JESSICA RASULO: Hello, and welcome to our Construction Blueprints Podcast, I'm Jessica Rasulo, New York Metro Construction Industry vertical leader for Willis, and your podcast host for today. I'm delighted to be joined by Jason Krauss, North American Cyber Thought and Product Leader. And in this episode, we're going to explore cyber exposures, insurance, and the industry and its impact on the construction industry.
The Willis Construction Industry vertical specializes in serving contractors, developers, and professionals within the construction industry. And cyber exposures, obviously, have become more integral to all industries and certainly, construction. And, Jason, as you know from many long and in-depth conversations with me, I'm often thinking about all of the unique impacts to construction.
I could go down a lot of dark rabbit holes when it comes down to robots and smart equipment. But even just starting from a more traditional cyber exposure perspective, clearly, as all of our systems are reliant upon connectivity to the internet, there's vast exposure there. And I'm excited to talk to you a bit today about your thoughts on where those intersectionalities lie, and how the cyber insurance industry impacts us and unique impacts to construction versus other industries.
So with that, I guess I'm going to ask you, can you tell us a little bit about your thoughts on the cyber threat landscape today, and what are your views on the risks and exposures unique to construction.
JASON KRAUSS: Yeah. Well, thanks for having me. Jessica, you and I have spent some time for sure discussing some of the potential exposures that are out there but I'm just going to start out with some stats that are out there. Although the fourth quarter of 2024 saw a significant decrease in median ransomware payments, other data suggests that we shouldn't expect a drastic slowdown when it comes to ransomware.
According to Coveware, while the median ransomware payments fell 45% between quarter three and quarter four of last year, the average ransomware payments rose 16% during the same time period. There were 5414 published attacks on organizations worldwide. This was an 11% increase compared to 2023.
And then the number of known ransomware attacks increased in 2024 by 13%. And this included the largest ransomware payment ever by a victim. This was a Fortune 50 company. It was a $75 million ransomware attack. These are some stats that are out there. Just keeping everyone aware of what the ransomware trends have been. It's certainly worth bringing up the CrowdStrike global technology outage last July. It was triggered by a botched software update. It has been called the largest IT outage in history.
Organizations across a wide range of industries were impacted. Insurers have estimated the outage will cost US Fortune 500 companies $5.4 billion. And really the important thing about this incident particularly, it really brought to light how important system failure coverage is. This incident was not caused by a security incident or a cyber attack.
Again, as far as other exposures that I think are keeping risk managers up at night, there are potential exposures related to AI. We're still trying to get our heads around that, talking to a lot of clients, trying to understand exactly how they're using AI in their business. And, Jess, have you had a lot of conversations with clients about that lately?
JESSICA RASULO: Certainly. I think AI comes up on a regular basis in terms of-- and one of my things is we're talking about is even narrowing down what does one mean when you say AI. It's so pervasive in everything we do. I don't even think everybody's aware of when they're using it at this point. But really narrowing down, are you talking about AI in what you're doing, in what your underwriters are doing, in what your vendors are doing, and what specifically? Is it on your software systems or whatever that is really? In order to talk about it, you need to have a specificity around the parameters of it.
JASON KRAUSS: Sure. Yeah, I think we'll get into this in a little bit. But I mean, I think there are a number of different exposures related to AI. And it's a matter of determining where you should be protected. Under what policy you should be protected.
JESSICA RASULO: Exactly.
JASON KRAUSS: There are certain exposures that should be picked up under a cyber policy. There are certain exposures that should be picked up under, let's say, an EPL policy or a D&O policy. And there's a few of us, others in my role for other lines that we've been talking about this and trying to make sure there are no gaps in coverage for our clients.
JESSICA RASULO: Certainly. I think in addition, just from the insurance perspective and the coverage perspective, there's also, what are you doing to protect yourself. And do you think our clients are doing a good job of taking the right precautions in this from that perspective?
