Prevent the Chain Reaction of Cybercrime in Construction

Ken Chapman and Frank Tanzola

Ken Chapman is Executive Vice President and Frank Tanzola is Senior Vice President & Chief Legal Officer at IAT Surety. (Reprinted with permission from Construction Executive.) For more information on how to protect yourself from a devastating cyber incident and ensure compliance with new regulations, contact the IAT team.

August 1, 2022

Cybercriminals are now branching out to what they consider softer targets—construction companies. The construction industry was the most frequently hit by ransomware in 2021, as hackers held hostage key information that affected project timelines. Through schemes such as business email compromise, cybercriminals are also hacking or impersonating construction company emails to divert contract payments.

This escalating concern is far-reaching, as breached networks not only can delay project timelines but also expose sensitive information that impacts contractors and the vendors, suppliers, and owners with whom they contract.

It is not a matter of if, but when, a company will experience a cyber intrusion. To minimize the impact of these intrusions and their financial consequences, computer and network systems preparedness, as well as cyber insurance consideration, are more important than ever.

Considerations for Systems Preparedness and Cyber Coverage

Like other industries that have long been impacted by the threat of cybercrime, construction companies need to take security into their own hands. Some considerations include:

  • Procedures and policies enacted to prevent a breach;
  • Procedures and policies enacted post-breach (i.e., intrusion response); and
  • Educating employees and contractors on cyber threats and requiring them to follow security measures such as multi-factor authentication when accessing the network.

For some organizations, these areas assume a level of IT sophistication beyond their current state. In these cases, engagement with a cyber consultant and/or enlisting the help of their insurance professional is critical. Should cyber coverage be an option, the cyber underwriter will need this baseline detail as well.

If cyber coverage is an option, make sure to consider:

  • Limits;
  • Incident response by a third party (such as an attorney firm or cyber consultant); and
  • Notification expense.

Notification expenses come into play for larger businesses that, if breached, could face substantial notification fees while contacting hundreds or thousands of impacted parties.

Beyond a company’s own coverage, business owners should be asking the companies they contract with—whether vendors, suppliers, or clients—what type of cyber insurance they have, if any.

Heightened Risk for Government Contractors

In October, the Department of Justice announced a Civil Cyber-Fraud Initiative to increase prosecutions of cybersecurity violations by parties contracting with the government via complaints filed under the False Claims Act (FCA).

Contractors doing business with the federal government that do not have the cybersecurity measures in place required by their contract face potential exposure to fines, treble damages, and other penalties under the FCA. Depending on the standards incorporated in the specific contract, violations can range from deficient data security measures to failure to report a cyber breach in a timely manner. Accountability extends to anyone who is handling data or information for the party that is contracted with the government and puts into focus the importance of understanding all third-party relationships throughout the supply chain.

At the same time that federal government agencies are imposing more stringent cybersecurity requirements on federal contractors, the Civil Cyber-Fraud Initiative also encourages whistleblowers to pursue cases of potential fraud or contract breach. Much of this encouragement involves devoting government resources to investigating whistleblower allegations. As an example of this trend, the Infrastructure Investment and Jobs Act created the Office of the National Cyber Director.

Companies ill-prepared for a cyberattack are facing risk from multiple sides, from the bad actors online to members of their organization who are now more incentivized to file qui tam complaints under the FCA.

To ensure compliance with federal regulations, contractors should pay close attention to the following two standards.

  • Basic Safeguarding of Covered Contractor Information Systems applies to most parties that contract with the federal government and is focused on controlled unclassified information. Contractors are required to have systems in place to identify malware as well as limit access to systems where federal government information is stored. Requirements also include multi-factor authentication practices to access the system and a documented cyber incident response plan.
  • Safeguarding Covered Defense Information and Cyber Incident Reporting is required for Department of Defense (DOD) contractors and expands on the Basic Safeguarding of Covered Contractor Information Systems standard to protect covered defense information. A major feature of this standard is providing greater specificity to the process of investigating and reporting cyber incidents to the DOD.

The reach of cybercriminals is constantly growing. For contractors, the chain of impact of cybercrime can be extensive. From vendors to suppliers to clients such as the federal government, a breach of one company’s network could span all parties and leave a financial and reputational loss beyond recovery in its wake.