Are Hackers a Threat to My Design Firm?

Hackers make headlines daily with targets ranging from major Swiss banks to Minecraft users to German nuclear power plants. But what are the risks to architects and engineers?

keyboard

Professional Liability carrier Victor O. Schinnerer urges design professionals to Take Cyber Liability Exposures Seriously in a recent blog post:

Cyber liability problems that have disrupted firm operations often are based on one of three vectors:

— insiders who are dissatisfied or recognize their ability to tap firm assets and use that access for harm or personal profit;

— past employees who either take digital assets with them or to enact revenge against their former employers corrupt firm systems and information; and

— hackers who know that confidential project data is vulnerable and hold digital information hostage until a ransom is paid.

Hackers Can Wreak Havoc on a Firm

Although internal threats cause many cyber liability breaches, a malicious outsider is one of the greatest fears of professional services firms. A hacker could cause data inaccessibility through alteration or destruction. A firm would lose intellectual property and no longer be able to meet contract objectives and deadlines. Attackers who gain access to a firm’s data can encrypt it using ransom-ware and extort payment to regain access to information. Firms that do not properly preserve digital assets through robust back-up systems often have no alternative but to pay the ransom.

Construction projects today are increasingly dependent on digital technology. The adoption of BIM and the increasing use of digital technologies in designing, constructing, and operating buildings and infrastructure are transforming the way the industry works. The concept of collaborative work through the sharing and use of detailed models and large amounts of digital information requires that parties be aware of vulnerability issues and take appropriate control measures. Improper access controls could lead to an attack severely disrupting progress on a project, causing delays or remedial work that could lead to significant claims from owners, lenders, or other stakeholders. And if confidential information on the structure or systems of projects is accessed by unauthorized parties, the safety of the owners and users of the buildings or infrastructure could be put at risk.

It is possible to insure against these vulnerabilities. Schinnerer’s Cyber Protection Package is one example of such coverage. Here are a few others:

Give your local a/e ProNet broker a call to discuss your options today.

smoothsailing_engineeringinc

Design firms preparing to purchase or renew professional liability insurance ask the same few questions every year.

How will my professional liability premium be calculated? Will my professional liability premium go up? Should I change professional liability insurance companies?

One helpful resource to answer these questions is the 2015 Professional Liability Insurance Survey of Carriers, a report published annually by the ACEC along with a companion analysis in Engineering, Inc. that includes insight from insurance companies and other experts  This year, the title of the article says it all: 2015 was “Smooth Sailing” for the professional liability insurance industry, and that means good things for architects and engineers.

“The ACEC Risk Management Committee worked with the American Institute of Architects, the AIA Trust, and the National Society of Professional Engineers to survey 18 carriers.” With construction spending higher than it’s been in years and expected to rise, the number of insurance companies providing professional liability insurance to architects and engineers is also growing. New markets increase the competition for more established companies, and keep rates stable, which means Eric Moore, President of a/e ProNet and Vice President of Moore Insurance Services, is optimistic.

“Nonrenewal is about the only reason Moore would suggest changing carriers” this year. “If you do see a claim, a carrier you’ve been with a few years is less likely to drop you, he says.”

Also quoted in the article are representatives from several of the top-tier professional liability insurance carriers, like a/e ProNet sponsors Travelers, Beazley, and Victor O. Schinnerer, as well as Tim Corbett of SmartRisk, a performance management consultant for the design and construction industry, who has written for a/e ProNet many times.

You can read a digital version of this article in the January/February 2016 issue of Engineering, Inc.

As always, if you have any questions about this report or the professional liability market, please contact your local a/e ProNet broker today.

drone

They offer a bird’s eye view of construction sites. They provide breathtaking photographic opportunities for architects looking to showcase their work. And they’re fun to fly. However, while they may be intriguing tools for architects and engineers, drones open up the design firms that use them to many possibly unanticipated risks. These days, obtaining a drone is as simple as stopping at your local WalMart, but all drones are not created equal, nor are all drone pilots equally skilled and certified.

