Cyber Criminals Scam Construction Firm Out of Cash

Posted on November 29, 2019 by Marijana Dabic

Compared to many other industries, construction companies have been slower to take up cyber insurance. Because they typically don’t hold large amounts of sensitive data and aren’t solely reliant on their computer systems to carry out their business operations, construction companies don’t often believe that they are overly exposed to cyber risk.

Nevertheless, even if a business doesn’t hold vast quantities of data or isn’t wholly dependent on their systems to function, it is still likely that the business in question has some form of cyber exposure. Most modern businesses will hold some data on employees and third parties, use email to communicate with customers and suppliers, and use business bank accounts to receive and disburse funds electronically.

The construction sector is no different, and one area where they are particularly exposed is funds transfer fraud. Most construction companies will regularly work with suppliers and subcontractors to carry out their projects, and these partners will usually invoice the construction firm for the goods and services provided. If the company pays these invoices electronically, then they can fall prey to cybercriminals who are constantly looking for opportunities to intercept these payments and divert them to fraudulent accounts.

One of our policyholders affected by such a loss was a small construction firm with revenues below $50 million. The business specializes in commercial construction projects, ranging from office buildings to warehouse units and regularly makes use of specialist subcontractors to assist with projects.

Digging for login credentials

The scam all began when an employee fell for a credential phishing email. Credential phishing emails are used by malicious actors to try and trick individuals into voluntarily handing over their login details, typically by directing them to a link that takes them through to a fake login page.

In this case, the employee received an email purporting to be from Microsoft which stated that in order to implement some urgent new security features on his Office 365 account, he would have to verify his account details by clicking on an attached link. Not wanting to miss out on these new features, the employee clicked on the link and inputted his email login details. However, despite the email appearing to come from a legitimate source, the employee had unwittingly handed his credentials to a fraudster.

To make matters worse, the construction firm had not enabled multi-factor authentication on staff email accounts, so the fraudster was able to use the credentials to access this employee’s email account remotely. This allowed the fraudster to monitor communications to and from the account and gain valuable information about the nature of the policyholder’s business and the employee’s role within it.

The employee whose email account had been compromised was one of the firm’s project managers. As part of his role, he regularly liaised with subcontractors and they would often send invoices over to him, which he would then pass to the finance department for payment. As it happened, a few weeks after the fraudster had gained access to the inbox, an email was sent over to the project manager from the managing director of a firm that had been subcontracted by the construction company to carry out some structural steel fabrication work on a project. The email had an invoice attached for a month’s worth of work done on the project, amounting to $93,425. Having spotted an opportunity, the fraudster chose this moment to strike.

Fraudster hammers out a plan

The first step was to set up a forwarding rule in the project manager’s email account. Forwarding rules are settings that can be applied to an email account which ensure that emails that fall within certain criteria are automatically forwarded to a specific folder or to another email account. In this case, the fraudster set up a forwarding rule that meant that any emails that featured the steel fabrication firm’s genuine domain name were immediately marked as read and sent directly to the account’s deleted items folder.

The next step was to set up an email address impersonating the managing director of the steel fabrication firm. In order to do so, the fraudster created an email address which, to the untrained eye, was exactly the same as the managing director’s, but crucially omitted one character from the domain name. So rather than reading Joe.Bloggs@ABCfabricators.com, it read Joe.Bloggs@ABCfabicators.com.

The final step was to send an email to the project manager. In the email, the fraudster explained that the firm had recently changed banks and that the previous invoice had mistakenly included the old account details. The email went on to say that the new bank account details could be found on the new invoice attached to the email and that the construction firm should update its records so that all current and future payments went to the correct account.

The fraudster had used exactly the same invoice template as before, including the same company address, logo and statement of work, with the only amendment being the bank account details. In order to give the email an added sense of authenticity, the fraudster took the original email that had been sent by the subcontractor to the project manager and forwarded it on to the fake email account. The fraudster then replied to this original email when sending the fraudulent email to the project manager, making it appear as though it was part of the original email chain.

Missed verification opportunity

With the email forming a part of the original email chain and coming from a seemingly identical email address, along with the exactly the same invoice template, the project manager never doubted the legitimacy of the request. Assuming that the change of account was valid, the project manager sent the amended invoice over to the finance department for processing.

