Construction companies should consider cyber insurance that may mitigate risks, use strong cybersecurity practices
Cybercrime is an increasingly prominent threat to many industries, and construction is no exception. With the growing use of digital technologies in what was once a primarily “offline” industry, cyberattacks can pose a significant threat at every level of the construction industry.
The construction industry routinely handles sensitive information that is of value to cybercriminals, including project plans, client information, financial records, and employee data. Furthermore, due to the tight project deadlines and complicated project scheduling common in the construction industry, it can be particularly susceptible to ransomware attacks that disrupt critical digital assets to extort “ransom” from their victims. Struck by a ransomware attack at the wrong time, a contractor, construction manager, or design professional may face the unenviable position of choosing between contractual penalties for delay or paying an anonymous hacker large sums of money to free compromised data or digital systems.
As with the many other business risks faced by the industry, the response of many players in the industry is to obtain insurance. While cyberattacks are usually excluded from standard Commercial General Liability (CGL) policies, many major insurers now offer optional coverage under a Professional Errors and Omissions policy or through standalone cyber insurance. While insurance can afford some degree of protection against attacks, this is an imperfect defense at best. Disruption or damage caused by a cyberattack can be expensive, with data breaches and ransomware attacks often costing even comparatively small victims millions of dollars per attack in direct costs. These amounts can easily exceed policy limits. Downstream costs like loss of intellectual property, reputational damage, and in some cases, legal liability to the owners of compromised information are often nearly or entirely uninsurable.
Proper digital hygiene
Additionally, companies have seen a rise in cyberattacks led by hostile state actors. Often originating from countries hostile to the United States, such as Russia, China, North Korea, and Iran, these attacks are uniquely dangerous to companies due to their sophistication and because most cyber insurance policies contain exclusions for “hostile or warlike actions.” Although still a developing area of the law, particularly given the ambiguity about whether a cyberattack that does not cause physical damage but nonetheless carries heavy economic costs is a “warlike” action, the exclusion risks a denied policy claim. Further, because cyberattacks by state actors often involve state secrets or national security concerns, insureds often have difficulty developing the facts around the cyberattack, complicating efforts to recover under their policy.
Despite its limitations, construction industry actors may want to consider obtaining or at least looking into cyber insurance or adding it as coverage to one of its existing forms of insurance. While it should not be relied upon as a sole means of protection, it may help mitigate the risk that modern construction companies face. Practicing proper digital hygiene by implementing strong cybersecurity measures like firewalls, multifactor authentication, encryption, and air gapping sensitive data, could be an essential, and unfortunately often neglected, safeguard in today’s digital economy.