Victor O. Schinnerer’s Risk Management Blog recently offered an overview of this issue. Should your design firm use a drone in your administration of contracted services? Read on:

“Professional service firms have to be aware that the use of drones is not a simple transition in the process of observing the work on a project site. As with web cameras, drone cameras often produce far more images than are used in the evaluation of a project. If not properly denoted in a contract, the scope of the firm’s services could include the use of all the available images as part of the firm’s duty to observe and evaluate the project as part of construction contract administration duties.

“Additionally, while licensed drone operators are undoubtedly careful about having general liability insurance that protects others from their negligence in aerial activities, and follow the FAA’s rules and guidelines, many firms using drone photography are doing so as amateurs. Turning hobby activities into commercial uses is likely to be unlawful, dangerous, and uninsured.”

Continue reading Drone use can put firms at risk beyond their knowledge by Frank Musica

Screenshot 2015-10-16 13.03.11Design firms may not seem like prime targets for hackers, many of whom are after sensitive, personal information, etc., but this assumption can be dangerous for architects and engineers. Intellectual property must be kept secure, and the threat can come from outside hackers, as well as from employees.

As detailed in Schinnerer’s most recent issue of Constructive Comments, the “(t)he Federal Trade Commission (FTC) has developed cyber security principles in its Start with Security: A Guide for Business. The publication’s guidance is based on the FTC’s data security settlements. Lessons from more than 50 FTC cases show how companies can improve their cyber security practices.”

The guide breaks the strategy down into the following ten steps:

 

1. Start with security.

2. Control access to data responsibly.

3. Require secure passwords and authentication.

4. Store sensitive personal information securely and protect it during transmission.

5. Segment your network and monitor who’s trying to get in and out.

6. Secure remote access to your network.

7. Apply sound security practices when developing new products.

8. Make sure your service providers implement reasonable security measures.

9. Put procedures in place to keep your security current and address vulnerabilities that may arise.

10. Secure paper, physical media, and devices.

Access the PDF version of Start with Security: A Guide for Business here.

DesignBuildRisk management best serves design professionals when it’s put in place prior to the acquisition of risk. Not damage control strategies, but damage avoidance strategies. In the case of design-build projects–arguably some of the riskiest in the business–this preemptive management of risk should include a number of questions asked by all parties involved. Among those questions: How should the design-build project be structured?

At Victor O. Schinnerer’s most recent Annual Meeting of Invited Attorneys, Jonathan C. Shoemaker, of the Lee & McShane law firm, answered this question and others based on his own research “on the contractual and professional risks of participants in design-build projects.”

According to Shoemaker, there are many ways “to structure design-build teams, including teaming agreements, joint ventures, partnerships, and newly-formed companies owned by the design-build team.” The following is an excerpt from a post on the Schinnerer website:

[Shoemaker] defines the organization of a design-build team as either a vertical relationship (e.g., a traditional prime contractor/subcontractor organization) or a horizontal relationship. And he points out that the vast majority of design-build teams are contractor-led, with the design firm serving as a subcontractor to the contractor.

According to Shoemaker, a horizontally structured relationship is where a contractor and a design firm come together to form a joint venture, a partnership, or a new company to provide fully integrated design-build services. He defines the most common horizontal structure, the joint venture, as “a business undertaking by two or more persons engaged in a single defined project.” A joint venture structure typically includes:

joint control over the joint venture’s decisions (as opposed to the prime contractor having control);

liability for the joint venture’s losses (as opposed to liability for only the design professional’s losses);

and profit sharing (as opposed to only the profit earned under the design agreement).

Shoemaker also examines the risks to the design professional on a design-build project and discusses how the risks vary depending on the design firm’s involvement.

Visit the Schinnerer website to read the entirety of the post.

