Design, engineering, and construction projects carry a multitude of risks. Most of these are identified, well defined, and, hopefully, allocated to the party most capable of managing them. However, cyber intrusion and its potential impact on your business – or your project owner's business – is probably the least appreciated of all construction risks, and it has no clear path to risk allocation or management.
We sit down with John Johnson, Construction Practice Leader at Marsh, to learn more about what cyber risks are present in construction and how you can protect your business.
MW: CAN YOU TELL ME WHO NORMALLY IS AT RISK WHEN IT COMES TO CYBER?
JJ: Cyber risk usually affects businesses that handle and transmit sensitive and proprietary information such as client data or confidential project information, intellectual property, sensitive commercial material, subcontractor data or financials, and employee data.
The construction industry is included in this, as common platforms are used to distribute and manage all kinds of engineering and construction data. This creates vulnerability – and a shared responsibility. A hacker with access to construction data could wreak havoc not only operationally but also through the physical destruction of data by threatening the safety of people on-site.
Even attackers who don't intend physical harm may still be interested in valuable corporate data, such as intellectual property or data that provides a competitive edge. Hackers who aren't interested in your company's data may still capitalize on weaknesses in your system to reach other IT networks. This could hold true for contractors who may have access to other targeted systems, and even more so for government contractors who may have such data stored on or flowing through their IT systems, which increasingly are tied to a government's IT network.
MW: DOES TRADITIONAL INSURANCE PROTECT YOUR BUSINESS FROM CYBER RISK?
JJ: Traditional policies don't generally cover damages caused by data breaches. Commercial liability policies don't respond to damages to intangible property, and they often have data and technology exclusions. Property policies provide loss-of-business-income coverage only if there was direct physical damage to your property. They don't cover damage caused by hackers or rogue employees who shut down your or your project owner's website, computer systems, or the systems of a service provider you rely upon to conduct business. Professional liability insurance – design, design-build, or engineering-procurement-construction E&O – may not respond to a cyber intrusion and the resulting losses or damages.
MW: WHAT EXACTLY DOES CYBER INSURANCE COVER?
JJ: Cyber insurance covers first- and third-party losses – damage to internal IT systems as well as third-party liability. It will help mitigate losses from various cyber and electronic issues, such as unauthorized access, business interruption, and network damage caused by a virus, malware, or human error. It acts as a separate insurance tower in addition to commercial liability coverage.
Project owners are becoming increasingly concerned about the information and supply chain security of their design, engineering and construction companies. As a result, owners are beginning to add contractual requirements for cyber liability coverage in certificates of insurance before any work is performed.
MW: HOW CAN YOU MITIGATE RISK BEFORE A CYBER EVENT?
JJ: Start by creating an incident response plan: Appoint a cross-functional incident response team with advisors in legal, compliance, privacy, public relations, government affairs, audit matters, and ethics, as well as IT and information security. You should also designate leadership. Establish clear roles and outline escalation procedures and communication protocols, including guidelines for external communications. Finally, make sure ALL of your employees are trained, not just a select few.
Michelle A. Wesolowski