Construction companies continue to face wide-ranging, dangerous threats from cyber criminals. Whether it be intellectual property, financial information, customer data or classified material, construction companies possess data that make them targets for cyber thieves. However, when armed with the right information, executives can take meaningful steps to protect their companies from falling prey to the dangers of today’s cyber threats. With 2018 in the books, it is time to look at what should be top of mind in 2019. 

Key Cyber Developments - 2018

A look back at 2018 reinforces two key cybersecurity bellwethers for the construction industry. First, the industry continues to be the target of a wide range of cyber threats, and the following attack vectors have directly impacted construction companies:

• system compromise due to ransomware;
• fraudulent wire transfer due to successful phishing schemes; and
• theft of intellectual property, pricing models – due to direct hacking.

These forms of attack evolved throughout 2018 and demonstrate that cyber criminals continue to develop new and more effective means to steal data, dupe unsuspecting employees into sending money to phony receivers and disable networks.

2018 also saw a significant increase in regulatory frameworks that create challenging mandates for securing cyber data, protecting personal information and subsequent notification of a cyber breach. The European Union’s long-awaited General Data Protection Regulation took effect May 25, 2018, with the goal of providing individuals with control over their personal data. It applies to all companies, regardless of geographical location, who process or control data of EU citizens. The regulation also provides for potentially extreme penalties for failure to comply.

Likewise, the State of California passed the California Consumer Protection Act, which becomes active on January 1, 2020. Much like GDPR, the CCPA provides California citizens with a host of rights relative to their personal information. The law also places tight deadlines and compliance challenges for companies. More states are expected to follow California’s lead, so construction executives must understand how these new laws and regulations impact their business operations and what new obligations are being placed on protecting customer data. 

Seven Action Items for Construction Executives in 2019

Heading into 2019, construction executives would be well-served to take the following seven steps to help protect their companies from cyberattacks:

1. Continue to train employees, with an emphasis on protecting personal devices. Employee training will continue to be a key trend for construction companies in 2019. Employees are the initial line of defense against cyberattack, but unfortunately, are often times the weakest link. Companies which allow employees to bring and utilize their own personal devices create cyber vulnerabilities for their companies. The increased efficiency realized from a BYOD policy must be weighed against the security risk. Unsecure mobile devices are a leading cause of data breaches. It is imperative for construction executives to create and communicate a company-wide BYOD security policy. Mobile devices must be protected with a passcode or biometric gatekeeper, and users must be counseled to avoid public, unsecure networks.
2. Develop an Incident Response Plan. In order to properly respond to any type of cyber incident, minimize any damage and restore operations in an effective manner, construction companies must develop and implement an Incident Response Plan – before an actual incident occurs. The IRP should set forth the framework in which the company will respond to a variety of attack scenarios. The plan should include a detailed workflow – for both action and communication – internally and externally. Key players in an incident response scenario must be identified, and trained on the plan. Once an IRP has been developed, it must be practiced, revised and updated annually. Although this will require additional resources and time from key personnel, it should be noted that reactively trying to develop an incident response plan during a breach is too late.
3. Require third-party vendors to adequately guard against cyber threats. Third-party vendors continue to be a weak link in cyber protection, particularly in the construction industry where so many third-parties have access to software in the system. Vendors must be required to do three things. First, they must be required to put in place on their own systems adequate protection from cyberattacks. Second, these vendors should obtain cyber liability insurance, naming the contractor as an additional insured. Finally, strong contractual indemnity language must be included in any vendor subcontract to ensure that a contractor will be wholly indemnified should a cyber incident occur.
4. Obtain tailored cyber liability insurance. Cyber liability insurance should continue to be a safety net for construction companies to protect themselves from cyber risks. However, construction executives would be best served to be wary of “off-the-shelf” cyber policies and procure cyber insurance specifically suited to protect the needs of their individual company. Cyber insurance is NOT a “one size fits all” product. Rather, cyber insurance policies must be carefully crafted to ensure that appropriate protection is provided to the uniqueness of each company. The language should be reviewed by experienced cyber coverage counsel to provide security in the unfortunate, but likely, event of a cyber incident.
5. Prepare to tackle new laws and regulations. Given the new and expanding regulatory framework that will impact the construction industry, executives must familiarize themselves with the new requirements and develop an internal strategy to comply. Executives should not assume that these are static regulations which will simply stagnate until a breach occurs. Rather, the entire industry must accept that aggressive plaintiffs’ attorneys will be testing companies’ compliance with the regulations, and actively bringing lawsuits to force compliance and recover damages. These regulations will impact construction companies and must be taken seriously, now.
6. Be aware of the Chinese threat. The Chinese government continues to be linked to a variety of cyber hacks, including a Navy contractor, the U.S. Office of Personal Management, EU communications and a host of U.S. companies, including the recent Marriott/Starwood breach. Construction companies that provide services for the U.S. government are a favored target for the Chinese. But regardless of whether a company provides services for the government, if a company possess any sensitive data (including trade secrets/intellectual property), the Chinese government has demonstrated an active effort to steal it.
7. Develop a strategy surrounding the Internet of Things. As smart technology continues to play a larger role in construction, companies are introducing a wide variety of technology – commonly referred to as the Internet of Things. Quite simply, IoT is defined as the network of devices, vehicles and appliances that contain the necessary software to connect, interact and exchange data. It is estimated that there will be 30 billion devices in the IoT by 2020. These devices present an obvious cyber risk, yet the construction industry must continue to meet demand by introducing more and more of these products to customers. Construction executives should develop a strategy to properly disclose potential IoT threats to customers, ensure that appropriate security measures are in place to safeguard these devices, and monitor the coming regulatory framework related to IoT.

Construction executive must continue to act to protect their companies from the ongoing, ever-changing cyber threat landscape. Although these seven action items will not guarantee the avoidance of a cyber incident, they will assist construction companies with good cyber hygiene, the ability to respond to a threat, and protection in the event of a cyber-related loss.