In theory, it was at this point that the scam should have been thwarted. The construction firm had previously sent out an email to staff regarding the verification of account changes, stating that all requests for account changes should be followed up with a call to an individual at the company requesting the changes to confirm that everything is in order. If this verification procedure had been carried out, it’s unlikely that the fake invoice would have been paid. Unfortunately, the member of the finance department dealing with the request failed to carry out this procedure and updated the bank details, resulting in the full $93,425 being transferred to the fraudulent account.

It was only when the managing director of the steel fabrication firm called up the project manager, several weeks later, to inquire about the status of the payment that the scam was uncovered. Both the banks involved and local law enforcement agencies were informed about the loss, but by this point it was too late and the funds had already been transferred out of the fraudulent account. With the funds deemed unrecoverable and the steel fabrication firm still expecting payment, the construction firm had little choice but to pay the invoice for a second time, resulting in a significant loss to the business. Thankfully, however, the construction firm was able to recoup the funds under the cybercrime section of its cyber policy with CFC.

Smarter criminals and other key takeaways

This case highlights a few key points. Firstly, it shows just how skillful cybercriminals are becoming at parting businesses from their money and how difficult it is for businesses to spot a fake.

In this case, the fraudster managed to successfully impersonate Microsoft and manipulate the project manager into volunteering his email login details; set up a forwarding rule to prevent any emails from the real subcontractor reaching the project manager and jeopardizing the scam; set up a fraudulent email address that was virtually identical to the genuine subcontractor’s; make it look as though the fake email sent to the project manager was part of the original email chain; and send over an identical invoice template to the one used by the genuine sub-contractor.

Secondly, it illustrates how human error plays a major role in cyber losses. Many organizations don’t think they need to purchase cyber insurance because they believe they have the IT security and risk management procedures in place to prevent a cyber loss. But as with so many cyber-related events, this loss stemmed from human error and it’s very difficult for any business to eliminate this risk entirely. The fraudster was able to compromise the email account because the project manager fell for a sophisticated credential phishing scam, and the funds were successfully intercepted because an employee in the finance department failed to carry out a verification procedure.

Finally, it highlights how almost all modern businesses have some form of cyber exposure. Even though the policyholder in this case was a construction firm that didn’t solely rely on its computer systems to carry out its business operations, the company still used emails to communicate with subcontractors and made payments electronically. All it took was for just one email account to be breached for the business to be defrauded out of $93,425. But by having a cyber insurance policy in place, the company was able to successfully recover the loss, illustrating the value that cyber insurance can bring to any modern business.

Source: www.cfcunderwriting.com

Cyber Risk Heat Map

Posted on November 18, 2019 by Marijana Dabic

When speaking to clients about cyber insurance, it’s important to focus on areas that are relevant to the industry in which they operate.

Cyber insurance has a long reputation as a privacy liability product for businesses that hold sensitive data – but privacy exposure isn’t the only risk facing businesses today. In fact, cybercriminals are increasingly targeting traditional industries that hold almost no sensitive data at all, whether through ransomware attacks that halt operations or business email compromise scams that result in wiring payments to fraudulent accounts.

CFC’s cyber risk heat map was built from data relating to 2,500 cyber claims they have dealt with in the last two years as well as trends that their incident response team is witnessing externally. This color-coded graph ranks the severity of different industries’ exposure to business interruption, privacy, and cybercrime and includes a few examples of how these exposures can play out for different types of organizations.

Click here to download the infographic

Source: www.cfc.com

Traditional versus Project Insurance

Posted on October 29, 2019 by Marijana Dabic

Large construction projects create a mosaic of risks for all project participants—owner, architects, engineers, manufacturers, vendors, and contractors. In the standard form agreements for construction, the owner attempts to shift the risk to the construction manager/general contractor (CM/GC) via various provisions, including indemnification, consequential damages, cost, and schedule, just to name a few.

Despite this attempt to transfer the risks of the project contractually to third parties, the owner still may be liable for certain risks: extra hazardous operations, claims arising in common areas, owner-provided equipment, owner-retained contractors, or owner-provided design, assuming safety responsibilities or other liabilities or obligations in the construction agreement and vicarious liability arising out of the operations of the contractors.

