In kicking off Cybersecurity Awareness Month 2018, we begin by recognizing that cybersecurity has seeped into our legal consciousness. Laws have emerged that address cybersecurity, such as the New York Department of Financial Services’ Cybersecurity Regulation and Colorado’s Division of Securities cybersecurity regulations. Information technology and software agreements have long incorporated cybersecurity language into their terms and conditions, and this Halloween, construction, an industry not typically associated with cybersecurity issues, is incorporating a cyber insurance requirement in its standard industry contracts.

Approximately every 10 years, the American Institute of Architects (AIA) updates its standard forms and contracts in an effort to reflect industry trends and important court decisions. The AIA released approximately 30 revised AIA forms over the last several months, including several standard A-series owner/contractor agreement forms (A101, A102, A133, etc.), which go into mandatory use starting this October 31, 2018. Among the updates in these new forms is a focus and promotion to obtain cyber insurance.

The updated A-series agreements include many discrete edits attempting to bring the AIA forms up to current industry standard, but of significant import is the new comprehensive insurance and bond exhibit. The AIA has indicated that the intent of the new exhibit is to minimize vagueness and provide clarity as to not only the types of insurance required under the standard language, but to also highlight the various types of insurance construction industry leaders, such as the AIA, highly recommend owners and contractors obtain. Cyber insurance has become foundational.

As owners and contractors alike embark on incorporating the new AIA forms for their upcoming projects, they should be aware of the different types and components of cyber insurance. Not all cyber insurance is equal. Some provide coverage for cyber extortion, i.e., ransomware, and will even reimburse you in the event you feel compelled to pay the ransom demand. Some policies may only cover your expenses in responding to third party claims relating to a cyber incident, while others will pay for both your own first party expenses as well as third party claims. Policies can contain tricky exclusions and requirements on how you manage a cyber incident. It is critical that you understand the coverage you are buying so that you are mitigating the relevant risks to your organization and also do not inadvertently exclude coverage by the way your organization handles an incident.