Many engineering firms aren’t fully aware of the major threat that cybercriminals pose to their business. But hackers’ ability and proclivity to cause expensive, destructive havoc is clear.
In 2022 alone, a teen-led, extortion-focused cyber gang called Lapsus$ breached the defenses of Microsoft, Samsung, and Nvidia; health systems across the U.S. reported data breaches; and cybercriminals hijacked TV screens in 7-Eleven convenience stores across Taiwan to display messages protesting the visit of American congressional leader Nancy Pelosi.
Yet many engineering firms, along with other small- and medium-sized businesses (SMBs), have been slow to shore up their cyber defenses. For example, nearly half (48 percent) of engineering firms haven’t purchased stand-alone insurance policies to protect against a cyberattack, according to the 2022 ACEC PLI Survey of Member Firms. That finding aligns with other recent research: Only half of SMBs have a cybersecurity plan in place, according to a survey from the service provider resource UpCity.
Insurance brokers who work with engineering firms say that to ignore cyber risk is to court disaster.
“Cyber coverage is not an optional coverage any longer. It’s only a matter of time before a company will face some sort of an attack,” says Mike Cosgrove, president of Professional Concepts Insurance Agency in Brighton, Michigan.
And there’s more bad news for any engineering executives who are hoping that their businesses will fly under the radar of hackers: “Architects and engineers have really come to find that they are favorite targets,” says Dan Buelow, managing director of WTW A&E, the architecture and engineering practice at insurance brokerage Willis Towers Watson. “We’re seeing significant exposure for design professionals, as well as significant business interruptions.”
“The need for firms of all sizes to have cyber coverage has grown tremendously over the past few years due to the increasing cyber crime activity,” says Johnna Wangensteen, account executive for Kraus-Anderson Insurance. “Most cybersecurity experts state that it is not if you will experience a cyber breach but when you will. If you use a computer, you need cyber insurance.”
Wangensteen adds, “We recommend for the vast majority of our clients to secure a stand-alone cyber policy. These policies typically offer a wider range of coverage as well as higher limit options. Our advice to all engineering firms would be to make sure you know and understand the coverage you are purchasing and where your risk lies. There are multiple carriers trying to sell cybersecurity, and no two policy forms are the same. Watch for carriers that have some experience in this area and have solid cyber services.”
Building and implementing a cyber defense strategy can be daunting, both because of the high stakes and the constantly evolving threat landscape. But as the volume and sophistication of cyberattacks increase, a robust and well-considered approach to cybersecurity is becoming a table-stakes component of corporate risk management. Accordingly, the most pressing question for engineering firms isn’t whether to pursue a cyber strategy, but how.
A well-rounded approach to cybersecurity has three primary elements. The first is prevention, which aims to keep attackers from gaining access to crucial systems or data. Firewalls, software patches, passwords, and data encryption all fall into this category.
In a perfect world, a strong perimeter defense would be enough to secure a company’s data. But attackers have proven themselves able to breach nearly any system, often without being noticed. That leads to the second part of a strong cybersecurity strategy: Companies must establish processes aimed at identifying and responding to attacks. What data did an intruder access after breaching the system? Do the attackers still have access? Once there’s conclusive evidence of an attack, specialists in digital forensics are often called upon to investigate the extent of the intrusion.
The third component to managing cyber risk is insurance. Over the last decade, cyber insurance has grown from an inexpensive, optional add-on to standard business insurance policies into stand-alone coverage that can come with hefty premiums—a consequence of a world where ransomware gangs routinely demand tens of millions of dollars from the companies they victimize.
Increased insurance premiums are not the only thing to change because of the wave of cyberattacks. Insurance companies may cap coverage for a particular type of exposure at a fraction of the policy limit. For example, Cosgrove cautions that a cyber policy with a $2 million coverage limit may provide only $100,000 of protection against phishing and other social-engineering attacks.
In addition, insurance carriers increasingly favor firms that prioritize strong cyberattack-prevention practices when offering coverage.
“There’s a lot more underwriting scrutiny around this coverage than we’ve seen in a long time, just because the risk is very volatile right now,” says Buelow, who sits on ACEC’s Risk Management Committee and leads a cyber-focused subgroup. “We’re seeing an evolution in the controls that these insurance carriers are asking their clients to have in place, and in some cases, the carriers will not offer insurance or even renewal terms if companies don’t meet a certain standard.”
“Stand-alone cyber policies are the preferred method of mitigating this risk,” says Jeff Connelly, managing principal of Greyling. “Most stand-alone policies offer a broader cover compared to endorsed PLI policies. Stand-alone policies are more apt to provide higher limits of coverage along with the broader terms. However, just going through the exercise of purchasing a cyber policy requires firms to have the proper risk management practices in place such as MFA (multifactor authentication). Cyber insurance is becoming as essential as private liability insurance. It is just a matter of time before all contracts will require engineering firms to carry cyber insurance.”
The good news for engineering firms purchasing stand-alone cyber insurance is that most policies not only provide a financial safety net, but also access to a partner who can help round out a company’s approach to cybersecurity. While it’s generally the insured’s responsibility to have adequate processes to prevent cyberattacks, some insurers will step in quickly in the wake of a successful breach to assist with cyber forensics and response. For example, when one of Cosgrove’s clients reported a multimillion-dollar theft, the insurance carrier quickly alerted the U.S. Secret Service, which was able to claw back a substantial amount of the total stolen.
“When you’re buying a dedicated cyber policy, it’s not the carrier’s first rodeo. They’ll know what to do; they will be connected with experts who can help you, and they will guide you through the process of responding to an attack,” says Karen Erger, senior vice president and director of practice risk management at Lockton Companies in Kansas City, Missouri. Erger is also a member of the ACEC Risk Management Committee and a risk management columnist for Engineering Inc.
Carriers can also provide other valuable connections in the immediate aftermath of a cyberattack, such as introductions to breach coaches who can provide counsel in the event of cyber extortion. Carriers can facilitate specialized legal counsel—there are implications, for example, with client notification requirements stemming from the exposure of third-party client data, which is an especially relevant concern for engineers.
“For engineers that are designing critical infrastructure or doing work with a government entity or anything that really touches the public, that’s a real threat,” says Erger. “It’s also potentially a breach of contract in cases where you’ve signed a contract with a confidentiality clause.”
Carriers sometimes also help with public relations expenses in the event that an attack threatens to harm a firm’s reputation.
Of course, the ideal outcome for any engineering firm is never to have to deal with the fallout of a major cyberattack. The first step toward warding off cyber thieves is mounting a strong defense.
Cyber insurance experts recommend several best practices to bolster your company’s defenses against a cyberattack, including the aforementioned MFA. Cosgrove says he’s noticed an increase in the number of carriers that require MFA before they will issue a cyber policy.
“If a firm says no to an MFA, these carriers are just saying, ‘We wish you the best of luck, but we won’t insure you, even if we’ve been insuring you for the last eight years.’ Some carriers haven’t gone quite that far, but I think it’s just a matter of time,” he says.
Data storage is also a critical topic. Whether a firm’s data is encrypted, whether its servers are segmented, and how its backups are maintained all are components of an overall strategy aimed at resilience in the event of an attack.
Another flashpoint is establishing and communicating strong protocols around wire transfers. Cyber thieves have gotten very good at asking for money, often sending emails that impersonate clients with astonishing precision. Buelow says some attackers have even updated engineering project documents to enhance the faux-authenticity of their communications—before supplying a new routing number and asking for payment.
Mounting a defense against such attacks can include process changes such as requiring verbal verification before replacing a routing number. Companies can also mandate that alterations to payment details occur only at a laptop or desktop computer, because it’s more difficult to spot a fraudulent email on a mobile device.
It’s just as critical to communicate frequently with employees about those processes.
“Don’t understate the importance of continuously sensitizing employees to the need not to click on fishy links and not to respond to emails that say the CEO is traveling and needs money right away,” says Erger.
That’s especially true given the sophisticated nature of advanced social engineering attacks. Sometimes the CEO really is traveling, a fact that the attackers may have gleaned by snooping on company email servers. Employees need to know that no request, no matter how urgent or apparently authoritative, is worth overriding the company’s security protocol.
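The payment-change controls described above (verbal verification before a routing number is replaced, changes entered only from a desktop or laptop, and no request being urgent enough to skip the protocol) can be enforced in software rather than left to memory. The following is an added example, not code from the article or from any of the firms quoted; the vendor record, phone number, routing numbers, and email text are all constructed for illustration, and the ABA routing-number checksum is the standard nine-digit check (3-7-1 weighting). The key design choice is that the verification call must go to the phone number already on file, never to a number supplied in the request itself.

```python
"""Added example: a minimal control for vendor payment-detail changes.
Constructed for illustration; not the article's or any insurer's code."""
from dataclasses import dataclass
from typing import Dict, Optional, Tuple
import re

# Constructed vendor-master records. The phone number on file is the only
# number a verifying call may use; a number in an email is never trusted.
def sample_master() -> Dict[str, Dict[str, str]]:
    return {
        "acme-structural": {"routing": "123456780", "phone_on_file": "+1-555-0100"},
    }

ROUTING_RE = re.compile(r"\b\d{9}\b")
TRIGGER_WORDS = ("routing number", "bank details", "new account", "wire")

def aba_checksum_ok(routing: str) -> bool:
    """Standard ABA check: 3*(d1+d4+d7) + 7*(d2+d5+d8) + (d3+d6+d9) == 0 mod 10."""
    if not re.fullmatch(r"\d{9}", routing):
        return False
    d = [int(c) for c in routing]
    total = 3 * (d[0] + d[3] + d[6]) + 7 * (d[1] + d[4] + d[7]) + (d[2] + d[5] + d[8])
    return total % 10 == 0

def flags_payment_change(email_body: str) -> bool:
    """Heuristic triage: does this message ask to change where money is sent?
    A hit means 'route to the verification process', not 'it is fraud'."""
    body = email_body.lower()
    return any(w in body for w in TRIGGER_WORDS) and ROUTING_RE.search(body) is not None

@dataclass
class ChangeRequest:
    vendor: str
    new_routing: str
    device: str                           # "desktop", "laptop", or "mobile"
    verified_by: Optional[str] = None     # employee who made the call-back
    verified_number: Optional[str] = None # number that was actually dialled

def apply_change(req: ChangeRequest, master: Dict[str, Dict[str, str]]) -> Tuple[bool, str]:
    """Apply a routing-number change only if every control is satisfied."""
    vendor = master.get(req.vendor)
    if vendor is None:
        return False, "unknown vendor"
    if req.device not in ("desktop", "laptop"):
        return False, "payment-detail changes must be made from a desktop or laptop"
    if not aba_checksum_ok(req.new_routing):
        return False, "routing number fails the nine-digit ABA check"
    if req.verified_by is None:
        return False, "verbal verification required before replacing a routing number"
    if req.verified_number != vendor["phone_on_file"]:
        return False, "verification call must use the phone number on file"
    vendor["routing"] = req.new_routing
    return True, "routing number updated"

# Constructed sample messages for the triage heuristic.
SAMPLE_EMAILS = [
    "Hi, attached is the revised drawing set for level 3. Thanks!",
    "Please note our bank details changed. New routing number 987654320. "
    "Kindly update before Friday's wire.",
]

if __name__ == "__main__":
    master = sample_master()
    for body in SAMPLE_EMAILS:
        print("needs verification" if flags_payment_change(body) else "ok", "|", body[:40])
    req = ChangeRequest("acme-structural", "987654320", "desktop")
    print(apply_change(req, master))           # blocked: no verification yet
    req.verified_by, req.verified_number = "A. Clerk", "+1-555-0100"
    print(apply_change(req, master))           # accepted after call-back
```

Running the script shows the second sample email being routed to verification and the change being refused until a named employee has called the number on file. Urgency in the request plays no part in the decision, which is the point the article's sources make.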
Cybercriminals are growing more audacious, more sophisticated, more ruthless, and more effective. Rather than crossing their fingers and hoping to avoid an attack, engineering firms should develop a proactive approach to cybersecurity—one that incorporates best practices for attack prevention, as well as partnerships with insurers that can offer resilience in the event that an attacker does break through.
Steve Hendershot is a journalist based in Chicago. He has contributed to Crain’s Chicago Business, Chicago magazine, Chicago’s NPR affiliate, WBEZ, and the Project Management Institute’s Projectified podcast.
Cybercriminals employ various tactics to carry out their attacks, usually aimed at breaking into company servers, gaining access to sensitive information, or redirecting payments to fraudulent accounts. Here are a few of the most common cyberattack methods:
Distributed Denial of Service (DDoS) attack: An attempt to make a website or service unavailable by overloading its servers with traffic from many sources at once
Malware: An umbrella term for software designed to facilitate a cyberattack
Phishing: Fraudulent messages intended to gain access to sensitive data, often financial information; many phishing attacks appear to come from trusted senders
Ransomware: A type of malware that blocks access to a device or network until the owner pays a ransom
Spyware: A type of malware that enables the attacker to monitor activity and gather information