Certain risks on the project are insurable, and the construction agreement requires the CM/GC and their subcontractors to provide certain insurance coverages and a certificate of insurance evidencing that the stated coverages are in force. This approach of having the CM/GC and all subcontractors provide the required insurance is often referred to as the “traditional insurance” approach and is used in many construction projects.

However, larger construction projects, generally over $50 million on commercial projects and $10 million-plus on “for sale” residential projects, lend themselves to be considered for insurance coverage on a project-specific basis, otherwise known as “wrap-up” insurance. Insurable risks that are commonly considered for project-specific coverages include the following.¹

Commercial general liability and umbrella or excess liability
Workers compensation
Contractor’s pollution liability
Professional liability

The following advantages of project-specific coverage over traditional insurance are well documented.

Sponsor retains first-named insured status and more direct control over claims process
Completed operations extension or “tail” coverage (GL/XS/CPL/PL)
Higher catastrophic insurance limits
Broad coverage terms
Increases the size of the pool of bidders
Increased scrutiny on safety
Reduced internal time and expense devoted to insurance compliance
Potential for cost savings of the insurance line item by bundling the insurance spend of all the parties

Routinely, an owner is faced with two options to access the advantages of project-specific insurance coverages: the owner can purchase, or “sponsor” the coverage, known as an owner controlled insurance program (OCIP); alternatively, the CM/GC can purchase the coverage, known as a contractor controlled insurance program (CCIP). For purposes of this article, we will be limiting the discussion to OCIP versus CCIP insuring workers compensation and/or general liability/excess liability coverages.

OCIP versus CCIP—an Owner’s Perspective

Many midsized and large contractors have established CCIP programs, and it is common for them to propose utilizing their CCIP coverage for large projects.² This is a good thing; it provides the owner with the options of relying on traditional insurance, purchasing an OCIP, or paying the CM/GC to provide the project-specific insurance coverage via a CCIP.

Once the owner’s chief financial officer or risk manager becomes aware of the capital project, it is quite common for them to engage their insurance broker or a consultant to prepare a financial pro forma to determine the extent of potential cost savings by sponsoring an OCIP. Routinely, the pro formas generate significant savings to the owner by assuming a large deductible or self-insured retention and controlling the claims expense; however, the owner should be cautious, relying on the projected savings as there are many variables and assumptions that go into the pro forma. This is particularly relevant if the owner is comparing the costs and savings in the OCIP pro forma to the cost of a CCIP.

Ideally, both parties (the owner’s broker or consultant and the CM/GC) will provide OCIP/CCIP cost estimates based on the same set of data, which can either be provided by the owner’s broker or consultant or the CM/GC.

Project description
Desired lines of coverage and limits
Project term (estimated start/end dates)
Project budget
Workers compensation payroll by workers compensation code

By having both the owner and the CM/GC provide pricing based on the same data set, it will enable the owner to evaluate the costs of both OCIP and CCIP on a consistent basis.

Advantages of a CCIP versus OCIP—an Owner’s Perspective

Bifurcation of construction risks. To me, this is the leading reason to consider project-specific insurance. Because an OCIP or CCIP insures all contractors and the owner under a single policy, it allows the owner to insulate its corporate insurance program from losses arising out of construction operations, which can prevent adverse loss experience arising out of the construction project from driving up insurance rates on its core business. The CCIP accomplishes this bifurcation of construction risk.

Expertise. Owners with large capital expenditure (CapEx) programs may have sponsored OCIPs in the past or may have a “rolling” OCIP program for their CapEx program. However, there are many other owners that build a large project every several years and have limited experience with OCIPs. Internally, they may not have the expertise to evaluate, implement, and manage an OCIP; whereas, the contractor deals with construction risk every day and likely has robust risk management programs and personnel experienced in implementing and administering their CCIP. A common contractor sentiment is “if I have the risk, I should be able to purchase my own insurance to protect my risk.”

Resources. Owners have indicated to me on numerous occasions that, while they are attracted to the potential cost savings of an OCIP, their staff is lean and they lack the capacity to administer an OCIP. While the insurance broker or OCIP administrator provides many of the transactional services of marketing the insurance coverages, providing program documents, enrolling subcontractors, and collecting certificates of insurance and monthly payroll reports, the owner retains certain responsibilities as the sponsor of an OCIP, often within the owner’s risk management department.