PNN_1407The construction phase is a dynamic time of a project and a design professional’s involvement is significant from a risk management perspective since it allows the design professional the opportunity to provide input during the construction of the project.  Since no designs are perfect (and, moreover, are not expected to be perfect to still meet the standard of professional skill and care), all designs require some level of interpretation that is best done by the design professional who created them.  During construction, the design professional can visit the jobsite to determine if construction is proceeding in general accordance with the plans and specifications and clarify the design intent when necessary.  This article addresses issues design professionals should consider if they provide services during this phase.

Do you have the resources?

The firm must have sufficient staff to devote to this important phase of the project.  The services during this phase require experienced professionals who know how to handle themselves on the jobsite and how to successfully complete tasks in the office.  If junior professionals perform construction phase services, the firm must ensure senior professionals are available to (and actually do) mentor the junior staff.  A successful mentoring program requires regular and meaningful communication between junior and senior staff who need to be proactive to nurture the mentoring relationship.  Mentoring is a two-way street:  it will not be effective if busy senior professionals do not devote time to advance junior professionals’ development and junior staff must take the initiative to seek out senior staff for guidance.

What does your contract say?

Industry standard documents have relatively balanced language regarding the construction phase.  However, design professionals are often faced with a client-

proposed document that may not include appropriate language for the design professional’s involvement in the construction phase. Continue reading “Construction Phase Services: Considerations for a Successful Outcome”

umbrellaWhat sets top-tier Professional Liability insurance companies apart from the rest are their risk management resources. These can include webinars and pre-claims assistance, which are usually made available only to their insureds. Other examples are contract review guides and newsletters. Travelers is one of the longest standing carriers of Professional Liability insurance (or Errors & Omissions insurance) for architects and engineers, and it makes several excellent resources available to all design professionals. In case you need a reason to visit their website, we suggest checking out their Lessons Learneda series of examples of claims causing loss and recommendations to mitigate risk in the future related to the type of loss. We pulled a recent one up to give you a taste!

The Incident

An architect contracted to provide design services for a retirement complex in the southwestern United States. In an effort to control costs, the owner chose not to retain the architect to perform construction phase services.

Upon project completion, the residents started complaining about various quality issues, including water intrusion, flashing problems and cracking stucco exteriors. The owner hired a forensic engineer who found numerous construction defects.

While many of the problems appeared to be construction related, the architect came under fire for failing to specify two layers of building paper as part of the exterior wall design. There was some question whether the architect, by specifying a single layer, had violated the local building codes.

The case failed to settle in mediation and went to arbitration.
During the three weeks of testimony, there were long debates about whether the contractor was required to provide one or two layers of building paper. The contractor argued that the specifications were confusing, which led to the installation of the single layer. The architect took the position that the specifications required the contractor to comply with applicable code requirements, which took precedence over the specified single layer of building paper.

The arbitration proceedings closed and the arbitrator rendered her decision. The architect was ordered to pay the owner in the
range of $500,000.

Lessons Learned

1. Construction Phase Services – Limiting or eliminating the design professional’s involvement during construction can be problematic. Many questions relating to the design intent can arise during construction. Keeping the design team on the sidelines can lead to problems during construction.

2. Specification Ambiguity – Clearly written specifications are important. Ensure that the specifications make sense. Have the specifications reviewed by someone who is unfamiliar with the project. As the author of the specifications, ambiguities most often become the design professional’s problem.

For more information, visit our Web site, contact your Risk Control consultant or email Ask-Risk-Control@travelers.com.

