume of payments that flow back and forth between contractors and all their counterparties, that really attracted the attackers, and so the ransomware outcomes, all the different challenges that they're witnessing, the probes that happened, some firms that are of great scales, see millions of hits a day. They've all taken a step back and said, in addition to the very sophisticated security measures they have, the fundamental frontline defense is adopting an aggressive security mindset across their entire enterprise. All of their personnel realize that they're on the front end and the frontline of first defense comes to preventing attacks, phishing, spear phishing, all the different tools that are used that are the more unsophisticated methods that are then followed by sophisticated methods. Then also looking at their counterparties and perhaps considering the requirement of cyber insurance as being at least a measure of the security system that a counterparty might have, because as we know, well, you cannot get cyber insurance unless you have a fairly decent security system in place. It's interesting too, how far some firms are taking it. There's one consulting firm that actually provides a service where they will go out into the dark web and explore credentials that may be out there, that your counterparties, that their counterparties have lost due to attacks, to expose the vulnerabilities that these firms might have, not from a system perspective per se, but from the evidence and presence of their information out in the dark web. So, it's a broad range of sophistication, but really starting at the front end with that security mindset being the first line of protection.

 

David Finz (06:07):

Yeah, I think that's very true. We have found that the cyber insurance underwriting process itself can serve as a gut check, right? Because as you said, companies are expected to have the requisite controls in place. The underwriters aren't going to want to cover them as a risk, if they don't, for example, update and patch their software on a regular basis, if they don't have a proper plan for disposing of digital assets safely, if they're not backing up their data offsite. So these are the things that the underwriters are looking for. So, the ability to present cyber insurance to counterparties, and having those types of controls in place, Steve, and I open this up for you as well, Matt, any other points that we should leave our listeners with?

 

Steve Pierce (06:53):

I would just say that one area that we're getting heavily involved in is working with our prime generals and starting to have town hall meetings and trying to educate downstream, if you will, into some of the specialty trades and sub-tier subs. That's one area we're also starting to educate our folks, on our clients, on taking a hard look at contracts, making sure that they're aware of all the data protocols they're going to have to follow and cybersecurity that they're going to have to meet, particularly when they're dealing with waste, waterworks, power utility, public works. Then really trying to maybe shore up a little bit of detail on the insurance requirements of a contract. Just making sure that this is starting to become a more elevated concern and that the entire supply chain needs to meet some level of protocol and have limits to protect against the overall project.

 

David Finz (07:42):

Yeah, I think reviewing those contracts is definitely part of what a risk advisor should be doing. Again, we're not a law firm, we're not in the position of giving legal advice, but we can certainly review a contract with an eye toward how it interplays with their insurance and what types of controls they're expected to have in place and what to look for from their counterparties as well. Well, I guess that about wraps it up for this edition here at Alliant. We are always working to help our clients find the more rewarding way to manage risk. To learn more about how Alliant can help your business, please visit our website at www.Alliant.com. Until next time, thanks for joining us.