Selection of broker and/or OCIP administrator
Gather and provide underwriting information required to obtain the quotes
Review and approve OCIP documents prepared by the broker and/or administrator: underwriting submission, quotes, OCIP contractual addendum, and OCIP manual
Select insurer, coverages, and limits of coverage
Execute any legal agreements with insurer and post collateral, typically a letter of credit (LOC), if applicable
Review periodic OCIP reports
Review claims loss runs and participate in claims meetings
Make claims settlement decisions

If the contractor has experience sponsoring CCIPs, especially if they have a “rolling” CCIP insuring multiple projects, they have established protocols and experienced risk management and field personnel to manage all aspects of the program.

Collateral requirements. As mentioned above, if the OCIP is written with a large deductible program ($250,000–$500,000 each occurrence is common), the insurer will require the sponsor to post a clean, irrevocable LOC to securitize that claims obligation. If the sponsor does not reimburse the insurer for paid claims, the insurer can present the LOC to the owner’s bank and draw down on the LOC. While LOCs have a cost element (typically .75–1 percent annual rate on the amount of the LOC), the important item to note is that the LOC obligation will likely remain in force by the insurer, generally through the statute of repose, which can be 5–12 years after substantial completion, depending on the state. In the case of a CCIP, the CM/GC holds this obligation.

Upfront insurance premiums. As a sponsor of an OCIP, you will be responsible for paying certain costs upon binding coverage. Typically, the primary insurance coverage will have a deposit premium (25–40 percent), with the remaining balance spread throughout the project. Excess/umbrella insurance coverages are typically paid 100 percent upon binding, and the broker/administrator typically requires an initial installment as well. The CM/GC will also require a payment for the CCIP coverage, sometimes 100 percent upon binding coverage, or it may be spread out as the work is billed.

Known insurance costs. For the lines of insurance provided by the CCIP, the cost of the CCIP is known at the beginning of the project. CMs/GCs typically charge for the CCIP on a percent of construction costs (e.g., 2.5 percent of contract value).³ In addition, if the payroll estimates in the pro forma were lower than the final audited payroll, the owner may be subject to additional premium⁴—the CM/GC bears this risk under a CCIP.

Drawbacks of a CCIP versus OCIP—an Owner’s Perspective

Loss of first-named insured status. As a sponsor of an OCIP, the owner attains first-named insured status on the general liability/excess or umbrella liability policies. In contrast, some CCIP sponsors and some insurers limit the owner to additional insured status. Their biggest concern is that they do not want the CCIP to inadvertently insure the operations of the owner (e.g., manufacturing or hospital operations) under the OCIP. Suffice it to say, in the event the owner is listed as an additional insured, it must be satisfied that the language in the additional insured endorsement provides it with an adequate mechanism to attain protection under the CCIP.

Speaking of “insureds,” It is also important for an owner to confirm that there is no “insured versus insured” or “cross-liability” exclusion on the CCIP. This provision, which prevents one insured from suing another insured, is common on wrap-up programs, particularly those placed in the excess and surplus lines market, and may prevent the owner from suing the CM/GC. Some of the endorsements restrict “named insureds” from suing other “named insureds” and other versions restrict suits between any insured under the policy. In either case, if requested, the underwriters will typically carve out an exception to the exclusion by allowing cross-suits between the owner and CM/GC.

Indirect involvement in claims. OCIPs can be an effective tool for owners to address liability claims that arise from members of the public. Because the programs often have large deductibles, the owner has input in the claims settlement process, particularly when the value of the claim falls within the deductible. Municipalities, healthcare facilities, universities, and others with a sensitivity to public liability exposure prefer more direct involvement in the claims process. In contrast, when the project is insured under a CCIP, the CM/GC is the party directing the claims and has the financial incentive to minimize claims payments.

Project with multiple CM/GCs. If the project utilizes a multiprime delivery model or involves multiple CM/GCs, an OCIP lends itself better to drive consistent insurance coverage, administrative protocols, and claims management across the entire project.

