By Ken Chapman and Frank Tanzola
Cybercriminals are now branching out to what they consider softer targets – construction companies. The construction industry was the most frequently hit by ransomware in 2021, as hackers held hostage key information that affected project timelines. [1] Through schemes such as business email compromise (BEC), cybercriminals are also hacking or impersonating construction company emails to divert contract payments.
This escalating concern is far-reaching: breached networks can not only delay project timelines but also expose sensitive information, affecting not only contractors but also the vendors, suppliers and owners they contract with.
It’s not a matter of if, but when a company will experience a cyber intrusion. To minimize the impact of these intrusions and their financial consequences, computer and network systems preparedness, as well as cyber insurance consideration, are more important than ever.
Considerations for Systems Preparedness and Cyber Coverage
Like other industries that have long been impacted by the threat of cybercrime, construction companies need to take security into their own hands. Some considerations include:
For some organizations, these areas assume a level of IT sophistication beyond their current state. In these cases, engagement with a cyber consultant and/or enlisting the help of their insurance professional is critical. Should cyber coverage be an option, the cyber underwriter will need this baseline detail as well.
Should cyber coverage be an option, make sure to consider:
Notification expenses come into play for larger businesses that, if breached, could face substantial notification fees while contacting hundreds or thousands of impacted parties.
Beyond a company’s own coverage, business owners should be asking the companies they contract with — whether vendors, suppliers, or clients — what type of cyber insurance they have, if any.
Heightened Risk for Government Contractors
In October, the Department of Justice announced a Civil Cyber-Fraud Initiative[2] to increase prosecutions of cybersecurity violations by parties contracting with the government via complaints filed under the False Claims Act (FCA).
Contractors that do business with the federal government without the cybersecurity measures required by their contract face potential exposure to fines, treble damages and other penalties under the FCA. Depending upon the standards incorporated in the specific contract, violations can range from deficient data security measures to failure to timely report a cyber breach. Accountability extends to anyone who is handling data or information for the party that is contracted with the government, and puts into focus the importance of understanding all third-party relationships throughout the supply chain.
At the same time that federal government agencies are imposing more stringent cybersecurity requirements on federal contractors, the Civil Cyber-Fraud Initiative also encourages whistleblowers to pursue cases of potential fraud or contract breach. Much of this encouragement involves devoting government resources to investigating whistleblower allegations. As an example of this trend, the Infrastructure Investment and Jobs Act created an Office of the National Cyber Director[3].
Companies ill-prepared for a cyberattack are facing risk from multiple sides, from the bad actors online to members of their organization who are now more incentivized to file qui tam complaints under the FCA.
To ensure compliance with federal regulations, contractors should pay close attention to these two standards:
The reach of cybercriminals is constantly growing. For contractors, the chain of impact of a cybercrime can be extensive. From vendors to suppliers to clients such as the federal government, a breach of one company’s network could span all parties and leave a financial and reputational loss beyond recovery in its wake.
For more information on how to protect yourself from a devastating cyber incident and ensure compliance with new regulations, contact the IAT team.
[1] NordLocker. “Top industries hit by ransomware,” 2021.
[2] The United States Department of Justice. “Deputy Attorney General Lisa O. Monaco Announces New Civil-Fraud Initiative,” October 6, 2021.
[3] The White House. “Office of the National Cyber Director,” 2021.