No one is safe

Understand your cyber vulnerabilities and how to protect yourself

Construction job sites have long been attractive targets for thieves enticed by valuable, portable equipment and contractors’ limited ability to physically secure property. The theft of machinery, equipment and supplies can carry great cost to a business, particularly during a time of supply chain constraints. But a newer threat has emerged: cybercrime.

You are a target

Although corporate cybercrime has been an issue since at least 2015, hackers now are targeting smaller, more vulnerable enterprises because that is where hackers can have the most success. Smaller companies’ systems are less complex and secure, employee training is not widespread and often one person can issue checks for large amounts of money.

The trend of cybercriminals targeting smaller companies is increasing at an eye-popping rate. The FBI reported a 400% increase in cybercrimes since the start of 2020. And the more roofing contractors rely on technology, the more susceptible they are to cyberattacks.

Roofing contractors are as reliant on technology as any other industry, using numerous tools, including telematics, onboard computers, sensors, GPS and building information modeling, to name a few. Factor in the increasing number of vendors entering the marketplace, the high rate of personnel turnover, data and file sharing outside of the company, and the use of mobile offices and devices, and it is easy to see how roofing companies have become attractive targets for cybercriminals.

In 2019, 61% of all cyber incidents occurred in small and midsize businesses, according to a survey highlighted in a Technology Trends article. The survey polled nearly 5,400 professionals from companies with fewer than 100 employees. Nearly 97% of those polled had some knowledge of cyber insurance coverage, but only 41% had coverage in place. According to Netwrix’s 2017 IT Risk Report, one out of four small businesses failed a cyber readiness test, with most respondents citing lack of budget and time and insufficient staff training.

What are the weaknesses?

There are several reasons why roofing companies can be particularly vulnerable to cybercrimes.

First, most roofing companies do not have sufficient security defenses and firewalls to effectively fend off cyberattacks. Second, construction executives mistakenly believe the data they store isn’t valuable. But what would happen if your data were to disappear? How would your company operate? Would you be willing to pay to get it back, and how much would you pay?

A roofing company’s multiple technology systems for accounting, communication and estimation, for example, are probably not protected under one large security system, which increases vulnerability. Additionally, access to multiple vendors’ and subcontractors’ systems often is reciprocal. These connections are additional pathways into systems for opportunistic cybercriminals.

Further exposure through vulnerable systems, such as unsecured home or hotel Wi-Fi networks or unsecured mobile devices, also leaves a company open to attack.

And smaller companies often do not update computers and operating systems as often as needed, leaving older systems more vulnerable to attack. Attackers have more time to find weaknesses, and security patches become less frequent as these systems age.

What can happen?

If a hacker were to successfully infiltrate your systems, what could happen? There are several scenarios.

Hackers could go straight to extortion and make ransom demands. They would shut down a system, which could, for example, affect your email, estimation software or accounting software, until you pay.

Even BPM Insurance, Prairie Village, Kan., which specializes in cybersecurity coverage and has a full-time IT team, fell victim. About 10 years ago, the company’s systems were locked down by a hacker. The company contacted the police and FBI, and the agencies suggested the company pay the ransom because there was little chance law enforcement could retrieve the data safely. The company paid the ransom, got the data back and has since invested significant time, capital and redundancies into its systems, including purchasing a cyber insurance policy.

Another scenario is hackers can release sensitive financial or personal information. This means private client or partner data would be made public.

And there is the possibility of hackers stealing money directly from your company via fraudulent wire transfers or something disguised as “authorized” payments. Because banks typically have better security and some insurance to cover their fault in wire frauds, the latter happens more often.

It usually works like this: An employee gets an email that appears to have been sent by a trusted person or entity. The email has an invoice attached with instructions to send payment to a new bank. The invoice amount is low enough or the relationship trusted enough that the invoice is approved, and the payment is then legally sent. The imposters posing as a “trusted” entity continue to send different invoices until someone finally notices the money was never received by the actual trusted entity. By then, the money is long gone.


Now that you know some of the ways you can be at risk, what can you do?

Just like the relationship between safety training and workers’ compensation insurance, it’s a combination of training, upgrading systems and making sure you have adequate insurance coverage.

To help with your company’s cyber liability insurance needs, NRCA has partnered with BPM Insurance and Acrisure LLC, Grand Rapids, Mich., to offer an association-sponsored cyber liability insurance program.

The NRCA-endorsed cyber liability insurance coverage is a best-in-class coverage and a standalone policy, so there is no need to change insurance companies.

A bright spot to consider is cyber liability insurance premiums are stabilizing after years of steep increases. A recent study by insurance advisory company Marsh, White Plains, N.Y., showed the pace of rate increases is slowing. Demand remains high for cyber insurance coverage, but the stabilization of rates is being attributed to improved security awareness across all industries and improved resiliency within insured companies. NRCA’s program offers two types of coverages:

First-party coverage covers you and your business for financial losses arising from a cyber event. A cyber event is defined as any actual or suspected unauthorized system access, electronic attack or privacy breach, or system downtime. It is important to note a vast majority of cyber claims stem from first-party losses.

Third-party coverage covers you and your business for liability actions against you arising out of a cyber event.

Let’s look at the key elements of a good cyber insurance policy: incident response, system damage and business interruption, cybercrime, network security and privacy liability, and media liability.

Incident response

Incident response is at the heart of any good cyber policy. This coverage generally will pick up all the costs involved in responding to a cyber incident in real time, including IT security and forensic specialist support, gaining legal advice in relation to breaches of data security, and the costs associated with having to notify any individuals who have had their data stolen. One of the most important aspects of a cyber policy is it provides speedy access to the right specialists as well as pays for their services.

Look for insurance providers that have a proven track record of responding to claims, an in-house cyber claims team and local specialists.

Damage and interruption

System damage and business interruption coverage helps keep your business up and running and covers the costs for your data and applications to be repaired, restored or recreated in the event your computer systems are damaged from a cyber event. It also reimburses the loss of profits and increased cost of work stemming from an interruption to operations caused by a cyber event or prolonged system downtime.

Look for coverage that not only is triggered by malicious cyber events but also by accidental system failure, meaning a cyber event does not have to take place for coverage to apply. You also will want to make sure the policy addresses consequential reputational harm.

Cybercrime
Within the context of a cyber insurance policy, cybercrime usually refers to attacks that involve theft of funds as opposed to theft of data or other digital assets. This usually happens in one of three ways:

  • Electronic compromise: Attackers hack into the insured’s network and gain access to online accounting or banking platforms.
  • Extortion: Hackers use the threat of exposing or destroying data they have already compromised to extort money from the victim.
  • Social engineering: Attackers imitate a senior executive or third party and trick the insured into legally sending funds.

Look for policies that cover the full range of cybercrime types from funds transfer, fraud and ransomware to targeted extortion and the unauthorized use of computer resources. Ask your underwriter whether any risk management warranties apply.

Security and privacy

Network security and privacy coverage covers third-party claims arising out of a cyber event, whether it is the transmission of harmful malware to a third party’s systems or a failure to prevent an individual’s data from being breached.

Media liability

Media liability coverage applies to any third-party claims arising out of defamation or infringement of intellectual property rights. Media coverage started out in cyber policies to offer protection with respect to online content only, but as policies have broadened, it is common for full media coverage to be provided.

Best practices

As with any risk, you should try to prevent cybercrime before it happens or at least mitigate the damage. Here are some best practices your company should implement:

  • Email security. Protect your business with phishing monitoring, impersonation defense and account takeover protection.
  • Advanced anti-virus protection. With more sophisticated threats to your business possible, your anti-virus solution should offer ransomware protection, real-time threat prevention, and 24/7 managed detection and response.
  • Vulnerability management. To protect against a cyberattack, it is important to identify where to focus the risk mitigation. Your vulnerability assessment and monitoring should include real-time risk prioritization; cloud, virtual and container assessment; and accelerated vulnerability remediation.
  • Information and event management. This should be integrated with your vulnerability management component and enable you to easily spot anomalous activity or threats, speed up investigations and response via automation, know how to respond via a built-in detections library, and leverage internal and external threat intelligence.
  • Data backup and disaster recovery. To avoid your data being lost or a major business disruption, it is important to have the right security backups and a disaster recovery plan. Implement malware detection and back up to a private or public cloud.
  • Security awareness training. Cybersecurity awareness training is an effective way to educate employees about how to identify and avoid potential cyber threats. Find a training solution that offers videos, phishing simulations and games to ensure employee engagement, teach employees how to avoid being tricked by cybercriminals and enhance overall cybersecurity posture.

Most insurance companies include several free services with their cyber coverage. We recommend you locate an agent who is familiar with the cyber market and can help analyze your needs and find the best solution for your company.

For more information about NRCA’s cyber liability insurance program, go to


Follow these guidelines to enhance your company’s cybersecurity:

  • Require strong passwords and use multifactor authentication for users with access to critical data and applications or involved with wire transfer changes or approvals.
  • Have a procedure in place to authenticate the legitimacy of requests for payment and changes to wire transfer instructions.
  • Ensure critical vulnerabilities are patched within 30 days of release by the vendor and only run operating system services that are absolutely required for network operation.
  • Maintain frequent backups and encrypt or store backups offline to prevent cybercriminals from encrypting or destroying your backups as part of the attack.
  • Have an incident response plan. This prescribes the way your business will respond to and manage the effects of a security attack.
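As an added illustration (not code from the article, NRCA or BPM Insurance) of the payment-verification procedure the guidelines call for and the invoice-redirect scheme described earlier, this Python check holds any invoice whose bank details differ from the vendor master until a callback to the phone number already on file confirms the change; the vendor record and invoices are constructed sample data.

```python
from dataclasses import dataclass, field

# Constructed sample vendor master record (assumption): bank details and a
# contact phone number captured at onboarding, never updated from an email.
VENDOR_MASTER = {
    "Acme Shingle Supply": {
        "account": "000111222",   # constructed, not a real account number
        "routing": "000000000",   # constructed, not a real routing number
        "phone": "555-0100",      # constructed contact number on file
    },
}

@dataclass
class Invoice:
    vendor: str
    amount: float
    account: str
    routing: str

@dataclass
class Decision:
    release: bool
    reasons: list = field(default_factory=list)

def review_invoice(inv: Invoice, master: dict = VENDOR_MASTER,
                   callback_confirmed: bool = False) -> Decision:
    """Decide whether a payment may be released.

    Any mismatch between the invoice's bank details and the vendor master is
    held until someone confirms the change by phoning the number already on
    file (callback_confirmed), not a number printed on the new invoice.
    """
    rec = master.get(inv.vendor)
    if rec is None:
        return Decision(False, ["unknown vendor: onboard through AP before paying"])
    if (inv.account, inv.routing) == (rec["account"], rec["routing"]):
        return Decision(True, ["bank details match vendor master"])
    if callback_confirmed:
        return Decision(True, [f"new bank details confirmed by callback to {rec['phone']}"])
    return Decision(False, ["bank details differ from vendor master",
                            f"hold payment; verify by calling {rec['phone']} on file"])

# Constructed sample invoices: one matching the master, one redirecting payment.
LEGIT = Invoice("Acme Shingle Supply", 4200.00, "000111222", "000000000")
REDIRECTED = Invoice("Acme Shingle Supply", 3950.00, "999888777", "000000000")
```

The hold applies regardless of invoice amount, since the scheme described above relies on amounts small enough to pass without scrutiny.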

CHERYL AMBROSE, CHST, OHST, is NRCA’s vice president of enterprise risk management, and ANDY METZLER is P&C producer for BPM Insurance, Prairie Village, Kan.