CCIP may cost more than an OCIP or traditional coverage. The cost of the CCIP, established between the owner and CM/GC, may cost more than an OCIP or traditional insurance. In most cases, the OCIP cost is not known until the end of the project because the two greatest variables in the savings formula are the amount of insurance credits or deductions from the GC/CM and subcontractor bids along with favorable claims experience. Of course, if either of these elements is deficient, the OCIP can cost more than a CCIP or traditional insurance.

Additionally, the cost of the CCIP may include an array of services such as an on-site medical trailer, claims management services, CCIP administration, and internal administrative time, which may not be fully accounted for in an OCIP pro forma.

Loss of statutory immunity. In certain states, there is established case law that a sponsor of an OCIP (i.e., the owner) enjoys statutory immunity protection from civil claims from employees of contractors insured under the OCIP. This owner benefit is negated under a CCIP.

Loss of completed operations coverage. One of the greatest coverage benefits of an OCIP or CCIP is the dedicated single limit and the extension of time the general liability and excess/umbrella policies will insure bodily injury and property damage included in the products-completed operations (PCO) hazard, typically out through the statute of repose. This is accomplished via a completed operations extension endorsement, or it may be included in a wrap-up endorsement on the policy.

Each insurer has specific language in their policies that address when the coverage is effective and under what conditions the coverage is void. Common terms that void the PCO coverage extension include (varies by insurer) the following.

The policy is canceled or nonrenewed for any reason prior to the policy expiration date.
There is a failure to pay premiums, audits, or deductible losses when due.
The work is not complete or abandoned prior to the policy expiration date.
There is a material misrepresentation by the sponsor.
There is a failure to comply with loss control recommendations or peer reviews.
There is a failure to provide requested enrollment documentation.

These same exclusions are also commonly found in OCIP policies. However, in an OCIP, the owner has control over these variables. In the case of a CCIP, the owner has limited control and may be surprised if the PCO is canceled. If the PCO coverage is canceled, either due to one of the conditions stated on the policy or the CM/GC is replaced with another CM/GC, it will be very difficult to find an insurer to assume the PCO liability during the middle or the end of a construction project.

It is suggested that the reasons for cancelling the PCO extension be minimized and that the owner requires the CM/GC to warrant that the CCIP coverage remains in force both during construction and during the PCO extension period. The owner will also be well served by requiring the CCIP policies are endorsed to provide 30- or 60-days’ notice to the owner for nonpayment or cancellation.

Conclusion

Owners should weigh all available options available to them to ensure the risks arising out of construction projects are adequately protected. Project-specific insurance coverage, OCIP or CCIP, offers many coverage benefits over the traditional approach of having the CM/GC and subcontractors providing their respective insurance protection. Either OCIP or CCIP allows the owner to bifurcate its construction risk away from its core insurance program loss experience.

A CCIP affords the owner the opportunity to capture many of the protections of project-specific coverage without the internal time, expertise, expense, and resources required to administer an OCIP. That said, owners should also be aware of the drawbacks to the CCIP approach and address insurance coverage concerns during the decision process.

¹Builders risk insurance is also commonly written on a project-specific basis.

²The owner will sometimes request the CM/GC provide pricing for a CCIP as part of their proposal to construct the project.

³The cost of the CCIP varies by contractor, on the services provided, premiums, the state in which the project is located, limits, and project type.

⁴The OCIP insurer may offer a guarantee not to charge additional premium if the audited payroll is no greater than 10 percent of the payroll used to calculate the deposit premium.

Source: www.irmi.com

Is Cyber Insurance Right for Your Business?

Posted on October 18, 2019 by Marijana Dabic

Have you considered cyber insurance for your business? Here are a few reasons why it might be smart to do so.

Cyber insurance is finding its way onto the agendas of businesses everywhere, but it’s still a relatively misunderstood class of insurance. Because of this, many companies find themselves confused about how cyber insurance actually works and are skeptical about whether it makes sense for their business to purchase a policy. We hear you. In an effort to answer some of your big questions and put your concerns to rest, here are six big reasons why buying a standalone cyber policy may be a smart decision for your business.