rmplusonline.com / Travelers Casualty and Surety Company of America and its property casualty affiliates. One Tower Square, Hartford, CT 06183
The information provided in this document is intended for use as a guideline and is not intended as, nor does it constitute, legal or professional advice. Travelers does not warrant that adherence to, or compliance with, any recommendations, best practices, checklists, or guidelines will result in a particular outcome. In no event will Travelers or any of its subsidiaries or affiliates be liable in tort or in contract to anyone who has access to or uses this information. Travelers does not warrant that the information in this document constitutes a complete and finite list of each and every item or procedure related to the topics or issues referenced herein. Furthermore, federal, state or local laws, regulations, standards or codes may change from time to time and the reader should always refer to the most current requirements. This material does not amend, or otherwise affect, the provisions or coverages of any insurance policy or bond issued by Travelers, nor is it a representation that coverage does or does not exist for any particular claim or loss under any such policy or bond. Coverage depends on the facts and circumstances involved in the claim or loss, all applicable policy or bond provisions, and any applicable law. © 2014 The Travelers Companies, Inc. All rights reserved. Travelers and the Travelers Umbrella logo are registered trademarks of The Travelers Indemnity Company in the U.S. and other countries. Doc#: LL1202 Rev. 3-14

chicagobean

Dozens of a/e ProNet members from across the country are gathering in Chicago this week for the annual fall meeting. They will be joined by representatives from several top tier professional liability insurance companies and a few major design industry organizations, including the AIA, NSPE, and ACEC.

Over the course of three days, members will receive presentations from the following insurance carriers: Beazley, Ironshore, HCC, Victor O. Schinnerer, Axis, Catlin, Hanover, RLI, All Risks, Liberty, Travelers, Navigators and Arch. These presentations will help inform the specialist brokers of a/e ProNet about industry trends, policy language changes, new coverage opportunities, and the like. It will also give our members a chance to ask questions and make suggestions pertinent to their own clients.

Along with insurer presentations, there will also be ample opportunity for the brokers to network with one another, alerting the group to trends around the country and problem solving in the collective.

To open the week, the Board of Directors will meet, and to close, Kent Holland of Construction Risk will present to the membership on the second edition of a/e ProNet’s Risk Management and Contract Guide for Design Professionals.

The Travelers Contract Solutions Matrix

travelerslogoWhen it comes to insuring architects, engineers, and design consultants, one thing the top-tier Professional Liability insurance providers have in common is a wealth of risk management resources for their clients. Some of these resources are even made available to the public. For example, in the past, we’ve blogged War Stories: Real-life Claims Scenarios from Victor O. Schinnerer and Beazley Pro, a new publication from Beazley.

But if, in the course of the day, you come up against an insurance term you wish you understood better, the Travelers Contract Solutions Matrix is a good place to look for your answer

Organized glossary style, this index begins with A Well-Written Contract and ends with Waiver of Subrogation. It’s a place to find definitions, explanations, examples, and answers to frequently asked questions, each presented in the form of a concise two-page document. Other relevant topics included are Additional Insureds, Duty to Defend, Requests for Information, and Unauthorized Changes.

The following is an excerpt from the Travelers Contract Solutions Matrix document on Insurance Requirements:

III. Negotiating points

Policy Limits. You may be asked to provide higher limits than you maintain under your current professional liability or other insurance policy. You may be able to recoup that additional cost of higher limits from the other party to the contract through higher fees. In some cases, specific job excess or specific client excess coverage is available to increase limits on a single project or for a single client.

Length of Obligation. Since professional liability coverage is written on a claims-made basis, you may be asked to maintain the coverage for years following completion of the project. You should negotiate a reasonable period of time in light of the economics of the project and the applicable statute of limitations/statute of repose.

Insurability. Typically, professional liability policies do not cover express warranties and guarantees or liability assumed by contract (liability beyond what a design professional would normally have under the law). Therefore, it is important to evaluate each provision in a proposed contract to verify that you are not guaranteeing your work or being held to a standard of care that is greater than what is imposed by law. In particular, any indemnity clause should be carefully reviewed for this issue.

Download the full PDF version of this resource to find information on Professional Liability, Commercial General Liability (CGL), Workers’ Compensation and Employers’ Liability, and Commercial Auto Liability.

We hope this perk from Travelers is helpful to you. Of course, if you have insurance questions, you can always contact your local a/e ProNet broker and get a quick, straight, specialized answer.