The Hidden Construction Industry Threat: Cyber Risk

Running a construction firm, you are certainly aware of the number of risks that you face every day, from worker safety and protecting the worksite to contractual obligations. But as your back office relies more on technology to keep your business going, there is an emerging risk for the construction industry that you need to stay on top of: the cyber intrusion threat.

New machinery is increasingly computerized and wired, and most design, engineering and construction firms are using some form of cloud computing. As you know, by using multi-user platforms, contractors, designers and project owners can use and share data simultaneously. Technology-driven applications – such as integrated project delivery, building information modeling, estimating and scheduling programs – and other electronic client interface systems are increasingly being used.

While there are a number of obvious efficiencies with this method, the risk of intrusion increases when multiple parties have access to the project data. If that data is compromised, it could force a halt in construction while you determine the extent of the breach.


If your firm uses any of these client interface or data sharing technologies, there is plenty of data that risks being exposed, including:
• Sensitive client data
• Confidential project information
• Proprietary data
• Subcontractor data or financials
• Employee data, including personally identifiable information
The biggest issue is that sharing data on common platforms makes everybody in the project vulnerable.

If cyber criminals gain access to construction data, they could seriously disrupt a project by destroying data servers and infrastructure, or by threatening the safety of people onsite. Hackers can also cause harm to an owner’s design and security systems.

Hackers can also get their hands on your intellectual property or data that gives you a competitive edge.

It doesn’t stop there. Some hackers may skip over your company data and use weaknesses in your system to reach other IT networks, such as those of your business partners in the project and your vendors.

The damage can be especially far-reaching for contractors who have access to other targeted systems, and particularly for contractors who have data stored in or flowing through their IT systems that are tied to a government IT network.

What you can do
You should ask yourself these questions to identify deficiencies:
• Is your network secure and are you confident you are protecting your data?
• How much data do you have and where are you storing it?
• Do you encrypt your data when it is on your or your employees’ mobile devices and laptops?
• Do outside vendors have access to sensitive information? Perform due diligence assessments before granting them access.
• Are you taking precautions to ensure that third parties are granted access on a need-to-know basis only?
• Do you have policies and safeguards in place to ensure shared information is not disseminated elsewhere?
• Are you training your staff in cyber security and privacy?

Commercial insurance won’t cut it
Your commercial insurance policy will not cover damages caused by data breaches. That’s because such policies don’t cover damages to intangible property – and many have exclusions for data and technology.
And your property policy will not cover you for loss of business if there is no direct physical damage to your property. Property policies don’t cover damage caused by hackers or rogue employees who shut down your or your project owner’s website or computer systems, or the systems of a service provider you rely upon to conduct business.
Professional liability insurance also will typically not cover damages associated with a cyber attack.

The answer: Cyber insurance
Cyber insurance will cover the costs of recovering from a data breach or malicious attack on your data systems.
It can cover losses from various cyber and electronic issues, including:
• Unauthorized access.
• Business interruption.
• Network damage caused by a virus, malware or human error.
• Any state-mandated notification costs if personally identifiable information was exposed.
• Costs of regulatory penalties, and compliance costs.
• Third-party security and privacy liability arising out of the failure to protect confidential corporate information, including personally identifiable information.
• Costs associated with impaired access or denial-of-service attacks.
• IT forensics and expenses.
• Crisis management and public relations expenses.
• Loss of business income due to network interruptions.
• Cost of recovering systems and data.
• Cyber extortion loss.

One final note about insurance: Many project owners have started including in their contracts requirements for cyber liability insurance coverage to be included in certificates of insurance.