You get cybersecurity tools and support, for freeFor most small-to-medium sized businesses, having a robust in-house IT security team isn’t always possible, or even necessary. But this can leave you without a place to turn in the event that the worst does happen. Would you know what to do if you walked into the office one morning and your systems had been disabled? Cyber insurance is a highly cost-effective way to gain access to the support you need in order to both prevent and respond to cyber events.Most cyber policies come with a number of proactive risk management tools, such as employee cybersecurity training programs, which help reduce successful phishing attacks, and dark web monitoring, which scans the dark web for signs that data relating to your business has been compromised. Most importantly, when it comes to responding to a cyber event, a good policy will give you access to IT experts, forensic specialists, PR firms, lawyers, and more, and often with a nil deductible.
Over half of all cyberattacks are aimed at small-to-medium sized businessesWhile the headlines focus on major security breaches at major companies, over half* of all cyber attacks are aimed at small businesses. What you don’t often hear about is the local law firm that mistakenly transfers $100,000 to a fraudster after being duped by a social engineering scam or the doctor’s office unable to use their computer systems for days because of a destructive malware attack. Just because events like these aren’t reported in the mainstream media doesn’t mean they aren’t happening.Cybercriminals see smaller organizations as low hanging fruit because they often lack the resources necessary to invest in IT security or provide cybersecurity training for their staff, making them an easier target.
Your employees will probably click on something they shouldn’tApproximately three quarters of the cyber claims we deal with involve some kind of easily-preventable human error. Theft of funds, ransomware, extortion and non-malicious data breaches usually start with a human error or oversight such as clicking on a phishing link, which then allows cybercriminals to access your systems from the inside.The fact remains that humans are the weakest link in the cybersecurity chain no matter how hard we try. Cyber insurance is a cost-effective way to not only get access to risk management tools like phishing-focused employee training programs, but also to cover the financial loss if someone makes a mistake.
You aren’t covered under other lines of insuranceCyber cover in traditional lines of insurance often falls very short of the cover found in a standalone cyber policy. Property policies were designed to cover your bricks and mortar, not your digital assets; crime policies rarely cover social engineering scams – a huge source of financial losses for businesses of all sizes – without onerous terms and conditions; and professional liability policies generally don’t cover the first party costs associated with responding to a cyber event.So, while there may be elements of cyber cover existing within traditional insurance policies, it tends to be only partial cover at best. A good standalone cyber policy, on the other hand, is designed to cover the gaps left by traditional insurance policies, and importantly, comes with access to expert cyber claims handlers who are trained to get your business back on track with minimum disruption and financial impact.
Cyber insurance covers far more than just data privacyTwo of the most common sources of cyber claims we see aren’t related to privacy at all – funds transfer fraud is often carried out by criminals using fraudulent emails to divert the transfer of funds from a legitimate account to their own, while ransomware can cripple any organization by freezing or damaging business-critical computer systems. Neither of these types of incidents would be considered a data breach, but both can lead to severe financial damage and are insurable under a cyber policy.Many businesses think that cyber insurance won’t be useful to them because they don’t collect sensitive data. However, more than 50% of our cyber claims come from events unrelated to breaches of privacy, and any business that uses technology to operate will have a range of other cyber exposures which a cyber policy can address.
Cyber insurance pays more claims than any other type of insuranceCFC has paid more than 1,500 cyber claims in the last 12 months, a number that eclipses previous years and is steadily growing, and the vast majority of these are from small and medium sized business. The industry as a whole is showing similar trends and low declinature rates. In fact, it was recently revealed that 99% of cyber insurance claims were paid in 2018, which means cyber has one of the highest claims acceptance rates across all insurance products.**Information like this shows that cyber policies are doing what they set out to do, which is provide broad coverage for a range of technology and privacy-related risks affecting modern businesses, all backed up by proactive risk management and expert incident response and claims handling.

Source: www.cfcunderwriting.com

Builders Risk: Minimizing Uncertainty at Bid Time

Posted on September 30, 2019 by Marijana Dabic

At the bid preparation stage, contractors often do not have full information on the builders risk insurance that will be provided by the project owner. The insurance requirements may be unclear or missing altogether. This often results in misunderstandings down the road. But it does not have to be that way.

