Jason Kosek is a shareholder with New York City-based law firm Anderson Kill. He assists clients in issues including insurance coverage, regulatory, FCPA, labor law, negligence, nuisance, trespass, products liability and breach of contract, and acts as outside general counsel to several construction companies. Opinions are the author’s own.
Cybercriminals are increasingly targeting construction firms, drawn by large financial assets and tight project timelines, rendering both large and small projects vulnerable. Notable attacks — such as the ransomware attacks on Bouygues Construction in France, where 200 gigabytes of data were locked in Jan. 2020, according to Le Monde Informatique, and against Canada’s Bird Construction the prior month, per CBC News, where 60 gigabytes were frozen — highlight the need for robust cyber insurance.
The 2021 Infrastructure Investment and Jobs Act has spurred more projects, amplifying cyber risks as firms digitize, which creates new attack vectors. Sophisticated tactics like phishing — through email, voice and SMS messages — exploit weak passwords, a lack of multifactor authentication and careless data sharing.
Construction companies must prioritize cyber hygiene to safeguard data and projects, as well as cyber insurance to protect themselves in case an attack breaks through their defenses.
Why construction is attractive, and vulnerable
Several factors put the construction industry at risk for cyberattacks. One is the recent digitization of the construction industry.

In recent years, the construction industry has undergone a technological boom, with innovations that include Building Information Modeling, or BIM, and cloud-based project management platforms. The amount of sensitive data that the construction industry maintains in cloud-based software and project management platforms — such as banking information, bid information, personal employee information and proprietary designs — increases year after year.
As the construction industry embraces modernization and digital transformation, it also inherits the evolving cybersecurity threats that come with it.
General contractors increasingly require subcontractors to upload payment requisitions, including sub-subcontractors’ financial details, bank accounts and wire instructions to online software platforms vulnerable to cyberattacks. Subcontractors face liability if a hack compromises this data, causing damage. Time-sensitive decisions, critical for cost and schedule management, often prioritize speed over security — a shortsighted approach that risks significant project delays and losses.
Consequences of a cyberattack or data breach
Cyberattacks can have a devastating impact on construction companies. Generally, if a construction company suffers a data breach, depending on state-specific notification requirements, it may have to alert the affected individuals and the state attorney general. The consequences of such a breach, apart from the obvious direct monetary loss, can include civil penalties and consumer restitution. The fallout will also delay any construction projects and may cause irreparable reputational harm within the industry.
A ransomware attack can effectively halt a construction company’s operations. Ransomware attackers encrypt a company’s critical data, such as digital project management systems, design files or other critical software, and render them inaccessible until the ransom is paid. This type of cyberattack may cause a construction company to miss a bid on a large project or experience disruption of ongoing operations, causing delays to the critical path on ongoing projects, and potentially long-term brand damage.
How builders can protect themselves
Construction companies should be proactive to avoid becoming victims of a cyberattack. Steps vital to cyber hygiene include:
- Develop a team within your company with digital and managerial skills.
- Learn the language of the digital world with its risks and rewards.
- Focus on maintaining a robust and vigilant cyber policy for all employees.
- Provide training, and regular refresher training, with updated issues and techniques.
- Consult experts in the field, from IT, brokers and response counsel.
- Know what you will do, who to call and how to mobilize for an event.
- Review and reinforce contractual relationships to ensure adequate safeguards for all participants, remembering that the weakest link exists.
- Meet in person with contractors, specialty contractors, vendors, suppliers and communication platforms to ensure that everyone addresses risk.
- Add cyber risk to the on-site safety meeting agenda and stay current on developments in this area.
Purchase cyber insurance
Since even the most carefully designed and executed cyber defenses may be breached, it’s also essential to purchase effective insurance protection, either via a stand-alone cyber insurance policy or a cyber endorsement to an existing policy. Certain policies may include downstream contractual penalty coverage, which is advertised to cover loss as a result of contractual penalties due to construction and/or production delays resulting from a cybersecurity breach or system failure.
Construction companies should also look for insurance policies that provide crisis management services. As cyber insurance for construction companies has only recently been introduced, it is important to review policies carefully to ensure that they match a company’s most salient risks.
Cyberattacks in the construction industry are becoming the rule, rather than the exception. If they have not already done so, construction companies should take basic immediate steps to reduce cyber risks and frequently review their cyber practices and training to stay abreast of new types of attack. They should also seek the advice of their attorneys to assess whether their contracts and insurance coverage provide adequate protection.
Seán McCabe, an attorney in Anderson Kill’s New York office, contributed to this op-ed.