Cyber-crime is an increasingly prominent threat to many industries, and construction is no exception. With the growing use of digital technologies in what was once a primarily “offline” industry, cyber-attacks can pose a significant threat at every level of the construction industry. The construction industry routinely handles sensitive information that is of value to cybercriminals, including project plans, client information, financial records, and employee data. Furthermore, due to the tight project deadlines and complicated project scheduling common in the construction industry, it can be particularly susceptible to ransomware attacks that disrupt critical digital assets to extort “ransom” from their victims. Struck by a ransomware attack at the wrong time, a contractor, construction manager, or design professional may face the unenviable position of choosing between contractual penalties for delay or paying an anonymous hacker large sums of money to free compromised data or digital systems.
As with the many other business risks faced by the industry, the response of many players in the industry is to obtain insurance. While cyber-attacks are usually excluded from standard Commercial General Liability (CGL) policies, many major insurers now offer optional coverage under a Professional Errors and Omissions policy or through standalone cyber insurance. While insurance can afford some degree of protection against attacks, this is an imperfect defense at best. Disruption or damage caused by a cyber-attack can be expensive, with data breaches and ransomware attacks often costing even comparatively small victims millions of dollars per attack in direct costs. These amounts can easily exceed policy limits. Downstream costs (such as loss of intellectual property, reputational damage, and in some cases, legal liability to the owners of compromised information) are often nearly or entirely uninsurable.
Additionally, companies have seen a rise in cyber-attacks led by hostile state actors. Often originating from countries hostile to the United States (such as Russia, China, North Korea, and Iran), these attacks are uniquely dangerous to companies due to their sophistication and because most cyber insurance policies contain exclusions for “hostile or warlike actions.” This is still a developing area of the law, particularly given the ambiguity about whether a cyber-attack that does not cause physical damage, but nonetheless carries heavy economic costs, is a “warlike” action; even so, the exclusion risks a denied policy claim. Further, because cyber-attacks by state actors often involve state secrets or national security concerns, insureds often have difficulty developing the facts around the cyber-attack, complicating efforts to recover under their policy.
Despite its limitations, construction industry actors may want to consider obtaining or at least looking into cyber insurance or adding it as coverage to one of their existing forms of insurance. While it should not be relied upon as a sole means of protection, it may help mitigate the risk that modern construction companies face. Practicing proper digital hygiene by implementing strong cybersecurity measures like firewalls, multi-factor authentication, encryption, and air-gapping sensitive data could be an essential, and unfortunately often neglected, safeguard in today’s digital economy.