The clarity and completeness of builders risk insurance requirements can and do vary considerably. I have encountered bid documents that do not contain builders risk requirements at all. I have also seen builders risk insurance addressed by a single sentence. These are actual examples:

“Owner will provide builders risk coverage.”
“The Owner shall provide property insurance upon the Work, but Contractor is responsible for all deductibles and uninsured losses.”
“Intentionally left blank.”

These examples all have one thing in common: The contractors are left to speculate on what, if any, coverage will be provided to them in the event of damage to the project. This is not a good way to start a project.

On the other hand, the insurance requirements may be complete and each contractor knows what risks are transferred to the builders risk insurer. This removes uncertainty … and any time you remove uncertainty, bid pricing is more favorable for the project owner. (Owners, please take heed.)

Why Aren’t Insurance Requirements Clear?

Insurance requirements may not be clear for two reasons. First, if model contract forms are used (e.g., American Institute of Architects, ConsensusDocs, Engineers Joint Contracts Documents Committee, Design-Build Institute of America), the builders risk provisions may be unclear or lacking to begin with. Many people assume that if a provision is contained in a model contract form, it must be appropriate. This is not true. Depending on circumstances, some provisions may be inappropriate. Other important loss exposures may not be addressed at all.¹

For example, the standard builders risk insurance requirement in one model contract form requires coverage on an “all risks” basis. This is desirable, but in the section that lists the causes of loss that must be covered, there is no reference to ensuing loss exceptions. Many say that the most commonly litigated provisions in builders risk policies are the exclusions applicable to faulty design, workmanship, and materials. The breadth of coverage is very different between a policy that has these exclusions and another that has these exclusions followed by ” … unless direct physical loss or damage by an insured cause of loss ensue and then this policy insures only such ensuing loss or damage.” The latter example has an ensuing loss provision, which is very beneficial to all those entities insured by a builders risk policy.

The second reason for unclear insurance requirements is that the drafter may not have the technical or practical experience necessary to properly structure the requirements. We have all reviewed insurance provisions that are poorly conceived and executed. Enough said.

What Can Contractors Do?

The construction bid process generally provides opportunities for a contractor to obtain clarifications or answers to questions. These are set forth in the bid documents and may include pre-bid meetings or procedures for submitting questions. With private work, a contractor may also qualify its bid to include certain assumptions regarding insurance.

Many contractors wisely seek additional information and answers to their questions. Others may know there are potential problems but hope for the best, and still others are not aware of the issues.

Checklist Tool

It is suggested that contractors compile a builders risk insurance checklist and request the owner to confirm what is contemplated/provided by the builders risk policy. A sample checklist is reproduced below. This template should be customized by the contractor to suit its needs. Regular use of a checklist can minimize uncertainty for all parties and further risk management programs.

	Coverage or Feature	Minimum Requirement/Comments
1	Owner Responsibilities
	Insurer selection	AM Best “A X” or better
	Naming of insureds	Owner, general contractor, subcontractors of all tiers
	Premiums and deductibles	Owner is responsible
	Policy format	Inland marine policy and forms
	Provide copy of policy	Within 60 days of project start
	Policy term	In compliance with the contract
	Partial occupancy prior to project completion	Secure approval of insurer
2	Covered Property	Replacement cost; no coinsurance
	Work at project site	Full contract value and modifications; owner’s supplied property
	Property in transit	Limits to be agreed upon
	Property at off-site locations	Limits to be agreed upon
3	Covered Causes of Loss/Other Features
	“All risks”	Full policy limit
	Wind	Full policy limit
	Collapse	Full policy limit
	Water damage (incl. sewer backup and sprinkler leakage	Full policy limit
	Collapse	Full policy limit
	Faulty design, workmanship, materials (resulting damage)	Full policy limit
	Terrorism	Full policy limit
	Flood	Limits to be agreed upon
	Earth movement	Limits to be agreed upon
	Equipment breakdown	Limits to be agreed upon
	Hot testing	Limits to be agreed upon
	Debris removal	Limits to be agreed upon
	Pollution, mold, fungus	Limits to be agreed upon
	Additional costs due to building laws	Limits to be agreed upon
	Extra expense (contractors)	Limits to be agreed upon
	Waivers of subrogation	In compliance with contracts