The Chain Reaction of Cybercrime in the Construction Industry

  

By Ken Chapman and Frank Tanzola of IAT Surety, a member of IAT Insurance Group
Published May 3, 2022

 

For many years, the construction industry has avoided the cyberthreat spotlight because of the appeal of other industries and large companies storing larger volumes of sensitive and therefore lucrative data. But this lack of attention from bad actors may be lulling some construction companies into a false sense of safety.

 

Cybercriminals are now branching out to what they consider softer targets—construction companies. The construction industry was the most frequently hit by ransomware in 2021, as hackers held hostage key information that affected project timelines.[1] Through schemes such as business email compromise (BEC), cybercriminals are also hacking or impersonating construction company emails to divert contract payments.

 

This escalating concern is far-reaching: breached networks can delay project timelines and also expose sensitive information, affecting not only contractors but also the vendors, suppliers, and owners they contract with.

 

It’s not a matter of if, but when a company will experience a cyber intrusion. To minimize the impact of these intrusions and their financial consequences, computer and network systems preparedness, as well as cyber insurance consideration, are more important than ever.

 

Considerations for Systems Preparedness and Cyber Coverage

 

Like other industries that have long been impacted by the threat of cybercrime, construction companies need to take security into their own hands. Some considerations include:

 

  • Procedures and policies enacted to prevent a breach
  • Procedures and policies enacted post breach, i.e., intrusion response
  • Are employees and contractors educated on cyberthreats and required to follow security measures such as multi-factor authentication when accessing the network?

 

For some organizations, these areas assume a level of IT sophistication beyond their current state. In these cases, engagement with a cyber consultant and/or enlisting the help of their insurance professional is critical. Should cyber coverage be an option, the cyber underwriter will need this baseline detail as well.

 

Should cyber coverage be an option, make sure to consider:

 

  • Limits
  • Incident response by a third party (such as an attorney firm or cyber consultant)
  • Notification expense

 

Notification expenses come into play for larger businesses that, if breached, could face substantial notification fees while contacting hundreds or thousands of impacted parties.

Beyond a company’s own coverage, business owners should be asking the companies they contract with—whether vendors, suppliers, or clients—what type of cyber insurance they have, if any.

 

Heightened Risk for Government Contractors

 

In October, the Department of Justice announced a Civil Cyber-Fraud Initiative[2] to increase prosecutions of cybersecurity violations by parties contracting with the government via complaints filed under the False Claims Act (FCA).

 

Contractors that do business with the federal government without the cybersecurity measures required by their contract face potential exposure to fines, treble damages and other penalties under the FCA. Depending upon the standards incorporated in the specific contract, violations can range from deficient data security measures to failure to report a cyber breach in a timely manner. Accountability extends to anyone who handles data or information for the party contracted with the government, which brings into focus the importance of understanding all third-party relationships throughout the supply chain.

 

At the same time that federal government agencies are imposing more stringent cybersecurity requirements on federal contractors, the Civil Cyber-Fraud Initiative also encourages whistleblowers to pursue cases of potential fraud or contract breach. Much of this encouragement involves devoting government resources to investigating whistleblower allegations. As an example of this trend, the Infrastructure Investment and Jobs Act created an Office of the National Cyber Director[3].

 

Companies ill-prepared for a cyberattack are facing risk from multiple sides, from the bad actors online to members of their organization who are now more incentivized to file qui tam complaints under the FCA.

 

To ensure compliance with federal regulations, contractors should pay close attention to these two standards:

 

  • Basic Safeguarding of Covered Contractor Information Systems applies to most parties that contract with the federal government and is focused on controlled unclassified information (CUI). Contractors are required to have systems in place to identify malware as well as limit access to systems where federal government information is stored. Requirements also include multi-factor authentication practices to access the system and a documented cyber incident response plan. 
  • Safeguarding Covered Defense Information and Cyber Incident Reporting is required for Department of Defense (DOD) contractors and expands on the Basic Safeguarding of Covered Contractor Information Systems standard to protect covered defense information (CDI). A major feature of this standard is providing greater specificity to the process of investigating and reporting cyber incidents to the DOD.

 

The reach of cybercriminals is constantly growing. For contractors, the chain of impact of a cybercrime can be extensive. From vendors to suppliers to clients such as the federal government, a breach of one company’s network could span all parties and leave a financial and reputational loss beyond recovery in its wake.

 

 

 

[1] NordLocker. “Top industries hit by ransomware,” 2021.

[2] The United States Department of Justice. “Deputy Attorney General Lisa O. Monaco Announces New Civil-Fraud Initiative,” October 6, 2021.

[3] The White House. “Office of the National Cyber Director,” 2021.

  


Ken Chapman is Executive Vice President of Surety at IAT Surety, a member of IAT Insurance Group. He oversees all of the company’s Commercial and Contract Surety operations, bringing nearly 35 years of surety experience to the role. He is also a member of the Surety & Fidelity Association Board of Directors as well as the SFAA Foundation Board of Directors.
He can be reached at Kenneth.chapman@iatinsurance.com or 973.776.8455.

Frank J. Tanzola is Senior Vice President, Chief Legal Officer for IAT Surety, a member of IAT Insurance Group. He has been with the company for over 30 years and has headed its Legal & Claims Department for the past 13 years. Prior to joining IAT, he practiced law in the areas of commercial litigation, surety and construction law. He is admitted to the New Jersey Bar and to the Federal District Court for the District of New Jersey. He is also a former Vice Chair of the ABA TIPS Fidelity and Surety Law Committee and is a current member of the TIPS Dispute Resolution and Corporate Counsel Committees.
He can be reached at Frank.Tanzola@iatinsurance.com or 973.776.8770.

 
