The Scope of the Threat. Five or ten years ago, the most widely recognized cybersecurity threats involved the risk of compromises of personally identifiable information (PII) such as Social Security numbers, payment card information, and the like.  The high-profile data breaches frequently involved retailers, health care providers, or other consumer-facing companies and industries.  Many of the warnings about cybersecurity threats focused on these kinds of risks, and state data breach laws in the U.S. focused on the obligation to notify individuals if their PII had been breached.

In recent years, however, the cybersecurity threat landscape has become increasingly complex, and businesses of all kinds – including the construction industry – face ever-growing risks to their reputation, their finances, their continuity of operations, and even to the safety of their job sites and equipment.  The Department of Homeland Security has deemed a number of construction-related sectors at risk for cyber-attacks, including highway infrastructure, mass transit and passenger rail, and pipeline systems.  In addition to the cyber threats that arise in transportation construction, there are a number of threats that arise across all kinds of construction activities and sites.

Why Cyber Threats to Construction are on the Rise.  The construction industry, like so many other sectors of the economy, is increasingly dependent on the internet and on internet-enabled technologies.  Shared resources like integrated project delivery and building information modeling increase the risk that an authorized user will unintentionally introduce malware into shared systems.  The widespread use of vendors and subcontractors who have connectivity to shared information technology (IT) networks increases the risk that a cyber incident involving one company will become a vulnerability for many companies.  In addition, the steady growth in connected and remote-controllable devices – broadly known as the “Internet of Things” – has vastly increased the potential attack surface for cyber threats.  Perhaps the most famous example of the ways in which these threats can intersect with and magnify each other is the Target department store data breach, in which millions of Target customers’ credit card information was exposed, and Target suffered millions of dollars in breach response costs, litigation fees, lost revenue, and incalculable reputational harm.  The breach originated with an HVAC vendor who was responsible for managing “smart” thermostats at Target facilities.  Once inside the network, the hackers were able to traverse the connected IT architecture and penetrate Target’s payment card information databases.  

What is at Risk?  Cyber threats can expose all of a company’s digital assets: business plans and acquisition strategies; proprietary construction plans and designs; customer, contractor, and supplier lists and pricing; personally identifiable information of employees and contractors; protected health information of personnel; and facilities security information.  Cyber risk can also cause business interruption and reputational harm: for example, a ransomware attack might not lead to a loss of information, but by shutting down a company’s computer networks, and potentially destroying information, it can cause an enormous amount of lost productivity and business delay.  And the ability for cyber attackers to hijack physical devices – from security cameras to vehicle telematics to industrial control systems – means that there is an ever-increasing risk of property damage and personal injury due to cybersecurity incidents.

How to Mitigate Cyber Risk.  There are a number of low- and moderate-cost ways to mitigate cybersecurity risk.  These include:

  • Policies and training.  The very best IT can’t prevent human error.  So it’s essential to implement clear policies on cybersecurity basics like use of strong passwords, multi-factor authentication, use of encryption for sensitive data, and restrictions on the use of removable media.  It’s also essential to train employees on best practices, including how to recognize potential phishing emails and sensitive information to which they have been granted access.  Having a tailored and up-to-date incident response plan, and clear privacy policies and data handling practices that comply with all applicable data privacy laws, are also critical components of an effective cybersecurity and privacy program.
  • Vendor management.  Contracts with subcontractors, suppliers, and others are an essential component of mitigating cyber risk.  Legal review of representations and warranties about the cyber practices of a business partner, along with appropriately tailored indemnification and hold harmless provisions, can be a foundation stone for mitigating the party cyber risk associated with doing business with third parties.
  • Insurance.   Cyber insurance is widely available, and can be an effective component of an overall insurance program.  It’s important to read policy language carefully: some policies require specific technical cyber hygiene measures (such as annual penetration testing), and others offer discounted policy rates for undertaking a cyber vulnerability assessment.  Most cyber policies cover the costs of forensic investigation and breach notification associated with a cyber incident, but many do not cover other costs that could be associated with a cyber incident.  For instance, a business email compromise, in which a spoofed email dupes a company into wiring money or employee information to a fraudulent account, is often covered under a crimes policy.   However, property damage, personal injury, and environmental damage, all of which are possible consequences of a cyber-attack on IoT devices, may be more likely excluded from cyber coverage and, instead, covered under general liability or other policies.  Because of the many ways in which cyber threats can play out, and the intricacies of the intersection of various insurance coverages, it is essential to assess cyber coverage in the context of a comprehensive insurance program.
  • Treat Cyber Risk as a Business Risk.  Cybersecurity risk is too important – and the potential negative consequences of a cyber incident are too grave – to dismiss cybersecurity as something that should be the sole responsibility of an IT vendor or in-house IT department.  Senior management of the company – or the Board if there is one – should treat cybersecurity risk like it would other kinds of business risk that could have significant negative financial, operational, and reputational impact.  A comprehensive, organization-wide approach – that includes participation from the legal office, chief financial officer, head of operations, human resources, and marketing, communications, or public relations – along with IT – can provide the framework for a holistic cybersecurity program and plan.

Although these steps can’t eliminate cyber risk altogether, they can greatly reduce the likelihood of an incident, and reduce its cost and impact if one occurs.