For many years, the construction industry has avoided the cyberthreat spotlight because of the appeal of other industries and large companies storing larger volumes of sensitive and therefore lucrative data. But this lack of attention from bad actors may be lulling some construction companies into a false sense of safety.
By Ken Chapman and Frank Tanzola
Cybercriminals are now branching out to what they consider softer targets – construction companies. The construction industry was the most frequently hit by ransomware in 2021, as hackers held hostage key information that affected project timelines. Through schemes such as business email compromise (BEC), cybercriminals are also hacking or impersonating construction company emails to divert contract payments.
This escalating concern is far reaching: a breached network can delay project timelines and also expose sensitive information, affecting not only the contractor but the vendors, suppliers and owners it contracts with.
It’s not a matter of if, but when a company will experience a cyber intrusion. To minimize the impact of these intrusions and their financial consequences, computer and network systems preparedness, as well as cyber insurance consideration, are more important than ever.
Considerations for Systems Preparedness and Cyber Coverage
Like other industries that have long been impacted by the threat of cybercrime, construction companies need to take security into their own hands. Some considerations include:
- Procedures and policies enacted to prevent a breach
- Procedures and policies enacted post breach, i.e., an intrusion response plan
- Whether employees and contractors are educated on cyberthreats and required to follow security measures, such as multi-factor authentication, when accessing the network
For some organizations, these areas assume a level of IT sophistication beyond their current state. In these cases, engagement with a cyber consultant and/or enlisting the help of their insurance professional is critical. Should cyber coverage be an option, the cyber underwriter will need this baseline detail as well.
Should cyber coverage be an option, make sure to consider:
- Incident response by a third party (such as an attorney firm or cyber consultant)
- Notification expense
Notification expenses come into play for larger businesses that, if breached, could face substantial notification costs while contacting hundreds or thousands of impacted parties.
Beyond a company’s own coverage, business owners should be asking the companies they contract with — whether vendors, suppliers, or clients — what type of cyber insurance they have, if any.
Heightened Risk for Government Contractors
In October, the Department of Justice announced a Civil Cyber-Fraud Initiative to increase prosecutions of cybersecurity violations by parties contracting with the government via complaints filed under the False Claims Act (FCA).
Contractors doing business with the federal government and not having the cybersecurity measures in place required by their contract face potential exposure to fines, treble damages and other penalties under the FCA. Depending upon the standards incorporated in the specific contract, violations can range from deficient data security measures to failure to timely report a cyber breach. Accountability extends to anyone who is handling data or information for the party that is contracted with the government, and puts into focus the importance of understanding all third-party relationships throughout the supply chain.
At the same time that federal government agencies are imposing more stringent cybersecurity requirements on federal contractors, the Civil Cyber-Fraud initiative also encourages whistleblowers to pursue cases of potential fraud or contract breach. Much of this encouragement involves devoting government resources to investigating whistleblower allegations. As an example of this trend, the Infrastructure Investment and Jobs Act created an Office of the National Cyber Director.
Companies ill-prepared for a cyberattack are facing risk from multiple sides, from the bad actors online to members of their organization who are now more incentivized to file qui tam complaints under the FCA.
To ensure compliance with federal regulations, contractors should pay close attention to these two standards:
- Basic Safeguarding of Covered Contractor Information Systems applies to most parties that contract with the federal government and is focused on controlled unclassified information (CUI). Contractors are required to have systems in place to identify malware as well as limit access to systems where federal government information is stored. Requirements also include multi-factor authentication practices to access the system and a documented cyber incident response plan.
- Safeguarding Covered Defense Information and Cyber Incident Reporting is required for Department of Defense (DOD) contractors and expands on the Basic Safeguarding of Covered Contractor Information Systems standard to protect covered defense information (CDI). A major feature of this standard is providing greater specificity to the process of investigating and reporting cyber incidents to the DOD.
The reach of cybercriminals is constantly growing. For contractors, the chain of impact of a cybercrime can be extensive. From vendors to suppliers to clients such as the federal government, a breach of one company’s network could span all parties and leave a financial and reputational loss beyond recovery in its wake.
For more information on how to protect yourself from a devastating cyber incident and ensure compliance with new regulations, contact the IAT team.
The United States Department of Justice. “Deputy Attorney General Lisa O. Monaco Announces New Civil-Fraud Initiative,” October 6, 2021.