JASON KRAUSS: Yeah, I definitely think clients are doing a better job. I think this is part of the reason for the significant decrease in median ransomware payments. We've certainly seen certain industries do better than others. I think it's more challenging for manufacturers and construction clients due to the number of third party vendors organizations in these sectors utilize.
So despite having strong internal security measures, organizations can still be vulnerable if their partners are compromised. And this is tricky. Construction clients, again, they're working with a number of different subcontractors all the time. How are their controls? What sort of work are clients doing to ensure that their vendors are safe?
JESSICA RASULO: I think that's a tricky question. And I think, again, there's also even just assuming that your vendors themselves know what they're doing as far as are they using third party software in their systems as well. And a lot of times, this is where the conversations get tricky because there's actually the operational piece of it, and then there's the contractual risk transfer piece of it. Both of which are still a bit nebulous at this point.
JASON KRAUSS: Sure. It also, I mean, again, we've talked about this before. You could have the best security controls. You've done everything you're supposed to do, and then you have one employee that makes a mistake, that clicks a link that they shouldn't click and everything goes bad from then on. So again, I've said this before, you can have your 10-foot wall constructed, and there's always a bad actor out there with the 11-foot ladder. So--
JESSICA RASULO: Yeah. Actually, we've just come across this week in real time having people not your standard phishing email. But I guess it's what's called phishing if somebody's actually calling and impersonating a human on the phone that they knew. And luckily, it raised the right alarms for people to ask the questions. But you get a call saying, hey, this is blah, blah, blah, who you know and asking questions. And I think that just presents a whole new vulnerability.
JASON KRAUSS: Yep. Jess, did you get the email that our company sent to us this week? And hopefully you did not fall for it.
JESSICA RASULO: I did. I caught that one right away, luckily. And I'm proud to say, actually, several of my other members of my team did and raised the alarm also saying, I've noted this is here. So I think our training is very good, which is great.
JASON KRAUSS: Yes, absolutely. Yes, yeah. A few of us-- I was in our Short Hills office, and a few of us basically got the email at the same time to update our travel portal login information.
JESSICA RASULO: Yes, yeah.
JASON KRAUSS: Yes.
JESSICA RASULO: Yeah. And I think it is important. We have to continuously have those. I mean, again, and I think as we're seeing AI get more sophisticated, those phishing attempts are going to get more sophisticated as well. So it's just a constant learning for all of us.
JASON KRAUSS: Absolutely.
JESSICA RASULO: On that, what would you say the impact is on the state of the current insurance cyber market in general?
JASON KRAUSS: You knew we'd get to the insurance component of this.
JESSICA RASULO: Yeah.
JASON KRAUSS: Again, you could be technologically in as good a shape as possible. Again, you need to have a risk transfer strategy. So I mean, as far as the current state of the cyber market, market has been pretty stable through the first half of the year. Carriers are looking for flat rates on all layers lately, because they had been giving decreases over the past 18 months.
There is real intense competition between cyber markets. They're looking to retain their renewals, meet aggressive growth goals. It is possible we could see more premium increases toward the end of the year, as litigation that intercepted at the end of 2022 and 2023 concludes. This shouldn't come as a surprise. Underwriting decisions are really going to be influenced by security controls a company has in place, in conjunction with pricing and attachment points.
There's plenty of capacity out there in the market, partially thanks to new facilities able to provide significant excess capacity. And these facilities can be deployed anywhere in a program above the primary layer. Well, we're hopeful that this stability is going to continue. We're hopeful to have a little bit more of this soft market that we're in, where we're able to challenge some of the markets that we do business with to enhance coverages.
JESSICA RASULO: Going back a little bit to what you were saying before about how a lot of this is not necessarily completely clear of which line of coverage it should be on, is it a cyber exposure? Is it professional? Is it-- and this has been a major concern of mine through the years as well.
