
Increasing ransomware attacks call for contractor cyber resilience

Tara Albin and Michelle Chia

ORLANDO – Cyber resilience is critical for contractors, especially with the resurgence of ransomware attacks and as hackers start to exploit weaknesses in artificial intelligence, insurance experts say.

Multifactor authentication, employee cyber training and incident response plans are among the controls that contractors should put in place, these experts said during a session Monday at the IRMI Construction Risk Conference in Orlando.

Contractors should also review their reliance on vendors, sub-contractors and third parties and use contracts as a way to mitigate cyber risks, they said.

Ransomware attacks are huge and not going away, said Tara Albin, Chicago-based director, Midwest region cyber leader, at Willis Towers Watson PLC.

“We’re starting to see an uptick again. It doesn’t help that we’ve got two wars going on in the world and sympathizers that are on both sides, with all countries involved,” Ms. Albin said.

“Not a week goes by when one of our clients does not call us and say, ‘I think we’ve got a ransomware attack,’” she said.

Back in 2017 and 2018, threat actors were demanding ransoms of about $20,000, said Michelle Chia, New York-based head of professional liability and cyber for Zurich North America.

“Ransom demands are on average in the millions right now,” Ms. Chia said. “Typically, it’s in the $5 million range, but for a large or medium org the ransom demands get up to $70 (million) or $100 million,” she said.

Whether to pay a ransom demand is a business decision that organizations have to make, Ms. Chia said. Businesses need to consider whether they are going to be able to get a backup running and how much that is going to cost in terms of business interruption, she said.

Large companies such as MGM Resorts International and Caesars Entertainment Inc. are not the only ones getting hit by ransomware attacks, Ms. Albin said. “Small, middle-market companies with close to $400 million in revenue, privately held companies are being hit all the time.”

Having an incident response plan and making sure everybody knows what they’re doing is critical, she said. Cyber policies also give businesses access to extra services provided by insurers that can help them get through and get back up and running, she said.

When it comes to using AI, companies need to have an employee usage policy in place, so everybody knows what is and is not allowed, Ms. Albin said.

“So many times, an innocent employee posts something on ChatGPT to find an answer or do something more efficiently and the content posted puts the company at risk and has huge privacy issues,” she said.

AI is already being exploited by hackers for voice records so they can mimic the voice of a CFO to carry out social engineering attacks such as fraudulent wire transfers, Ms. Albin said.

Publicly available AI that employees shouldn’t be using to do their particular job is being deployed by some organizations, Ms. Chia said. A recent case where an attorney used ChatGPT to write some of his briefs led to him being disbarred, she said. “That should not be done,” she said.

Private AI, in which organizations work with another company to develop AI specifically for their organization to improve efficiency, may bring great benefits and is not as big of a privacy or security concern, Ms. Chia said.

Having an AI policy in place that dictates when employees are permitted to use AI and what risks an organization is taking on by using generative AI is important, she said.