Rarely does a week go by without a cyber incident making headlines. According to the World Economic Forum’s 2018 Global Risks Report, cyber and data privacy and security threats are the leading risks facing companies operating in North America. The simple truth is that cyber risk is industry agnostic and any business that relies on technology can suffer a loss.
Yet many construction risk professionals do not view cyber risk as a priority for their organizations, leaving them vulnerable to costly cyber-attacks or technology disruptions that can devastate their bottom lines. However, contractors can take action to reduce their risk through a combination of robust internal practices and the purchase of insurance coverage.
Contractors are different than many other businesses in that they collaborate in a digital environment with many project stakeholders to bid on and perform work. Through design-build and other alternative contract delivery methods, contractors — rather than professional service firms — hold ultimate responsibility for the source of systems and software that is incorporated into a building or other form of infrastructure.
More broadly, the construction industry is embarking on a period of rapid digitization, with technology increasingly being embraced both for project modeling and day-to-day operations. A 2016 survey by PwC found that construction companies planned to invest 5% of their annual revenue into digital operations solutions in the coming years. Three specific technologies — building information modeling, geographic information systems, and integrated project delivery — are quickly becoming cornerstones of the industry. And construction equipment and control systems are expected to become increasingly automated in the years ahead.
These and other technological advancements will help the industry become increasingly efficient, but can also make construction companies more attractive targets for cyber criminals looking to steal data, ransom systems, or otherwise disrupt companies’ operations. Virtually all companies in the construction industry rely on IT networks, software applications, and data to maintain general business activities, from payroll and order processing to marketing and communications.
Other industry characteristics can present risks as well. For example, the construction industry’s workforce is fluid; many construction industry employees work in the field — using laptops, smartphones, and tablets — rather than in traditional office environments. The reliance on subcontractors can also present unique challenges, including training. Moreover, the completion of any project typically involves dozens of companies and their employees and the sharing of vast quantities of confidential data, including bids, blueprints, employee records, and financial information.
These and other factors translate to several potential cyber risks for contractors, including:
Health care organizations, financial institutions, retailers, and public entities have long considered cyber risk among their most critical exposures, but the same is not true of the construction industry. Relatively few contractors have thoroughly identified and quantified their cyber exposures or developed plans to mitigate and/or transfer that particular risk.
The first step in managing cyber risk is to identify sources of potential risk. Contractors should conduct audits that gauge employee access to and use of critical and sensitive data, including personally identifiable information and proprietary corporate assets. This audit should determine who has access to such information and critical systems and take stock of existing capabilities for monitoring inappropriate system access and potential security events.
Once complete, businesses should develop formal, written policies regarding the use of corporate networks, and ensure that access to sensitive data is restricted only to parties that require it. Organizations should also:
Although all businesses should plan for and take steps to prevent potential cyber-attacks and technology disruptions, the reality for many businesses is that it’s not a question of “if” a cyber-loss will occur but rather “when” one will. To prepare for that eventuality, insurance should be a part of any construction company’s risk management program.
The continual evolution of privacy and computer security risks has left traditional forms of insurance largely unable to adequately cover cyber exposures. For example:
Given the limitations of these and other forms of coverage, contractors should consider purchasing standalone cyber insurance coverage. While cyber insurance policies have historically been most often associated with data and privacy breaches, today’s cyber policies cover the failure of technology and the resulting interruption or loss of revenue. Cyber policies can also be designed to cover:
In addition to coverage for these specific risks, many cyber insurers offer additional services to help manage the effects of a cyber loss and prevent future losses. For example, many insurers can provide data breach “coaches” to help insured businesses better manage their risk. Such coaches are often attorneys who specialize in the unique legal and regulatory issues surrounding breaches, and can help insured businesses navigate the response process and better ensure compliance with state and federal privacy laws.
Most insurers also have pre-negotiated rates with IT forensics specialists, who can spearhead investigations into what has occurred, what data has been compromised, and how to fix any identified vulnerabilities.
As they attempt to address a range of potential cyber risks, especially the growing threat of ransomware, organizations should seek to optimize their cyber insurance programs, coordinating and aligning cyber, property, and casualty insurance coverages. Working with their insurance advisors, risk professionals should review these policies to determine current levels and areas of coverage, identify any gaps or exclusions — with close attention to potential implications of “other insurance” clauses — and tailor insurance solutions to their organizations’ cyber risk profiles. Organizations should also update policies as needed to provide coverage for new types of risks, including business interruption and cyber extortion, and reevaluate program limits in the face of catastrophic scenarios.
Contractors, like almost all other organizations, rely on technology to do business. That can be a source of strength, but any breach or technology interruption that disrupts critical workflows and operations can lead to substantial losses for contractors and other project stakeholders. Although it’s difficult to remove that risk, contractors can create effective cyber risk management programs to reduce it and secure robust cyber insurance coverage to protect against potential losses.