This feature is part of ‘The Dotted Line’ series, which takes an in-depth look at the complex legal landscape of the construction industry. To view the entire series, click here.
As cybersecurity attacks on US-based companies increase, general contractors are not immune. In fact, they have quickly become a target.
“It’s not a matter of if but when,” said attorney Kelly Johnson, a partner at Goldberg Segalla in New York City, who focuses on cybersecurity and technology error and omissions litigation.

Construction companies may not seem like an obvious cash cow for cybercriminals, but they’ve become vulnerable in part because as other sectors like finance and healthcare have tightened their security postures, construction hasn’t kept pace. It’s easier for threat actors to go after the least protected industries, the low-hanging fruit.
Construction companies may also be working on critical infrastructure projects, which could make them targets for political opponents.
According to a 2023 survey by Dodge Construction Network in partnership with content management and security company Egnyte, 59% of AEC companies surveyed reported experiencing a cybersecurity threat within a two-year period. General contractors were the most affected, with 70% experiencing a threat and 30% experiencing a ransomware attack in that same time period.
If contractors were locked out of their system by malware or ransomware, the effects could be devastating, especially on large commercial and infrastructure projects with budgets in the hundreds of millions of dollars. According to the report, 77% of architects, engineers and contractors said they cannot go more than five days without accessing their documentation before their projects experience serious schedule impacts.
Johnson said a breach could also cause untold reputational damage to a general contractor and its clients. Then there’s the legal risk if they and their subordinates don’t have basic cybersecurity measures in place and don’t properly disclose an attack if it occurs.
“You’re not only dealing with your own cyber breach damage, you’re also dealing with your client’s damages,” he said.
Here’s what general contractors need to know about what they can do through legal, contractual and insurance channels to protect themselves.
GC is vulnerable to sub attacks
General contractors’ liability for a cyberattack may not end with their own digital footprint. For example, if a subcontractor is hacked, what happens next largely depends on the contract, said Philadelphia-based Mark McCreary, chair of Fox Rothschild’s artificial intelligence practice and co-chair of its data privacy and security practice.

“Normally, the customer doesn’t want to deal with seven different companies. They want to deal with one,” he said. “If there’s a compromise and data is lost … in most scenarios, it’s the responsibility and liability of the general contractor.”
To help protect against attacks on subcontractors, general contractors should do due diligence on subcontractors to make sure “they take cybersecurity seriously and it’s not an afterthought,” he said. In subcontracting agreements, a general contractor should include “requirements relating to good data security practices, deletion of data at the end of a project, confidentiality, indemnification of third party claims arising from a breach that is not subject to any limit of liability or a much higher limitation of liability and the cyber insurance requirements.”
This can be difficult with smaller subcontractors who often don’t have the resources to do a full-scale cybersecurity review. But general contractors can also protect their data, and that of their client, by withholding it and limiting the information subcontractors receive.
That way, if there is a breach, what the hackers get can at least be contained. “If you don’t need to give them a litany of data, give them only what they need. There is less to lose,” he said.
Contractors can do this by not sharing sensitive information beyond the scope of what the subcontractor needs. For example, if the subcontractor does not need pricing information from another subcontractor or contact information for the owner’s employees, the general contractor must ensure that the portion of its network that has this sensitive data is not shared with the subcontractors.
Insurance against attacks
Cybersecurity insurance can also protect general contractors, and that coverage can be extended to subcontractors. “It’s usually covered, but you want to make sure you’re dealing with an [insurance] seller who knows what they’re talking about,” McCreary said.
Johnson said contractors who don’t have the experience or knowledge of how to put basic security measures in place can also turn to potential cybersecurity insurance providers, who often partner with security professionals to help put clients on form of security
“Some will even include it in the price of the policy,” he said. “There are creative options for companies that feel lost at sea when it comes to cybersecurity.”
General contractors may also have an underwritten policy that covers subcontractors, if the subcontractor has the same level of cybersecurity protections as the prime contractor.
On the other hand, requiring it as part of a risk assessment when choosing subcontractors for a job may also be overkill, he added. The reason has to do primarily with the amount of data subcontractors have online.
Smaller subcontractors may not even have their own enterprise software system. In an industry known for using hammers and power tools instead of computers, they often don’t even work on the computer, which means they don’t keep a lot of information online. “You probably have a lot of circumstances where a subcontractor default would probably have zero effect on the project or the general contractor,” Johnson said.
When attacks occur
Despite the best efforts of contractors, attacks do happen. In that case, Johnson said the first party a general contractor should turn to is its cybersecurity insurance provider.
Most likely, the provider will supply the company with an attorney who can guide it through what it is legally required to disclose according to the Securities and Exchange Commission, which published new public disclosure rules in 2023.
Following those requirements will help protect a general contractor from third-party litigation if personal information is involved in a hack, he said.
Construction companies also won’t be out in the wild looking for help, he added, as cybersecurity insurance has become more commonplace since the 2010s for the industry. This means it’s easier today for contractors to get pre-hack insurance that actually covers them. In the past, there were only a handful of cybersecurity insurers covering construction companies, to the point where they didn’t even know what questions to ask contractors on an application.
If your company is overwhelmed, don’t be, Johnson added. No general contractor breaks new ground with this type of protection anymore.
“Let your insurer help you,” Johnson said. “Not only does this get you an expert, but it will also lower your rates because your insurer will be more confident that you’re covered.”
Correction: This story as originally published misspelled Fox Rothschild.
____________________________________________________________
The Dotted Line series is brought to you by AIA Contract Documents®, a recognized leader in design and construction contracts. AIA Contract Documents has no influence on Construction Dive’s coverage within the articles, and the content does not reflect the views or opinions of The American Institute of Architects, AIA Contract Documents, or its employees.
