The Toughest Cyber Challenges Facing the Construction Industry
By David Anderson, Bridget Choi, and Jamin Valdez of Woodruff Sawyer
The construction industry is at the crossroads of innovation and vulnerability. Escalating cyber threats, tightening regulations, and increasing reliance on technology have created a need for rapid cyber maturity and tailored risk transfer solutions so that construction firms can better weather these challenges.
In this article we will discuss some of the toughest cyber challenges:
- The rise in social engineering attacks and fraudulent fund transfers
- Threats to building management systems
- Contractual risk management
Cybercrime That Exploits Vulnerabilities in Construction Businesses
One of the most pervasive and costly cyberattacks affecting the construction industry is a social engineering attack. In the context of cybercrime, social engineering schemes seek to trick victims into sharing data, downloading malware, or giving access to restricted systems. The most common form is fraudulent fund transfer. This is when cybercriminals use electronic communication to trick victims into diverting funds to the criminal’s account. Cyber criminals may use a variety of methods, including the following:
- Spoofing: Impersonating the victim’s executives, customers, or business partners, such as a supplier, attorney, or company CEO.
- Fake invoices or payment instructions: Sending fraudulent and/or manipulated documents to the victim.
- Business email compromise (BEC): Using a legitimate employee’s stolen or guessed email credentials to request invoice, electronic funds transfer (EFT), or credit card payments from customers disguised as the victim.
Criminals succeed in tricking recipients by instilling a sense of urgency, exploiting trust, or using other common social engineering techniques.
To combat these attacks, construction companies and contractors must implement strong funds transfer and payment account controls. Dual control for changes to payment accounts, including a separate call-back verification by a second person to a previously known number, is an effective strategy to avoid being defrauded.
The basic loss prevention controls for phishing scams are painfully simple but often overlooked. Losses usually occur when a breakdown in these controls occurs, or exceptions are made “because of an emergency.” Removing the variable of human nature in your controls is a surefire way to minimize phishing risk.
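The two controls described above, dual control over payment-account changes and a call-back by a second person to a number already on file, can be enforced in the payment workflow itself rather than left to judgement. The following is an added example, not code from the original article or from Woodruff Sawyer; the vendor record, user names, phone numbers and the `BankChangeRequest` fields are all constructed for illustration. It also shows the two ways such controls typically break: the approver is the same person who entered the request, or the call-back is made to a "new" number supplied with the request instead of the one on file, and it treats an emergency override as a rejection rather than a bypass.

```python
"""Payment-account change control: dual control plus independent call-back.

Constructed example. Every vendor, user and phone number below is invented.
"""
from dataclasses import dataclass, field
from typing import Optional

# Constructed vendor master file. The phone number on file predates any
# change request, so it is the only number a call-back may use.
VENDOR_MASTER = {
    "V-1001": {
        "name": "Acme Steel Supply",
        "bank_account": "111222333",
        "known_phone": "+1-555-0100",
    },
}


@dataclass
class BankChangeRequest:
    vendor_id: str
    new_account: str
    requested_by: str                        # AP clerk who keyed the request
    phone_in_request: Optional[str] = None   # number offered in the email for "verification"
    approved_by: Optional[str] = None        # second person who performed the call-back
    callback_number_used: Optional[str] = None
    callback_confirmed: bool = False
    emergency_override: bool = False         # "because of an emergency" flag
    rejections: list = field(default_factory=list)


def record_callback(req: BankChangeRequest, caller: str, number_dialed: str, confirmed: bool) -> None:
    """The second person records which number they dialled and what the vendor said."""
    req.approved_by = caller
    req.callback_number_used = number_dialed
    req.callback_confirmed = confirmed


def evaluate(req: BankChangeRequest) -> tuple[bool, list[str]]:
    """Return (approved, reasons). Every failed control is listed, none is waived."""
    reasons: list[str] = []
    vendor = VENDOR_MASTER.get(req.vendor_id)
    if vendor is None:
        return False, ["unknown vendor id"]

    if req.emergency_override:
        # An emergency is exactly when fraudsters expect controls to be skipped.
        reasons.append("emergency override is not an accepted bypass")
    if req.approved_by is None:
        reasons.append("no second-person approval recorded")
    elif req.approved_by == req.requested_by:
        reasons.append("requester and approver must be different people")
    if req.callback_number_used != vendor["known_phone"]:
        reasons.append("call-back must use the number on file, not a number from the request")
    if not req.callback_confirmed:
        reasons.append("vendor did not confirm the change on call-back")

    req.rejections = reasons
    return (not reasons), reasons


def apply_change(req: BankChangeRequest) -> bool:
    """Update the master file only when every control passed."""
    ok, _ = evaluate(req)
    if ok:
        VENDOR_MASTER[req.vendor_id]["bank_account"] = req.new_account
    return ok


if __name__ == "__main__":
    # Typical BEC pattern: the email supplies a "new" phone number to call.
    req = BankChangeRequest("V-1001", "999888777", "ap.clerk", phone_in_request="+1-555-0199")
    record_callback(req, "ap.clerk", "+1-555-0199", confirmed=True)
    print(evaluate(req))   # rejected: same person, wrong number
    record_callback(req, "controller", "+1-555-0100", confirmed=True)
    print(evaluate(req))   # approved
```

The point of `evaluate` returning every failed control rather than the first one is that the rejection list doubles as the audit trail an underwriter or auditor will ask for when reviewing how exceptions are handled.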
Because of the human element, construction companies should also ensure they have a cyber insurance and commercial crime policy that responds to these schemes.
Given the amount of funds contractors exchange every day, funds transfer fraud should be a top priority for any company’s risk management strategy.
Threats to Building Management Systems
A building management system (BMS) or building automation and control system (BACS) manages and monitors all building systems, including the electrical system, HVAC system, renewable energy production, and electricity and gas meters.
Integrated building management systems (IBMS) will extend to access control, video surveillance, and fire prevention systems, among others. All these use cases create immense simplicity in managing a building but present a large attack surface area for cyber criminals.
Common vulnerabilities in BMS or BACS include:
- End-of-life systems: Many buildings still operate on outdated BACS technologies that lack robust security features, making them susceptible to cyberattacks.
- Lack of segmentation: The interconnected nature of BACS means that a breach in one component can potentially compromise others.
- Remote access: Remote monitoring and control capabilities, while convenient, open doors to cyber threats if not properly secured.
- Third-party integration: Integration with third-party applications and services can introduce additional security risks.
- Human error: Employees or contractors may inadvertently introduce vulnerabilities through misconfigurations or unsafe practices.
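The weaknesses in the list above are easier to manage when they are checked against an inventory and a segmentation policy instead of being reviewed by hand. The following is an added example, not code from the original article or from any BMS vendor; the device records, zone names, the allowed zone-to-zone flows and the remote-access labels are assumptions constructed for this illustration (BACnet/IP's default port 47808 is real). It flags end-of-life devices, devices reachable by direct remote access instead of through a management zone, and observed flows that cross zone boundaries the policy does not allow, including third-party integrations talking straight to controllers.

```python
"""BMS inventory and segmentation audit over constructed sample data."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Device:
    name: str
    zone: str              # "bms", "mgmt", "corporate", "vendor", "internet"
    vendor_supported: bool # False means no more security updates (end of life)
    remote_access: str     # "none", "vpn_mfa_via_mgmt", or "direct"


@dataclass(frozen=True)
class Flow:
    src_zone: str
    dst_zone: str
    dst_port: int
    description: str


# Assumed segmentation policy: controllers talk to each other and to the
# management zone; corporate users and third-party vendors reach controllers
# only through the management (jump host) zone; nothing from the internet.
ALLOWED_FLOWS = {
    ("bms", "bms"),
    ("mgmt", "bms"),
    ("corporate", "mgmt"),
    ("vendor", "mgmt"),
}


def audit_devices(devices: list[Device]) -> list[tuple[str, str]]:
    """Return (device, finding) pairs for end-of-life and exposed devices."""
    findings = []
    for d in devices:
        if not d.vendor_supported:
            findings.append((d.name, "end-of-life: no vendor security updates; isolate or replace"))
        if d.remote_access == "direct":
            findings.append((d.name, "direct remote access; route through mgmt zone with VPN and MFA"))
    return findings


def audit_flows(flows: list[Flow], allowed=ALLOWED_FLOWS) -> list[Flow]:
    """Return observed flows that cross a zone boundary the policy does not allow."""
    return [f for f in flows if (f.src_zone, f.dst_zone) not in allowed]


# Constructed sample inventory.
DEVICES = [
    Device("hvac-ctrl-01", "bms", vendor_supported=True, remote_access="vpn_mfa_via_mgmt"),
    Device("elevator-ctrl-02", "bms", vendor_supported=False, remote_access="none"),
    Device("access-ctrl-03", "bms", vendor_supported=True, remote_access="direct"),
    Device("jump-host-01", "mgmt", vendor_supported=True, remote_access="vpn_mfa_via_mgmt"),
]

# Constructed sample of observed flows (as a firewall log summary might show).
FLOWS = [
    Flow("mgmt", "bms", 47808, "jump host to controllers over BACnet/IP"),
    Flow("corporate", "bms", 47808, "office workstation polling controllers directly"),
    Flow("vendor", "bms", 443, "third-party analytics platform reading controllers directly"),
    Flow("internet", "bms", 443, "controller web UI reachable from the internet"),
    Flow("bms", "bms", 47808, "controller to controller"),
]


def run_audit(devices=DEVICES, flows=FLOWS) -> dict:
    """Bundle both audits so a report or test can consume one result."""
    return {"devices": audit_devices(devices), "flows": audit_flows(flows)}


if __name__ == "__main__":
    result = run_audit()
    for name, finding in result["devices"]:
        print(f"DEVICE {name}: {finding}")
    for f in result["flows"]:
        print(f"FLOW {f.src_zone}->{f.dst_zone}:{f.dst_port} not allowed: {f.description}")
```

Feeding the same `audit_flows` check with flows exported from the real firewall, rather than the constructed list, turns the "lack of segmentation" bullet into a repeatable control that can be re-run after every vendor integration or remote-access change.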
BMS or BACS, like any other computer system, are vulnerable to cyberattacks from industry competitors, industrial spies, transnational cyber criminals, or nation-states. In other words, the computer system, which may have vulnerabilities, now controls elevators, HVAC systems, water purification systems, and building security, which can present novel impacts, including operation disruptions, physical safety threats, equipment damage, or tampering with energy levels or consumption. This may result in the manipulation of building operations—leading to adverse impact on HVAC, lighting, access controls, or even safety systems, which can cause safety hazards for occupants.
To build a defense into the design, consider the following:
- Construction companies, architects, and engineers must consider network security and resilience (the ability to keep delivering service despite a cyberattack) as they design and build out BMS in their properties.
- Property managers must contemplate safety and evacuation requirements without the benefit of connectivity or power to the building in an emergency.
Contractors, landlords, and developers must understand that traditional cyber insurance and property insurance policies absolutely do not cover physical damage to buildings and equipment when it arises out of a cyberattack. Should this exposure exist in a project or property, interested parties need to make sure appropriate insurance coverage is in place.
Read: Exploring Cyber Insurance and Its Intersection with Property Coverage
Contractual Risk Management
Evolving contractual risks in the construction sector mean firms must safeguard their interests and uphold cybersecurity requirements.
Government Contracts
Cybersecurity Maturity Model Certification (CMMC) refers to a Department of Defense (DoD) program and Defense Federal Acquisition Regulation Supplement (DFARS) clause that will require DoD contractors and subcontractors to demonstrate their continual compliance with numerous cybersecurity measures to remain eligible for and win new federal awards.
The CMMC standard ensures that contractors and suppliers protect sensitive information and maintain a strong cybersecurity posture. It builds upon existing standards and practices, such as the National Institute of Standards and Technology (NIST) SP 800-171 and NIST SP 800-53 and introduces a tiered certification model with three cybersecurity compliance maturity levels.
Because CMMC certification cannot be self-certified and requires a third-party audit, most companies will undergo a thorough audit before they attempt to certify. A managed services provider called a C3PAO can help a company go through the CMMC framework, determine whether cybersecurity improvements could occur, and organize the certification process itself.
Once the certification process is complete, a managed services provider can also create a game plan for improving the level of certification, if needed. Contractors are urged to seek their certification now as there are a limited number of C3PAO providers and many entities that will require the certification.
Insurance Contracts
Aside from compliance, the new technological risks in the construction industry have changed the standard insurance requirements. It has become imperative that those in the construction industry maintain limits of technology errors and omissions insurance and cyber insurance with additional insured coverage.
Limitation of Liability Clauses
Limitation of liability clauses can get overlooked and are an area of exposure. Setting controls with your legal and sales teams around limits of liability is crucial to managing contract risk.
A limitation of liability clause in a contract limits the amount of damages one party can recover from another for breaches or performance failures. Limitation of liability clauses can apply to the entire contract or just certain breaches or failures.
They can also limit the type of damages or claims that can be brought. A company will have to ensure its salespeople practice discipline by not giving away inappropriate or outsized indemnities when compared to the contract’s value.
Indemnity Agreements
Another clause that warrants scrutiny and risk management is indemnity agreements or clauses. Contractual indemnity clauses are a way to allocate risk and shift costs and losses between parties in a contract.
They require one party to pay for damages or losses that another party may incur due to specific future events. This can include reimbursing the other party for costs they have already paid, as well as making advance payments for unpaid costs and expenses.
Indemnity clauses may also include an obligation to defend against third-party claims and lawsuits, which can include paying for legal defense fees and attorney fees. It is therefore essential to understand which party is responsible for securing data, systems, and for cybersecurity losses in this context.
It is, unfortunately, common for indemnity commitments made in contracts to be vague and imprecise around liabilities and responsibility for wrongful acts. Consult your in-house legal expertise (or outside legal counsel) to construct template contracts and to establish controls and processes for making exceptions.
When purchasing insurance, underwriters will ask how these exceptions are being reviewed, and not having a process makes any company applying for insurance look naïve at best—reckless at worst.
Third-Party Contract Management
Managing third-party vendors has become challenging as vendors are increasingly a source of cyber liability. Third-party contract management is the oversight of written agreements with vendors that provide products or services.
Concerted efforts need to be made by procurement, IT, and legal to ensure vendors are providing adequate protection for data breaches and network security incidents. A well-written critical vendor contract helps protect the organization from hidden risks and optimizes the third-party relationship.
Whether reviewing a new critical third-party contract or negotiating added terms and conditions of an existing contract, there are many elements a company should consider. In relation to cyber risk, the contract should clearly identify the critical vendor’s responsibility to maintain policy and procedures to meet the data security objectives of applicable regulations.
Relying on third-party vendors can create cost efficiencies and turnkey technological benefits to your organization, but it also exposes you to third-party companies’ cyber hygiene in a very interconnected and dependent way.
Indemnities and clearly defined wrongful acts within a third-party vendor contract can provide protection from data breach costs and from the expenses of downtime suffered by your organization.
How Cyber Insurance Transfers Risk
The types of insurance required in the construction industry depend on the scope, type, and any specific requirements of the project. It is a market standard in construction for entities to carry, at a minimum, commercial general liability, automobile liability, workers’ compensation, and employers’ liability insurance.
However, cyber insurance is also becoming a standard and can address many of the unique risks associated with contractors at all tiers, including missed-bid coverage, notification of data breach incidents to third parties or governmental entities, and indemnification of third parties for data breach loss.
Engaging your insurance broker for the above coverage as well as broader discussions around physical damage, AI (artificial intelligence), and other risks facing the construction industry should be a baseline consideration.
Learn more in the corresponding Woodruff Sawyer on-demand webinars: Cyber Risks in Construction: Building Resilience and Privacy Into Your Organization Part 1 & Part 2
David Anderson is Vice President, Cyber Liability with Woodruff Sawyer. He focuses on complex cyber, privacy, technology, and professional liability issues and is a dedicated and fierce advocate for his clients. He has extensive experience in risk assessment, risk management, and pre-breach network security risk discovery, as well as hands-on, post-incident client support and claims advocacy. He can be reached at [email protected] or 415.399.6471.
Bridget Choi is Lead Product Counsel, Cyber with Woodruff Sawyer. She works with clients to find creative solutions for complex cyber and privacy challenges. With a deep understanding of incident response, privacy law, and insurance policies and claims, she provides coverage solutions and technical services for clients. She can be reached at [email protected] or 415.402.6612.
Jamin Valdez is Vice President, Construction with Woodruff Sawyer. He partners with clients to navigate complex global commercial property and casualty insurance challenges, with a focus on construction risks. He works with clients in all arenas and geographies with an emphasis on construction, professional services, energy, and real estate to develop risk management solutions. Valdez can be reached on LinkedIn, [email protected], or 858.876.4160.