
Cyber Losses Are Hitting Design Firms Now (A Practical Advisory)
Promark Partners Insurance Services, March 2026
Over the past week, we have seen a series of cyber incidents affecting design and professional service firms that serve as a clear reminder: cyber risk is no longer theoretical, and it is not limited to large organizations with complex systems.
One firm experienced a ransomware attack severe enough to shut down operations entirely. Another was persuaded, over the phone, to transfer $50,000 to a fraudulent party posing as a trusted contact. A third unknowingly paid $75,000 due to manipulated invoice instructions that appeared legitimate. Each of these events occurred in otherwise well-run organizations, and none involved particularly sophisticated technical vulnerabilities.
What these incidents share is not a failure of technology, but a breakdown in process and trust.
Cybercriminals have shifted away from traditional “system hacking” and instead focus on exploiting how firms operate day to day. They monitor communications, learn workflows, and insert themselves at the precise moment when money is about to move. In many cases, they do not need to breach a network in a dramatic way. A compromised email account, or even carefully crafted impersonation, is enough.
The most concerning trend is how convincing these interactions have become. Requests to update payment instructions or release funds often come from what appears to be a known vendor or client. Increasingly, they are reinforced with phone calls that create urgency and remove hesitation. Staff members, acting in good faith and under time pressure, follow instructions that seem entirely reasonable in the moment.
For design firms, this exposure is particularly acute. The nature of project-based work, reliance on consultants and vendors, and frequent movement of funds create multiple opportunities for interception. Payment processes are often handled by trusted employees who are accustomed to moving quickly to keep projects on track. That efficiency, while necessary, can also create vulnerability if verification protocols are not firmly in place.
The good news is that these losses are largely preventable, but prevention requires deliberate structure. The single most effective control we continue to see is independent verification. Any request involving a change in payment instructions or transfer of funds should be confirmed using a known, trusted contact method, not the information provided in the request itself. This simple step alone can stop the vast majority of fraudulent transactions.
Equally important is ensuring that no single individual has unilateral authority to move funds without oversight. Dual authorization, even at relatively modest thresholds, introduces a pause point that allows questionable transactions to be identified before they are completed. These controls are not about slowing down operations; they are about protecting them.
Technology still plays a role, but it is not a complete solution. Multi-factor authentication, active monitoring of email accounts, and involvement from competent IT professionals are essential baseline protections. However, even well-secured systems cannot fully prevent social engineering. That is why staff awareness remains critical. Employees should be comfortable questioning unusual requests, even if they appear to come from leadership or long-standing partners.
Ransomware, while different in execution, underscores a related issue: resilience. Firms that suffer the most disruption are often those without reliable, tested backups or a clear recovery plan. The ability to restore systems quickly can mean the difference between a temporary interruption and a prolonged shutdown.
Insurance is frequently viewed as a backstop for these risks, but it is not a substitute for internal controls. Many policies include sublimits for funds transfer fraud that are significantly lower than the potential loss. In addition, coverage can be impacted if agreed-upon procedures are not followed or if incidents are not reported in a timely manner. We have seen situations where firms assumed they were protected, only to find that key aspects of a loss fell outside the scope of coverage.
What is most striking about the recent incidents is how quickly they unfolded. These were not prolonged attacks that developed over weeks or months. In each case, the critical moment (the transfer of funds or the encryption of systems) occurred within a very short window. Once that moment passes, recovery becomes significantly more difficult.
For professional service firms, the takeaway is straightforward. Cyber risk is now an operational risk, not just an IT issue. It intersects directly with financial controls, employee decision-making, and day-to-day business processes. Addressing it effectively requires attention at both the leadership and staff levels.
The firms that are best positioned are not necessarily those with the most advanced technology, but those with clear procedures, consistent verification practices, and a culture that supports careful decision-making, even under pressure. The events of the past week are not outliers. They are representative of what is happening across the industry. Taking steps now to review internal processes, reinforce controls, and ensure appropriate insurance alignment is not just prudent; it is necessary to protect the continuity of the business.
