Cyber risk and incidents remain a regular feature in news headlines around the world, most recently illustrated by the colossal breach of Panamanian law firm Mossack Fonseca. The threat is so wide ranging that tackling the subject and deciding how to mitigate the risk can be a real challenge for any company which holds data; this includes both contractors and insurers of construction risks.
In some ways the term "cyber" has been helpful in raising awareness of technology-linked risks but at the same time this amorphous term can be confusing when it comes to identifying what the related risks are. If national governments and global financial institutions have yet to agree the scope of cyber risk (there is no comprehensive framework for the risk assessment of cyber catastrophes), then there should be a healthy dose of sympathy for a typical contractor trying to do the same.
One simple view of “cyber risk” is to break it down into two concepts: operational and informational risk.
Operational cyber risk arises out of a company's unprecedented reliance on electronic systems and the devastating effect on business that can occur when those systems are interrupted or interfered with. Companies often fall into the trap of thinking that because they do not have an online retail presence, their business will not be financially affected by a cyber attack. However, it is often the prolonged loss of simple electronic systems that can have a devastating effect.
Imagine just losing access to emails for a week. Whilst that might sound like heavenly bliss for many employees, conducting business as usual without email is almost inconceivable: from pitching for new work and meeting contractual deadlines to invoicing for completed work and paying suppliers.
Prolonged interruptions are not unheard of. In January, Lincolnshire County Council lost access to its systems for over a week following a fairly unsophisticated cyber attack.
Earlier this year, as part of a seminar on cyber business interruption, we considered a case study involving a fictional law firm called Uber Law which fell victim to a malware attack and suffered 3 days of interruption as it had to rectify 300 infected computers. You can watch a summary of the case study here, and the entire seminar here.
The financial losses suffered by businesses due to operational cyber risks are not always insured under their traditional insurance policies, and this has driven demand for new dedicated cyber coverages, either as standalone policies or as an "add-on" to existing policies.
Informational cyber risk arises out of the legal and commercial risks attaching to data and information. Construction companies are no different to any other company in holding ever increasing volumes of electronic data. While many companies will have already taken steps to ensure the security of the data that they hold, the ever-changing cyber environment means that it can be challenging for businesses to keep up with new developments and the associated risks. As a result, cyber security measures should be reviewed and updated regularly.
Recent highly publicised data breaches have grabbed headlines around the world and demonstrated the informational risk that companies carry not only for their customers or clients, but also for the data that they hold on their employees. Thousands of employees of a UK supermarket chain are suing their employer after a data breach leaked their personal data. In the recent case of Axon v MOJ the judge opined that employers could be vicariously liable for similar legal breaches.
Various high profile data breaches in the UK and around the World have served to highlight how unacceptable it is for companies not to have a clear understanding of what data they hold, what they are doing with it, and how it is secured.
It is important to note that risk attaches to all types of data and information, not just personal information. Data that must be kept secure and confidential might include intellectual property, commercially sensitive information, project plans and financial information. Construction projects, particularly those sponsored by public bodies, are frequently being managed using Building Information Modelling. This involves storing certain project information, such as schedules, design drawings, emails etc., which is shared between members of the project team. This can include confidential design information and design details, the copyright of which is owned by individual members of the design team. If there were a breach resulting in this confidential information, as well as information protected by copyright, being released, a wider range of legal obligations could be infringed.
When considering the operational and informational aspects of cyber risk, it quickly becomes clear that cyber is a risk that can only be mitigated and not eliminated. Therefore, companies should also prepare and rehearse for cyber and data breach incidents, and consider purchasing appropriate and adequate cyber insurance coverage.
Ensuring that the following precautions are in place and up to date may help minimise the risk of a data attack:
Ensure there is appropriate vetting of employees with access to confidential data;
Require employees to change passwords frequently;
Use additional layers of IT security for those accessing data remotely such as home workers;
Ensure IT is properly managed and overseen by senior IT members responsible for an efficient and modern system (adopting the best security practices available);
Ensure appropriate IT education is given to staff;
Restrict those employees/officials who can access the entire internal system;
Spread data across multiple infrastructures to limit the impact of a leak;
Prepare a response plan to be followed in the event the system is attacked; and
Review your IT policy and cyber security measures regularly to ensure that they are up to date and effective.