And one of my frustrations has been on the carrier side and on the reinsurance side. How much those are siloed and there being kind of a lack of communication there and lack of coordination, which I think is one of the things that makes it so important that you and I work closely together to make sure we're bridging that gap for our clients here. Do you see any movement of that? Have you seen any improvement in carriers talking better across lines?
JASON KRAUSS: Yeah, I think so. It's interesting with the cyber product, which compared to other lines, is still relatively new. The cyber product has really expanded quite a bit over the past 10, 15 years. And certain coverages that maybe you wouldn't have expected to be in a cyber policy are now there. Just what I mentioned it before, system failure. System failure is just-- think of someone as knocking a plug out of a wall. It's not a security event.
JESSICA RASULO: What if that plug happened to be all of Spain and Portugal?
JASON KRAUSS: Good point.
An excellent point. That's right. That was a system failure. But the problem with that is that that would come in as infrastructure. And that is not something that would be contemplated under a cyber policy.
But anyway, to answer your question in a roundabout way, I think we are doing better in terms of different lines of business working with each other and coming together and say, hey, this sort of exposure really makes sense to be picked up under this type of policy. This type of exposure should be picked up under cyber policy and have the policy coordinate with each other. And have certain language added when necessary to each policy's other insurance provisions.
JESSICA RASULO: Absolutely. Primacy of coverage is super important in those situations.
JASON KRAUSS: Yes, absolutely. So doing better-- there's always definitely more work to do for sure.
JESSICA RASULO: Yeah. And I do think that's an area, I mean, I think that's an area where we should make sure we don't lose focus and help drive the industry in general because it's just going to become-- as it becomes more and more difficult to unravel what is cyber and what is just operations, those conversations are going to just become more and more important. And I think really needs to drive just as it's driven a shift in our entire existence. And society needs to drive a shift in how insurance is placed and contemplated.
OK, so moving on from that, what do you think specifically from a coverage perspective, what are specific enhancements that are unique to construction that we should be thinking about that are available, aren't available, that we really should be pushing to ensure that we have included for all cyber and for all construction insurance?
JASON KRAUSS: Yeah. We have this industry initiative over the past couple of years, and we've really been asking a lot of questions. What coverage enhancements make sense for each industry? And there are some industries where it's not as clear what those enhancements could be. We've found that with construction, there are a number of enhancements that could be added to an off-the-shelf cyber policy that really speak to the exposures that construction clients are seeing.
So these are just a few enhancements that we've been able to negotiate with certain markets. First one, missed bid coverage. This is coverage that would be available if a plan bid proposal for a future project is not able to be submitted prior to the deadline due to a breach, due to a security breach or system failure.
Coverage is usually sub limited, but it really-- this is an exposure that basically speaks to the construction industry for sure. A few other expansions. We've negotiated expansion of the insured definition to include owners of any property managed by the named insured. We have enhanced policies to include third party liability coverage for bodily injury claims that may arise from cyber incidents. Again, Jess, this is what--
JESSICA RASULO: I was going to say-- I'd love to pause on that one for a bit because that's one that I try not to go too far down the rabbit hole, but I think as we rely more and more on smart equipment, and now certainly robots as well, I see that as being an ever expanding exposure area.
JASON KRAUSS: Absolutely. Look, to be perfectly honest, have we seen a lot of this lately? We haven't. But it is not out of the realm of possibility to see bodily injury resulting from a potential cyber attack.
JESSICA RASULO: Yeah.
JASON KRAUSS: And right now, coverage is available. Again, it's sub limited. I guess this is something you talk about other lines potentially responding to an exposure like this. And this is one that would seem to make more sense, possibly under a casualty policy. And we have had some discussions with our casualty folks here at WTW. Cyber carriers, I think, are recognizing this exposure and have been open to adding this coverage on.
