Cyber risk in the construction industry
Is your business protected?
Design, engineering, and construction have a multitude of project risks. Most of these are identified, well-defined, and, hopefully, allocated to the party most capable of managing the risk. However, cyber intrusion and its potential impact on your business – or your project owner's business – is probably the least appreciated of all construction risks, and it has no clear path to risk allocation or management.
From smart roads to cloud computing, technology permeates almost every aspect of design and construction. Multi-user platforms let contractors, designers and owners use project data simultaneously, which compounds the risk to all parties. But coverage for claims involving data breaches in technology-driven applications – such as integrated project delivery (IPD), building information modeling (BIM), estimating, scheduling programs and virtually any electronic client interface – is largely excluded from commercial liability insurance, many forms of property insurance, as well as various forms of design and construction professional liability insurance.
Who's at risk?
Cyber risk can affect businesses, including those in the construction industry, which handle, host, store and transmit sensitive and proprietary information such as:
- Client data or confidential project information
- Intellectual property
- Sensitive commercial material
- Subcontractor data or financials
- Employee data, including health data
Throughout the industry, common platforms are used to distribute and manage all kinds of engineering and construction data. This creates vulnerability – and a shared responsibility – for everyone involved. A hacker with access to construction data could wreak havoc not only operationally but also through the physical destruction of data, servers and infrastructure, or by threatening the safety of people onsite. Such incidents can also cause harm to an owner’s design and security systems.
Even attackers who don't intend physical harm may still be interested in obtaining valuable corporate data, such as intellectual property or data that provides a competitive edge. Furthermore, hackers who aren't interested in your company's data may still capitalize on weaknesses in your systems to reach other IT networks. This holds true for contractors who may have access to other targeted systems, and even more so for government contractors, whose IT systems may store or carry government data and are increasingly tied to a government's IT network.
As a result, anyone in the construction industry should ask the following fundamental questions:
- How secure is your network? What do you know about data protection and the associated risks?
- How much data is there? Where is it stored?
- Do you encrypt your data at rest, in transit, and in mobile devices?
- Do outside vendors have access to sensitive information? If so, do you perform due diligence assessments before granting them access? What precautions are you taking to ensure that third-party access is granted on a need-to-know basis only? How do you ensure that this information is not disseminated elsewhere?
- Is there security and privacy training for your staff?
Does your traditional insurance protect your business from cyber risk? (Hint: probably not.)
Websites have evolved into active business platforms with attendant risks. And many of these platforms have remotely accessible controls or internet-connected capabilities. In addition to losses caused by data breaches, other types of losses from technology-related incidents may not be covered by your existing insurance program. Traditional policies don't generally cover damages caused by data breaches.
- Commercial liability policies don't respond to damages to intangible property and they often have data and technology exclusions.
- Property policies provide loss of business income coverage only if there was direct physical damage caused to your property. They don't cover damage caused by hackers or rogue employees who shut down your or your project owner's website or computer systems or the systems of a service provider you rely upon to conduct business.
- Professional liability insurance – design, design-build, or engineering-procurement-construction E&O – may not respond to a cyber intrusion and the resulting losses or damages.
Like other industries, the construction industry is also subject to administrative or industrial compliance regulations, as well as state and federal privacy laws, all of which involve cyber exposures.
What does cyber insurance cover?
Cyber insurance covers first- and third-party losses – damage to internal IT systems as well as third-party liability. It will help mitigate losses from various cyber and electronic issues, such as unauthorized access, business interruption and network damage caused by a virus, malware or human error. It acts as a separate insurance tower in addition to commercial liability coverage. A cyber liability policy can cover a wide range of exposures:
- Third-party liability:
  - Security and privacy liability arising out of the failure to protect confidential corporate information, including personally identifiable information
  - Liability for transmission of malicious code
  - Impaired access or denial of service attacks
- First-party loss:
  - The cost of compliance with legal and regulatory obligations to notify compromised individuals
  - IT forensics and expenses
  - Crisis management and public relations expenses
  - The cost of compliance with regulatory investigations and the resulting fines
  - The loss of business income due to network interruptions and the cost to recover systems and data
  - Cyber extortion loss
- Content liability:
  - Intellectual property
Project owners are becoming increasingly concerned about the information and supply chain security of their design, engineering and construction companies. As a result, owners are beginning to add contractual requirements for cyber liability coverage in certificates of insurance before any work is performed. It's only a matter of time before most design, engineering, and construction contracts will stipulate hold harmless and indemnity provisions to protect the client from cyber-related losses caused by the contractor or design firm's negligence.
How to mitigate risk before a cyber event
You should prepare for a cyber event before it occurs to ensure a streamlined and coordinated response, and to minimize the consequences. Best practices include:
- Create an incident response plan: Appoint a cross-functional incident response team with advisors in legal, compliance, privacy, public relations, government affairs, audit matters, and ethics, as well as IT and information security.
- Designate leadership: Establish clear roles – security is only effective if people know how to fulfill their duties – then outline escalation procedures and communication protocols, including guidelines for external communications.
- Train employees: Train all employees, not just a select few. Security is everyone's responsibility.
- Update security protection and user authentication: Implement two-factor authentication. Username/password authentication is insufficient. Depending on the password policy, passwords can be cracked in a matter of time, and a compromised password can be used by anyone, anywhere. However, by adding another layer of security – with tokens, fobs, biometrics, and similar user-related features – two-factor authentication helps thwart attacks, even when passwords have been compromised.
- Protect against distributed denial of service (DDoS) attacks: Take steps to prevent DDoS attacks – this is key for managing risk and avoiding potential extortion. If users can't access project data, it might as well be lost.
- Manage unauthorized entry: Don’t assume your project's security can't be compromised. Invest in a security operations center (SOC) team to constantly monitor traffic, trends, and activity to keep the platform, and its data, safe.
- Conduct cyber exercises: Perform simulated cyber exercises to look for unknown vulnerabilities or unanticipated gaps that aren't readily apparent. Execution is the best training.
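The two-factor point above (a password alone is insufficient, and a second factor still protects the account when the password has leaked), shown as an added example that is not part of the article: a Python login check that accepts a user only when both a salted password hash matches and a fresh time-based one-time code is valid (TOTP per RFC 6238, the scheme used by authenticator apps and many hardware tokens). The user record, the password and the demo secret (the published RFC 6238 test key) are constructed for the example, and the names hash_password, totp, match_totp and login are chosen here, not taken from any product.

```python
"""Added example: password + TOTP (RFC 6238) two-factor login check.
The User record, demo secret and password are constructed for illustration."""
import hashlib
import hmac
import secrets
import struct
import time
from typing import Optional, Tuple

TOTP_STEP = 30     # seconds per code, as in common authenticator apps
TOTP_DIGITS = 6

def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Salted PBKDF2-HMAC-SHA256: store (salt, digest), never the password itself."""
    salt = salt if salt is not None else secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)
    return salt, digest

def totp(secret: bytes, timestamp: int, step: int = TOTP_STEP, digits: int = TOTP_DIGITS) -> str:
    """RFC 6238 TOTP: HOTP (RFC 4226, HMAC-SHA1) over the current time-step counter."""
    counter = timestamp // step
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F                                  # dynamic truncation
    value = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)

def match_totp(secret: bytes, code: str, timestamp: int, window: int = 1) -> Optional[int]:
    """Return the counter the code matches (tolerating +/- window steps of clock drift), else None."""
    base = timestamp // TOTP_STEP
    for counter in range(base - window, base + window + 1):
        expected = totp(secret, counter * TOTP_STEP)
        if hmac.compare_digest(expected, code):                 # constant-time compare
            return counter
    return None

class User:
    """Constructed account record for the demo (hypothetical, not a real system's schema)."""
    def __init__(self, username: str, password: str, totp_secret: bytes):
        self.username = username
        self.salt, self.password_hash = hash_password(password)
        self.totp_secret = totp_secret
        self.last_counter = -1   # highest counter already accepted: a used code is never accepted twice

def login(user: User, password: str, code: str, timestamp: Optional[int] = None) -> bool:
    """Accept only when the password AND an unused, in-window TOTP code are both correct."""
    now = int(time.time()) if timestamp is None else timestamp
    _, candidate = hash_password(password, user.salt)
    password_ok = hmac.compare_digest(candidate, user.password_hash)
    counter = match_totp(user.totp_secret, code, now)
    # Both factors are evaluated every time, so a failure does not reveal which one was wrong.
    if not password_ok or counter is None or counter <= user.last_counter:
        return False
    user.last_counter = counter
    return True

if __name__ == "__main__":
    demo_secret = b"12345678901234567890"          # RFC 6238 test key (constructed demo, not a real secret)
    alice = User("alice", "correct horse battery", demo_secret)
    # A leaked password alone is not enough: the code from the token is still required.
    print("password only:", login(alice, "correct horse battery", "000000", 59))
    print("password + code:", login(alice, "correct horse battery", totp(demo_secret, 59), 59))
    print("replayed code:", login(alice, "correct horse battery", totp(demo_secret, 59), 59))
```

Two design points matter in practice: the password and the code are checked together and compared in constant time, so an attacker with a stolen password cannot learn from the response whether only the second factor was wrong, and each accepted counter is recorded so that a code captured from a user (for example by shoulder-surfing or a phishing page) cannot be reused within its validity window.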
Authors: Yujin Basetto, Senior Products Manager, Cyber Technology E&O, and Sasha Beamish, Senior Product Underwriter, Financial & Professional Services