Special thanks to Courtney Way (Summer Associate) for her contributions to this post.
When we imagine cyberattacks, we often picture hackers breaking into websites and stealing credit card or social security information. We think of companies full of financial or personal information falling victim to these attacks. What we don’t often think of is a construction company’s information being held hostage, its checks for services being redirected to unknown accounts, or construction equipment being hijacked. Unfortunately, because we aren’t expecting these attacks is exactly why construction companies are exposed.
Hackers are learning that the construction industry is a vulnerable target. These companies constantly manage complex projects while handling data exchanges among many parties including partners, subcontractors, regulators, and suppliers. Daily communications between these parties occur over e-mail, providing hackers a perfect opportunity to strike.
Typically, hackers will use a fake e-mail account or even mirror a familiar account in order to ask the company to send funds to a “new” or “different” bank account. Since the communication appears to come from a person that the company deals with on a routine basis, the company assumes that the new bank account is legitimate. Yet, theft of funds is not the only type of cyberattack construction companies may face; hackers also use information to lock data or destroy or control hardware and equipment.
Given the sophistication of today’s cybercriminals, construction companies must recognize their risk as targets and begin implementing protective measures. The most important steps for companies to take include: (1) conducting security assessments or routine vulnerability scanning; (2) updating software, including advanced e-mail filtering; (3) enforcing password policies; (4) restricting approval rights and administration privileges; and (5) obtaining cyber liability insurance policies.
However, general liability policies typically do not cover harm suffered by a cyberattack. About a decade ago, companies were unsuccessfully fighting with policyholders about general liability policies covering losses resulting from a data breach. Today, commercial general liability policies generally explicitly exclude electronic data from its definition of “property damage.”
Given the need for a policy that would cover the loss of data resulting from a cyberattack, insurance companies began offering separate cyber liability insurance policies. First-party cyber liability insurance typically covers the cost of network business interruptions, forensic investigation and restoration, legal fees, credit monitoring, and cyber threat extortion expenses. Third-party cyber liability insurance typically covers wrongful disclosure, content liability risks, and security or privacy breach regulatory proceedings.
Companies must be well educated and represented when obtaining cyber liability insurance. Unfortunately, many companies that offer these policies seek to limit their liability and in turn, except many incidences. For example, one policy in 2017 attempted to except costs associated with a fraudulent funds transfer that occurred when employees initiated the transfer after receiving a forged e-mail from a hacker. In 2018, another policy attempted to limit its coverage by arguing that the losses incurred by a company were not directly caused by computer fraud, but rather were incidental. Now, policies are attempting to invoke an “act of war” exception where companies argue that large attacks from foreign hackers are in fact “acts of war” and therefore not covered by the policy.
Although it is recommended that companies obtain cyber liability insurance policies in an effort to combat the enormous expense that follows a cybersecurity breach, cyber liability insurance policies are not a simple catch all and are certainly not an alternative route for staying current on training employees, frequently updating software, and conducting regular security assessments.
While construction companies may not appear to be the most profitable targets for hackers, they are the perfect combination of numerous moving parts, people, and complex projects. Add to this their lax cybersecurity measures, and hackers have found an opportune target.
In order to combat the recent uptick in hackers attacking construction companies, we recommend that companies (1) train employees about cybersecurity; (2) frequently update software; (3) conduct regular security assessments; and (4) look into obtaining cyber liability insurance. A cyberattack could cost millions of dollars and your reputation. In a world where three out of four construction companies have reported a breach in the last year, cybersecurity is not to be taken lightly.