JESSICA RASULO: Yeah, I do think that's one where we certainly can continue to drive the industry and make sure they're talking across lines as I have seen certain-- even ISO exclusions pop up on the GL. And certainly, it's an area that deserves conversation because it's a new exposure, but it's an exposure that exists and making sure that we are aligned and where it most appropriately goes and where there can be components from both. Where certainly intentional primacy of coverage is considered.
JASON KRAUSS: Yep. Yeah, and look, tying in with that, there is an enhancement that's available for coverage for first and third party property damage resulting from a cyber incident. Again, you could have the same conversations here. We always talk about the crane incident. Crane operation goes awry after a cyber attack. Crane falls over property damage and potentially bodily injury damage ensues. Is that possible? Maybe, right?
So anyway, this sort of exposure is something that I think markets have recognized. And again, like Jess says, more coordination needs to be done with our property folks. A couple of other expansions to mention-- there's coverage available for privacy claims alleging a privacy incident due to drone usage. Potential privacy incident could result from drone usage.
We have seen the expansion of the computer system definition to account for BIM, third-party hosted sites and design software that are this type of software typically used by those in the construction industry. And then I will say that there is also some coverage available for downstream contractual penalty coverage due to a business interruption incident, which should include security incidents, system failures, and either voluntary or regulatory shutdown.
These are just some of the enhancements that are available. Again, we've negotiated some of these coverages with a number of markets that we work with. We're trying our best to make sure most, if not all of the exposures are contemplated.
JESSICA RASULO: Any predictions for the future?
JASON KRAUSS: I mean, look, along the lines of what we were just saying, I do think there's going to be more coordination between different lines of coverage. And I think there will be more clarity when it comes to determining which policies should pick up which exposure. And I think, again, going back to AI, I'd like to think we're going to get our heads around that as this technology evolves and determining, again, what type of risks are out there due to the use of AI and just making sure that organizations are protected from these new risks.
JESSICA RASULO: Well, I applaud and appreciate your positivity around the predictions because I think this is actually an area where it's easy to go dark. I mean, we've seen a lot of movies around that, and I think that's actually a very practical approach and certainly also, a field map for us for what we need to do. It's relying upon us driving those things.
JASON KRAUSS: Yes, absolutely. Look, it's an interesting industry to be in. Cyber insurance constantly changing, still evolving. There are things in the news every day and these new events are impacting how coverage is evolving.
JESSICA RASULO: For sure. Well, Jason, I appreciate you taking the time to come on today and talk about this. It is certainly something that impacts all of us daily and also a topic that we can certainly all come back and discuss again in the not too distant future. And we're sure to have some new components to it. So thank you very much.
JASON KRAUSS: Thank you for having me. Appreciate it.
JESSICA RASULO: And thank you to all of our listeners. And please join us again for the Construction Blueprints Podcast.
SPEAKER 2: Thank you for joining this podcast from Willis, a WTW company featuring the latest thinking and perspectives on people, capital, climate, and risk in the construction industry. For more information, visit wtwco.com. WTW offers insurance-related services through its appropriately licensed and authorized companies in each country in which WTW operates.
For further authorization and regulatory details about our WTW legal entities operating in your country, please refer to our WTW website. It is a regulatory requirement for us to consider our local licensing requirements. The information given in this podcast is believed to be accurate at the date of publication. This information may have subsequently changed or have been superseded and should not be relied upon to be accurate or suitable after this date.
This podcast offers a general overview of its subject matter. It does not necessarily address every aspect of its subject or every product available in the market. And we disclaim all liability to the fullest extent permitted by law. It is not intended to be, and should not be used to replace specific advice relating to individual situations, and we do not offer and this should not be seen as legal, accounting, or tax advice.
If you intend to take any action or make any decision on the basis of the content of this podcast, you should first seek specific advice from an appropriate professional. Some of the information in this podcast may be compiled from third party sources we consider to be reliable. However, we do not guarantee and are not responsible for the accuracy of such. The views expressed are not necessarily those of WTW. Copyright 2025. All rights reserved.