Cyber Strike: A First-Hand Account

Eman Wilder, CPIA, CISR, M.ASCE Account Executive – ASCE Member Insurance

It started as an ordinary day.

I work with engineering firms to provide quotes for professional liability insurance, which involves receiving hundreds of daily documents—such as applications and policy declaration pages, among others—via email. That day, a firm I was working with sent me a document as an email attachment. I assumed it was related to their quote request, so I opened it just as I had done before with many others.

What I did not know at the time was that, behind the scenes, the firm’s system had been compromised. The attachment contained a virus. My information technology department was alerted to suspicious activity on my account, and we feared that bad actors had gained access to my system. Most shockingly, from my perspective, nothing appeared out of the ordinary. My email account was locked down, and I was immediately suspended from work while IT investigated the incident. I was stuck wondering how far the breach had spread and whether sensitive client information had been exposed.

Imagine the shock and fear that swept over me as I realized how quickly cyber hackers work. Their online presence is silent. Within seconds, they can infiltrate and potentially destroy what you have built. What struck me most was that this had nothing to do with me personally. I did not click on a suspicious link from an unknown sender or visit questionable websites. I was simply conducting legitimate business with a professional firm.

The Vulnerability We All Face

The feeling of being compromised and exposed lingered even after IT cleared me to return to work later that day. That sense of violation, having your professional integrity questioned, and knowing that your actions could have put others at risk, stays with you.

While no damage was done this time, the experience taught me that cyber risk is real and affects all of us. The cyber liability insurance policies I recommend to my clients not only protect those firms, but also every other person or entity they interact with. When my systems were suspected of compromise, I did not just become a victim; I became a potential vehicle for spreading the threat to the engineering firms I work with in addition to my colleagues, clients, and business partners in my professional network.

Why Engineering Firms Are Prime Targets

The ASCE Cyber Liability Program recognizes that civil engineers face unique cyber risks. Ask yourself the following questions:

• Do you process client fees and payments electronically?
• Do you store project plans and designs digitally?
• Do you rely on email for project updates and client correspondence?
• Do you send and receive attachments and links?
• Do you use a cloud service to store or access project data?
• Do you check on your website for your business?

If you answered yes to any of these questions, you could be a target for cyberattacks. Engineering firms face common threats, including phishing attacks targeting sensitive information, ransomware attacks encrypting project files, data breaches exposing client and project data, and malware infecting systems that can compromise operations.

Comprehensive Protection That Goes Beyond Insurance

The ASCE Cyber Liability Program offers guaranteed coverage, regardless of your risk profile, with several key features^* that address real-world needs:

• Financial Protection: Coverage for financial losses due to cyber incidents, ensuring your firm can recover from direct damages like stolen funds or fraudulent transactions.
• Breach Response Support: Assistance with data breach response, including notification expenses and credit monitoring, because compliance obligations kick in immediately after a breach.
• Business Continuity: Coverage for profit loss and extra expenses due to cyber incidents. Even a day of suspended operations, as I experienced, represents real financial impact.
• Extortion Coverage: Reimbursement for extortion expenses related to threats to release sensitive information, specifically addressing the ransomware epidemic.
• Recovery Assistance: Coverage for costs associated with data and system recovery, because getting back to business often requires forensic investigation and system rebuilding.
• Legal and Regulatory Support: Support for forensic investigations, legal expenses, and regulatory fines, recognizing that compliance costs often exceed direct damages.

Expert Support When You Need It Most

In my opinion, the most valuable benefit of cyber insurance is 24/7 access to cyber risk professionals for risk assessment and management. When a cyber incident occurs, time is critical. Having immediate access to experts who can guide incident response and help make crucial decisions about recovery is invaluable.

The program also includes comprehensive risk management resources to help identify, assess, and mitigate vulnerabilities before an incident occurs—proactive protection that can prevent the fear and disruption I experienced.

The Bottom Line

In the end, no damage was done, but my experience transformed my perspective on cyber insurance. I went from viewing it as simply another policy option to understanding it as essential business protection and a safeguard for everyone in your professional network. The speed at which cyber threats work, the ripple effect they create, and the vulnerability they expose—even when you have done nothing out of the ordinary—make cyber coverage not simply important, but critical.

Do not wait until your business is under attack while you’re scrambling to understand what happened and worried about who else you might have put at risk. Secure the missing piece in your business protection today.

^*Coverage features may vary, and approval is subject to underwriting review. Please refer to the actual policy for complete terms and conditions.