Big-name data breaches and stories of international cybercrime have dominated the news in recent years. While the construction industry has largely avoided making cybersecurity headlines, contractors and subcontractors alike must consider their unique vulnerabilities and take measures to minimize their exposure in the event of a successful cyber attack.

Cyber Threats in the Construction Industry

Anything that can connect to the internet can be “hacked.” This means that drones, connected machinery and wearable technology—all items that are used in the construction industry—could be accessed and controlled by outsiders. As a result, a successful cyber attack can expose sensitive employee information, financial data, trade secrets and intellectual property.

Contractors that service “smart” building systems should pay close attention to their security measures because these systems are especially vulnerable to attack, which makes HVAC, lighting and security systems lucrative targets. Contractors that install and service these systems serve as an access point for attackers. For example, the 2013 Target data breach that exposed approximately 40 million debit and credit card accounts was traced back to an HVAC subcontractor that serviced the retail giant’s facilities.

Protecting the Business

Contractors that fall victim to an attack may face severe financial, reputational and legal consequences. Not only is there the possibility of direct loss and damage to the contractor itself from a data breach, but contractors can also face liability for damages sustained by owners, developers and others in situations where the contractor is the source of the breach.

Taking appropriate steps to secure systems and infrastructure is a key first step; however, it is not fool proof. Hackers have an unending supply of creative ways to infiltrate secure networks. Given this risk, it is important for companies to consider how to mitigate their exposure when a strike occurs. Two ways of protecting a company are:

• appropriately identifying and allocating risk in contracts by including cyber-specific provisions; and
• obtaining appropriate insurance.

Contracts should specify the steps that need to be taken by each party to ensure security during performance of the contract. Additional terms may be added to the contract to allocate and shift risk between the parties by adding “cyber” terms to more general provisions. These terms ensure that the contract covers cyber events. Examples of provisions include: waivers of consequential damages, indemnity provisions and force majeure provisions. Addressing cyber attacks in contracts is a relatively new practice, therefore it is important to tailor existing contracts to address “cyber-specific” issues and ensure that important contract terms apply to cyber events.

Traditional commercial general liability policies typically do not include cyber events within the scope of coverage. Current policies should be reviewed to verify that the company is protected in the event of a successful cyber attack, and if not, contractors and subcontractors should consider adding a cyber policy to their insurance portfolio.

The Bottom Line

The increased use of technology and data sharing between developers, designers and contractors has certainly increased the quality and efficiency in project delivery, but it has also exposed vulnerabilities that need to be addressed and mitigated. Cybercriminals will continue to target the construction industry as companies adopt new technology in the office and at the worksite. However, companies can mitigate the risks associated with a cyber event by incorporating certain provisions into its contracts and obtaining appropriate insurance coverage.