The Growing Cyber Liability Gap in Architects and Engineers E&O Coverage

Design professionals face an escalating threat that many traditional professional liability policies fail to adequately address: cybersecurity risks. As architectural and engineering firms increasingly rely on digital platforms, cloud-based project management systems, and electronic file sharing, they’ve become prime targets for cybercriminals. Many design professionals assume their existing errors and omissions insurance provides sufficient protection against cyber incidents, but significant coverage gaps often exist.

Why Design Firms Are Cybercrime Targets

Many architectural firms mistakenly believe they’re safe from cyberattacks because they don’t consider their data “sensitive” enough to attract criminals. Industry research indicates that this thinking is flawed. Design firms possess valuable assets that extend far beyond typical personally identifiable information.

Design professionals maintain detailed building plans, infrastructure schematics, and expertise in integrating smart components into modern structures. This intellectual property is highly attractive to cyber attackers. Additionally, cybercriminals can use a design firm’s digital connections as a gateway into their clients’ environments, making architectural and engineering firms valuable access points for broader attacks.

Recent industry data reveals the severity of this threat. Approximately 60% of engineering companies have suffered cybersecurity incidents in recent years. The time-sensitive nature of design projects makes these firms particularly vulnerable to ransomware attacks. When ransomware locks a firm out of its files mid-project, clients demand immediate resolution regardless of the circumstances.

The Professional Liability Coverage Problem

Traditional professional liability insurance policies often exclude or provide only limited coverage for cyber-related claims. While E&O insurance protects architects and engineers against claims of negligence, errors, or omissions in professional services, these policies typically don’t address the full spectrum of cyber risks facing modern design firms.

Industry research on professional liability trends indicates that cybersecurity exposure is rising, with more clients requiring cyber insurance coverage. Insurance professionals note that obtaining a dedicated cyber liability policy represents best practice, as professional liability coverage may not fully address these risks.

Standard E&O policies generally cover claims related to design flaws, incorrect calculations, and project delays due to design issues. However, cyber incidents create different types of exposures that fall outside traditional coverage parameters.

Common Cyber Threats Facing Design Professionals

Data Breaches and Unauthorized Access

Unauthorized access to client files and proprietary designs can lead to significant financial losses and reputational damage. Design firms store vast amounts of confidential information across multiple projects simultaneously, creating numerous potential breach points.

Ransomware Attacks

Cybercriminals encrypt project files and demand payment for restoration. Real-world cases include a prominent Seattle design firm held up by ransomware, and another architecture firm that suffered losses exceeding $500,000 in billable hours after ransomware attacks rendered files unusable for days.

Phishing and Social Engineering

Attackers trick employees into divulging credentials or sensitive information. One Maryland architectural firm was deceived into sending its insurance premium payment to a hacker, demonstrating how social engineering attacks result in direct financial losses.

Third-Party Vendor Vulnerabilities

Many firms rely on external software providers and cloud-based platforms. Security vulnerabilities within these services can expose firms to cyber threats beyond their control. Design professionals who transfer data to business associates or cloud storage companies remain responsible for safeguarding that data under most privacy laws.

Types of Claims Not Covered by Traditional E&O

Design professionals often discover their professional liability policies exclude several cyber-related exposures:

First-Party Costs: Traditional E&O policies typically don’t cover immediate costs firms incur following a cyber incident, including forensic investigation, notification services, credit monitoring, data restoration, and business interruption losses. Forty-seven states, the District of Columbia, and the federal government have privacy laws requiring prompt notification when personally identifiable information is compromised. Compliance represents a significant expense not covered by standard professional liability policies.

Cyber Extortion and Ransom Payments: Hackers may threaten to steal data, encrypt networks, or create disruptions unless ransom is paid. Standard E&O policies generally exclude coverage for ransom payments and associated response costs.

Network Security Failures: When cyber-attacks disable or corrupt a design professional’s computer network, operations cease and profits are lost. The resulting business interruption represents an exposure traditional professional liability insurance wasn’t designed to address.

