Tag Archives: construction

Cyber Criminals Scam Construction Firm Out of Cash

Compared to many other industries, construction companies have been slower to take up cyber insurance. Because they typically don’t hold large amounts of sensitive data and aren’t solely reliant on their computer systems to carry out their business operations, construction companies don’t often believe that they are overly exposed to cyber risk.

Nevertheless, even if a business doesn’t hold vast quantities of data or isn’t wholly dependent on their systems to function, it is still likely that the business in question has some form of cyber exposure. Most modern businesses will hold some data on employees and third parties, use email to communicate with customers and suppliers, and use business bank accounts to receive and disburse funds electronically.

The construction sector is no different, and one area where they are particularly exposed is funds transfer fraud. Most construction companies will regularly work with suppliers and subcontractors to carry out their projects, and these partners will usually invoice the construction firm for the goods and services provided. If the company pays these invoices electronically, then they can fall prey to cybercriminals who are constantly looking for opportunities to intercept these payments and divert them to fraudulent accounts.

One of our policyholders affected by such a loss was a small construction firm with revenues below $50 million. The business specializes in commercial construction projects, ranging from office buildings to warehouse units and regularly makes use of specialist subcontractors to assist with projects.

Digging for login credentials

The scam all began when an employee fell for a credential phishing email. Credential phishing emails are used by malicious actors to try and trick individuals into voluntarily handing over their login details, typically by directing them to a link that takes them through to a fake login page.

In this case, the employee received an email purporting to be from Microsoft which stated that in order to implement some urgent new security features on his Office 365 account, he would have to verify his account details by clicking on an attached link. Not wanting to miss out on these new features, the employee clicked on the link and inputted his email login details. However, despite the email appearing to come from a legitimate source, the employee had unwittingly handed his credentials to a fraudster.

To make matters worse, the construction firm had not enabled multi-factor authentication on staff email accounts, so the fraudster was able to use the credentials to access this employee’s email account remotely. This allowed the fraudster to monitor communications to and from the account and gain valuable information about the nature of the policyholder’s business and the employee’s role within it.

The employee whose email account had been compromised was one of the firm’s project managers. As part of his role, he regularly liaised with subcontractors and they would often send invoices over to him, which he would then pass to the finance department for payment. As it happened, a few weeks after the fraudster had gained access to the inbox, an email was sent over to the project manager from the managing director of a firm that had been subcontracted by the construction company to carry out some structural steel fabrication work on a project. The email had an invoice attached for a month’s worth of work done on the project, amounting to $93,425. Having spotted an opportunity, the fraudster chose this moment to strike.

Fraudster hammers out a plan

The first step was to set up a forwarding rule in the project manager’s email account. Forwarding rules are settings that can be applied to an email account which ensure that emails that fall within certain criteria are automatically forwarded to a specific folder or to another email account. In this case, the fraudster set up a forwarding rule that meant that any emails that featured the steel fabrication firm’s genuine domain name were immediately marked as read and sent directly to the account’s deleted items folder.

The next step was to set up an email address impersonating the managing director of the steel fabrication firm. In order to do so, the fraudster created an email address which, to the untrained eye, was exactly the same as the managing director’s, but crucially omitted one character from the domain name. So rather than reading Joe.Bloggs@ABCfabricators.com, it read Joe.Bloggs@ABCfabicators.com.

The final step was to send an email to the project manager. In the email, the fraudster explained that the firm had recently changed banks and that the previous invoice had mistakenly included the old account details. The email went on to say that the new bank account details could be found on the new invoice attached to the email and that the construction firm should update its records so that all current and future payments went to the correct account.

The fraudster had used exactly the same invoice template as before, including the same company address, logo and statement of work, with the only amendment being the bank account details. In order to give the email an added sense of authenticity, the fraudster took the original email that had been sent by the subcontractor to the project manager and forwarded it on to the fake email account. The fraudster then replied to this original email when sending the fraudulent email to the project manager, making it appear as though it was part of the original email chain.
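Both mailbox-side traces described above can be checked for mechanically: a rule that quietly hides mail from a known supplier, and a sender domain that is a near miss of that supplier's domain. The following Python sketch is an added example, not part of the original article or of any vendor tooling; the `InboxRule` record, its field names, the folder list, the internal domain and the sample data are assumptions constructed for illustration.

```python
from dataclasses import dataclass, field

# Constructed allow-list: domains of suppliers the firm already works with.
KNOWN_SUPPLIER_DOMAINS = {"abcfabricators.com"}
# Assumption: folders a user rarely opens, so mail moved there goes unseen.
HIDING_FOLDERS = {"deleted items", "junk email"}


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance (single-character insert, delete, substitute)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_of(sender: str, known=KNOWN_SUPPLIER_DOMAINS, max_dist: int = 2):
    """Return the known domain the sender's domain imitates, or None."""
    domain = sender.rsplit("@", 1)[-1].strip().lower()
    if domain in known:
        return None  # exact match: the genuine supplier domain
    for good in sorted(known):
        if 0 < edit_distance(domain, good) <= max_dist:
            return good
    return None


@dataclass
class InboxRule:
    """Simplified, hypothetical rule record (not a vendor schema)."""
    name: str
    sender_contains: list = field(default_factory=list)
    mark_as_read: bool = False
    move_to_folder: str = ""
    delete_message: bool = False
    forward_to: list = field(default_factory=list)


def audit_rule(rule, known=KNOWN_SUPPLIER_DOMAINS,
               internal_domain="example-construction.test"):
    """List the reasons a mailbox rule deserves a manual review."""
    findings = []
    hides = rule.delete_message or rule.move_to_folder.lower() in HIDING_FOLDERS
    targets = sorted(d for d in known
                     if any(d in s.lower() for s in rule.sender_contains))
    if hides and targets:
        findings.append("hides mail from supplier domain(s): " + ", ".join(targets))
    if hides and rule.mark_as_read:
        findings.append("marks hidden mail as read")
    external = [a for a in rule.forward_to
                if not a.lower().endswith("@" + internal_domain)]
    if external:
        findings.append("forwards mail outside the organization: " + ", ".join(external))
    return findings


# Constructed sample data mirroring the case in the article.
SAMPLE_RULES = [
    InboxRule(name=".", sender_contains=["abcfabricators.com"],
              mark_as_read=True, move_to_folder="Deleted Items"),
    InboxRule(name="Newsletters", sender_contains=["news.example.test"],
              move_to_folder="Reading"),
]
SAMPLE_SENDERS = [
    "Joe.Bloggs@ABCfabricators.com",   # genuine address from the article
    "Joe.Bloggs@ABCfabicators.com",    # lookalike address from the article
    "billing@unrelated.example",       # constructed unrelated sender
]

if __name__ == "__main__":
    for rule in SAMPLE_RULES:
        print(repr(rule.name), "->", audit_rule(rule) or "no findings")
    for sender in SAMPLE_SENDERS:
        hit = lookalike_of(sender)
        print(sender, "->", f"imitates {hit}" if hit else "ok")
```

A finding from either check is a reason to confirm the request by phone on a number already on file before any bank details are changed.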

Missed verification opportunity

With the email forming a part of the original email chain and coming from a seemingly identical email address, along with exactly the same invoice template, the project manager never doubted the legitimacy of the request. Assuming that the change of account was valid, the project manager sent the amended invoice over to the finance department for processing.

In theory, it was at this point that the scam should have been thwarted. The construction firm had previously sent out an email to staff regarding the verification of account changes, stating that all requests for account changes should be followed up with a call to an individual at the company requesting the changes to confirm that everything is in order. If this verification procedure had been carried out, it’s unlikely that the fake invoice would have been paid. Unfortunately, the member of the finance department dealing with the request failed to carry out this procedure and updated the bank details, resulting in the full $93,425 being transferred to the fraudulent account.

It was only when the managing director of the steel fabrication firm called up the project manager, several weeks later, to inquire about the status of the payment that the scam was uncovered. Both the banks involved and local law enforcement agencies were informed about the loss, but by this point it was too late and the funds had already been transferred out of the fraudulent account. With the funds deemed unrecoverable and the steel fabrication firm still expecting payment, the construction firm had little choice but to pay the invoice for a second time, resulting in a significant loss to the business. Thankfully, however, the construction firm was able to recoup the funds under the cybercrime section of its cyber policy with CFC.

Smarter criminals and other key takeaways

This case highlights a few key points. Firstly, it shows just how skillful cybercriminals are becoming at parting businesses from their money and how difficult it is for businesses to spot a fake.

In this case, the fraudster managed to successfully impersonate Microsoft and manipulate the project manager into volunteering his email login details; set up a forwarding rule to prevent any emails from the real subcontractor reaching the project manager and jeopardizing the scam; set up a fraudulent email address that was virtually identical to the genuine subcontractor’s; make it look as though the fake email sent to the project manager was part of the original email chain; and send over an identical invoice template to the one used by the genuine sub-contractor.

Secondly, it illustrates how human error plays a major role in cyber losses. Many organizations don’t think they need to purchase cyber insurance because they believe they have the IT security and risk management procedures in place to prevent a cyber loss. But as with so many cyber-related events, this loss stemmed from human error and it’s very difficult for any business to eliminate this risk entirely. The fraudster was able to compromise the email account because the project manager fell for a sophisticated credential phishing scam, and the funds were successfully intercepted because an employee in the finance department failed to carry out a verification procedure.

Finally, it highlights how almost all modern businesses have some form of cyber exposure. Even though the policyholder in this case was a construction firm that didn’t solely rely on its computer systems to carry out its business operations, the company still used emails to communicate with subcontractors and made payments electronically. All it took was for just one email account to be breached for the business to be defrauded out of $93,425. But by having a cyber insurance policy in place, the company was able to successfully recover the loss, illustrating the value that cyber insurance can bring to any modern business.

Source: www.cfcunderwriting.com


Builders Risk: Minimizing Uncertainty at Bid Time

At the bid preparation stage, contractors often do not have full information on the builders risk insurance that will be provided by the project owner. The insurance requirements may be unclear or missing altogether. This often results in misunderstandings down the road. But it does not have to be that way.

The clarity and completeness of builders risk insurance requirements can and do vary considerably. I have encountered bid documents that do not contain builders risk requirements at all. I have also seen builders risk insurance addressed by a single sentence. These are actual examples:

  • “Owner will provide builders risk coverage.”
  • “The Owner shall provide property insurance upon the Work, but Contractor is responsible for all deductibles and uninsured losses.”
  • “Intentionally left blank.”

These examples all have one thing in common: The contractors are left to speculate on what, if any, coverage will be provided to them in the event of damage to the project. This is not a good way to start a project.

On the other hand, the insurance requirements may be complete and each contractor knows what risks are transferred to the builders risk insurer. This removes uncertainty … and any time you remove uncertainty, bid pricing is more favorable for the project owner. (Owners, please take heed.)

Why Aren’t Insurance Requirements Clear?

Insurance requirements may not be clear for two reasons. First, if model contract forms are used (e.g., American Institute of Architects, ConsensusDocs, Engineers Joint Contracts Documents Committee, Design-Build Institute of America), the builders risk provisions may be unclear or lacking to begin with. Many people assume that if a provision is contained in a model contract form, it must be appropriate. This is not true. Depending on circumstances, some provisions may be inappropriate. Other important loss exposures may not be addressed at all.1

For example, the standard builders risk insurance requirement in one model contract form requires coverage on an “all risks” basis. This is desirable, but in the section that lists the causes of loss that must be covered, there is no reference to ensuing loss exceptions. Many say that the most commonly litigated provisions in builders risk policies are the exclusions applicable to faulty design, workmanship, and materials. The breadth of coverage is very different between a policy that has these exclusions and another that has these exclusions followed by “ … unless direct physical loss or damage by an insured cause of loss ensue and then this policy insures only such ensuing loss or damage.” The latter example has an ensuing loss provision, which is very beneficial to all those entities insured by a builders risk policy.

The second reason for unclear insurance requirements is that the drafter may not have the technical or practical experience necessary to properly structure the requirements. We have all reviewed insurance provisions that are poorly conceived and executed. Enough said.

What Can Contractors Do?

The construction bid process generally provides opportunities for a contractor to obtain clarifications or answers to questions. These are set forth in the bid documents and may include pre-bid meetings or procedures for submitting questions. With private work, a contractor may also qualify its bid to include certain assumptions regarding insurance.

Many contractors wisely seek additional information and answers to their questions. Others may know there are potential problems but hope for the best, and still others are not aware of the issues.

Checklist Tool

It is suggested that contractors compile a builders risk insurance checklist and request the owner to confirm what is contemplated/provided by the builders risk policy. A sample checklist is reproduced below. This template should be customized by the contractor to suit its needs. Regular use of a checklist can minimize uncertainty for all parties and further risk management programs.

| Coverage or Feature | Minimum Requirement/Comments |
|---|---|
| 1 Owner Responsibilities | |
| Insurer selection | AM Best “A X” or better |
| Naming of insureds | Owner, general contractor, subcontractors of all tiers |
| Premiums and deductibles | Owner is responsible |
| Policy format | Inland marine policy and forms |
| Provide copy of policy | Within 60 days of project start |
| Policy term | In compliance with the contract |
| Partial occupancy prior to project completion | Secure approval of insurer |
| 2 Covered Property | Replacement cost; no coinsurance |
| Work at project site | Full contract value and modifications; owner’s supplied property |
| Property in transit | Limits to be agreed upon |
| Property at off-site locations | Limits to be agreed upon |
| 3 Covered Causes of Loss/Other Features | |
| “All risks” | Full policy limit |
| Wind | Full policy limit |
| Collapse | Full policy limit |
| Water damage (incl. sewer backup and sprinkler leakage) | Full policy limit |
| Collapse | Full policy limit |
| Faulty design, workmanship, materials (resulting damage) | Full policy limit |
| Terrorism | Full policy limit |
| Flood | Limits to be agreed upon |
| Earth movement | Limits to be agreed upon |
| Equipment breakdown | Limits to be agreed upon |
| Hot testing | Limits to be agreed upon |
| Debris removal | Limits to be agreed upon |
| Pollution, mold, fungus | Limits to be agreed upon |
| Additional costs due to building laws | Limits to be agreed upon |
| Extra expense (contractors) | Limits to be agreed upon |
| Waivers of subrogation | In compliance with contracts |

Source: www.irmi.com


1 For a detailed analysis of builders risk insurance requirements in different standardized contract forms, refer to The Builders Risk Book, by Steven A. Coombs and Donald S. Malecki, published by International Risk Management Institute, Inc., in 2010.


How Well Does That Blanket Cover Your Client?

Blanket additional insured endorsements are useful tools for preventing administrative oversights and reducing paperwork, but they also carry risks for both the named and additional insureds. Discover methods contractors and subcontractors can use to minimize the risks of breaching their contracts when using blanket AI endorsements.

One of the age-old problems in obtaining additional insured status under a contractor’s or subcontractor’s insurance policy is making sure the appropriate actions have been taken to effect the required coverage. Certificates of insurance are commonly used to verify that the certificate holder has been added as an additional insured, but because they are not part of the policy, information contained on certificates may not be binding on the insurer. This article examines the use of blanket endorsements to effect additional insured status as a means of overcoming at least some of the imperfections of the process.

Additional insured status is a common and effective tool for protecting one party from certain risks arising out of another party’s activities. For example, municipalities typically require additional insured status from anyone holding a public event on city property, such as concerts, parades, and carnivals. The rationale behind this requirement is that the activities expose the city to certain risks that would not otherwise exist, so the person or organization that creates the risk should assume responsibility for any losses incurred as a result of the activities. In the case of a public concert, for example, if someone is injured when the crowd gets unruly, both the city and the concert sponsor will likely be sued. As an additional insured under the sponsor’s policy, the city can tender the claim under that policy instead of having to file the claim under its own insurance. The risk has been effectively transferred to the concert sponsor (assuming the available policy limits are sufficient to cover the claim.)

On a construction project, the owner typically requires additional insured status under the general contractor’s liability insurance policies; general contractors may do likewise with subcontractors. As in the example above, the rationale is that the construction activities create certain risks that would not otherwise exist and increase the magnitude of certain other risks. For example, a construction project in a retail district carries the risk that a pedestrian will be injured from flying debris, collapsed scaffolding, or a tool dropped from several stories up. These risks are directly related to the contractor’s operations on the site. Further, goes the rationale, the contractor (or subcontractor) performing the work is generally in the best position to prevent or control losses arising out of the work, and should therefore bear the corresponding financial risk.

However, requiring additional insured status does not necessarily guarantee that you will get it. The named insured (contractor or subcontractor) must notify the insurance company of the request, and absent a provision to the contrary, the person or entity requesting additional insured status must be listed, or “scheduled”, by name on an endorsement that is attached to the policy.

Because this requirement is so common in construction contracts, some contractors may handle hundreds of requests for additional insured status in a given year. Further, because the contracting process is often drawn out, and the insurance requirements given little more than a cursory review, this method of providing additional insured status carries inherent risks of error and oversight. Whether the result of failing to forward the request for additional insured status to the broker or insurer, failing to ensure additional insured status under a new or renewal policy, or some other oversight, a contractor (or subcontractor) can easily find itself in breach of a contract, among other unpleasant outcomes. Likewise, the would-be additional insured may find itself embroiled in a coverage dispute with the insurer and a contract dispute with the named insured contractor; meanwhile, it may be forced to tender the claim to its own insurer (or, if self-insured, fund its own defense). All of these possible outcomes frustrate the intent of the contracting parties.

Blanket additional insured endorsements were introduced as a means of avoiding administrative errors and oversights in providing additional insured status. These endorsements typically contain language indicating that additional insured status is automatically provided when the named insured agrees to provide such status. To avoid overly broad grants of coverage, these endorsements typically limit their application to certain types of written contracts, such as construction contracts or equipment rental agreements.

The obvious benefits of blanket, or automatic, additional insured endorsements are that they protect against failure to add a party as an additional insured in accordance with the contractual agreement, and reduce the administrative burden of making each request individually. However, from the additional insured’s perspective, there are also some potential drawbacks to obtaining additional insured status in this manner. First, in the past, blanket additional insured endorsements had to be manuscripted as no standard endorsements were available. Because they are not standardized, manuscript endorsements can differ from one policy to the next. Consequently, they offer less predictability in terms of scope of coverage, as well as how a court might interpret the language of the endorsement.

Because blanket additional insured endorsements typically require a contractual obligation on the part of the named insured to provide such status, those who obtain additional insured status through such an endorsement must retain proof of the contractual requirement to effect coverage. Even when the additional insured’s coverage does not apply to completed operations, claims arising out of occurrences that took place during the course of construction may not surface until years later. Some additional insureds assume that a certificate of insurance showing additional insured status at the time of the occurrence will be sufficient to trigger the insurer’s duty to defend and indemnify. That is not necessarily true. The additional insured will also need evidence that there was in fact a contract requiring such coverage. While a certificate of insurance indicating that the certificate holder has been added as an additional insured is evidence of a contractual requirement, a better approach may be to require the certificate to refer to the contract requirement. For example, the following language could be required on the certificate:

“In compliance with the contract requirements, certificate holder is an additional insured under the policy.”

If possible, the contracts themselves should be retained. (This should not impose a significant additional burden in most instances, as construction contracts are typically retained for access to indemnity and other provisions that may come into play well after the project is completed.)

Finally, blanket additional insured endorsements restrict insurers’ ability to provide notice of cancellation to additional insureds. Most insurance policies require such notice to be provided only to the named insured. Additional insureds often try to obtain a guarantee of notice of cancellation by modifying the certificate language, but this is an unreliable approach.

Summary

Blanket additional insured endorsements are useful tools for preventing administrative oversights and reducing paperwork, but they also carry some risks for both the named insured and the additional insured. Fortunately, these risks can be managed fairly effectively.

Owners and contractors requiring additional insured status should make certain the additional insured requirement is part of a written and properly executed contract, and retain copies of these contracts (as well as the certificates of insurance) for an appropriate period of time—at least 3-5 years if completed-operations coverage was required and included in the additional insured’s coverage. Further, they should stipulate in the contract insurance requirements a minimum scope of coverage to be provided to them as an additional insured.

Contractors and subcontractors using blanket additional insured endorsements to provide contractually required coverage can minimize the risks of breaching their contracts by sticking with language that has been tested, and making sure the endorsement extends the contractually required scope of coverage.

Source: irmi.com


5 Major Construction Trends

In order to stay competitive and set your construction firm up for success, the following are five major construction trends to follow this year:

  1. Technology advancements—The construction industry is notoriously slow at adopting new technologies. However, firms may soon have no choice but to pivot their business practices, as 3D printing, cloud applications and drone usage will likely boom.
  2. Modular and prefabrication construction—In 2017, modular and prefabrication construction grew in popularity due to its cost effectiveness and efficiency. This trend will likely continue, especially when you consider that material prices aren’t expected to fall.
  3. An increased focus on safety—The construction industry is consistently ranked as one of the most dangerous. Following higher levels of scrutiny, expect a continued focus on crafting better safety procedures and utilizing more safety technology.
  4. Continued labour shortages—Labour shortages in the construction industry are nothing new and will likely continue to plague firms across the country. With a small pool of qualified candidates, firms may struggle to find enough skilled craft workers to meet growing demands.
  5. Sustainability—Over the last few years, firms may have noticed a greater emphasis on green products and construction practices. Sustainability will be important throughout 2018, and companies that fail to consider their environmental impact may lose out on new projects.

Organizations can’t always predict what factors will have the greatest impact on future business. However, with the above trends in mind, companies can avoid major risks and ensure they remain competitive.

© Zywave, Inc. All rights reserved


The Importance of Disaster Preparedness in Construction

Natural disasters and other emergencies can strike without warning, potentially leading to major losses for construction firms that aren’t prepared. In fact, in the absence of a recovery plan, contractors and construction firms risk exposing their business to liability and serious reputational damages.

Although you can’t prevent disasters, you can prepare for them. The following are four important steps all construction firms should take before disaster strikes:

  1. Clearly define the terms used in your contracts. While hurricanes and wildfires will likely excuse you from fulfilling a contract, vague definitions—such as severe rain—may cause confusion. Define such events ahead of time to relieve uncertainty.
  2. Prepare an emergency plan that assigns actions to designated individuals.
  3. Provide disaster preparedness training to employees. Include evacuation processes and proper use of emergency equipment.
  4. Protect project records. Contracts, permits and other physical files can be easily destroyed in the event of a disaster. Cloud-based storage can protect valuable data and ensure you have access to it from any location.

It may also be a good idea to develop an emergency response plan. This plan should account for hazard identification, communication methodology, plan administration and emergency response procedures. In addition, review your insurance policies before beginning big projects.

© Zywave, Inc. All rights reserved