Regulatory Fines and Penalties: Data breaches often trigger regulatory investigations and potential fines under various privacy laws. Professional liability policies typically exclude coverage for regulatory penalties resulting from cybersecurity failures.

The Project Delay and Contractual Challenge

Cybersecurity incidents create unique professional liability exposures through project delays and contractual disputes. According to research from Willis Towers Watson, ransomware and cyberattacks can halt project work, causing missed deadlines and contract breaches.

This creates a gray area where cyber incidents intersect with professional services. While a design professional didn’t commit a traditional error in their design work, the cyber incident prevents them from delivering services according to contract terms. Some professional liability policies may provide limited coverage if the breach directly impacts professional services delivery, but this coverage is often inadequate.

Project owners increasingly recognize cybersecurity risks and now require design professionals to carry dedicated cyber liability insurance as a condition of contract awards. This trend is particularly evident in large commercial projects, public infrastructure work, and projects involving sensitive data. The 2017 AIA Insurance and Bonds Exhibit provided the option of requiring cyber security insurance, and many owners are now making cyber coverage mandatory rather than optional.

What Dedicated Cyber Insurance Covers

Comprehensive cyber liability insurance addresses the gaps in traditional professional liability coverage:

First-Party Coverage typically includes forensic investigation costs, legal expenses for determining notification requirements, breach notification services and credit monitoring, data restoration expenses, business interruption losses, cyber extortion and ransom payments, and public relations costs to manage reputational damage.

Third-Party Coverage provides liability protection for claims by clients or other parties alleging damages from unauthorized disclosure of confidential information, failure to protect personally identifiable information, regulatory defense costs and certain fines, and damages arising from network security failures.

The Insurance Market and Risk Management

According to Willis Towers Watson’s analysis of the architects and engineers insurance marketplace, the cyber insurance market shows signs of stabilization after several years of significant rate increases. Design firms with proper cybersecurity protocols have seen more favorable renewal terms, though underwriting scrutiny remains elevated.

Industry research indicates that carriers continue monitoring cyber exposures closely as the full impact of technology dependencies and emerging risks remains uncertain. Insurers increasingly differentiate between firms demonstrating strong cybersecurity governance and those with weaker controls, with pricing reflecting this risk assessment.

Design professionals can strengthen their cybersecurity posture through several key practices: implementing comprehensive cybersecurity policies following frameworks like the National Institute of Standards and Technology Cybersecurity Framework, conducting employee cybersecurity training, maintaining current antivirus software and security patches, using multi-factor authentication, establishing secure file-sharing protocols, conducting annual incident response exercises, vetting third-party vendors for adequate security, and documenting all cybersecurity policies for insurance underwriting purposes.

Risk management experts recommend that firms develop a defensible cybersecurity strategy that provides a framework for creating a more cyber-resilient organization and helps develop a validated, auditable response to the question: “How does your firm manage cyber risk?”

Conclusion

The cyber liability coverage gap in architects and engineers E&O insurance represents one of the most significant emerging risks facing design professionals. Traditional professional liability policies provide essential protection against claims of negligence, errors, and omissions, but they were not designed to address the full spectrum of cybersecurity exposures confronting modern design firms.

As clients increasingly require cyber coverage, regulatory requirements expand, and cybercriminals continue targeting the design profession, obtaining dedicated cyber liability insurance has become a critical component of comprehensive risk management. Design professionals who proactively address this coverage gap position themselves for better protection and competitive advantage in a marketplace where cybersecurity capabilities are becoming a differentiating factor in client relationships and project awards.

About PDI

PDI is an Indianapolis-based wholesale brokerage firm with a national network that includes thousands of insurance agents, brokers, architects, engineers and contractors in all 50 states. Since PDI’s beginning in 1980, we’ve handled a single line of coverage: errors & omissions (E&O) for design professionals. Contact us today for a review of your design client’s insurance program.