Five Actions Construction and Energy Risk Managers Can Take to Avoid the Catastrophic Consequences of a Cyber Attack

With the ever-increasing usage of technology in the construction and energy industries, risks to business operations have also increased. Property developers and construction contractors rely on electronic data and communications more than ever to streamline projects, ensure efficient and timely supply chain delivery, and facilitate immediate communications between parties. However, with this dependence upon technology comes the heightened risk of cyber criminals frustrating construction operations and driving up costs.

Similarly, as the energy sector has grown more dependent upon online networks for deliverables, vulnerabilities have become more pronounced in trades dependent upon electrical grids. When an entire electricity network must be taken offline in defense of a cyber-attack, this impacts countless industries such as hospitals and health care operations, manufacturers and suppliers, and local and interstate traffic systems.

One of the main avenues by which a cybercriminal organization breaches and infiltrates companies is through a vulnerable network, typically due to a lack of personnel training on cyber dangers. What may appear as a benign email clicked on by an unsuspecting employee could end up costing the victim organization hundreds of thousands of dollars, or even more, to rectify.

Cyber phishing is as commonplace as spam in an email inbox. With email spoofing, criminals pose as legitimate email senders to employees who are tricked by the content of the message. Examples include fallacious emails purporting to be from Human Resources, invoices for services, or innocuous server upgrade messages. Once the email recipient clicks on the link, the network is open and subject to the cyber criminal’s theft of personal data, including customer names, addresses, and even credit card information.

Ransomware attacks, another well-known form of cyber-crime, have received intense media attention in recent years. Once a cyber felon breaches an organization’s computer network, they usurp the company’s control and infect the network with software that, in some cases, locks the entire system. Then, while maintaining control of the network, they extort sums of money from the company under the threat of deleting the network’s backup system and/or releasing stolen information to other criminals. Unfortunately, victims of these crimes often pay huge sums to gain back control of their company’s sensitive data.

The financial and reputational damage caused by these attacks cannot be underestimated. Paying a ransom is costly and incentivizes cybercriminals. Production delays and the detrimental impact on the end-user and reputation of the company are but a few of the damages caused by cybercriminals. Often, in order to repair the damage and upload protective software, the entire network must be taken offline. This causes delays and the degradation of customer relations. Furthermore, if cybercriminals steal customers’ sensitive information, companies find themselves in the business of reparations to customers for years into the future.

The following proactive measures can minimize the financial impact of a cyberattack on the construction and energy industries.

1. Educate Your Organization

Employee education is paramount because an organization’s security is only as strong as its network gatekeeper. Firm procedures and education on password protection and phishing emails are starting points. The use of multifactor authentication is another layer of protection to ward off cyber felons. Reinforcement of good network practices by employees and maintaining a company’s backup separate from the network are less expensive ways to strengthen the defense against cyberattacks. Informing employees on what to do in the event the network has been breached and frequent reminders to employees on procedures assist in risk management.

2. Perform an Organizational Risk Assessment

Determining how vulnerable your organization is to cyber-crimes will undoubtedly lead to measures to shore up these cyber weaknesses. If your company has an Information Technology Department, ensure that its members have the background and expertise to continually assess the organization’s vulnerabilities. Require these employees to attend cutting-edge technology seminars to protect your network.

Performance of a mock attack to test the vulnerability of the company’s network is one way to determine weak links in the system. Surreptitious release of mock phishing emails to employees is another way to assess the network’s susceptibility to attack.

Simulation training is an additional way to determine how a company would hold up against an actual cybercrime. Usually performed with the help of a third-party, an organization’s network and protections are replicated and then attacked. The organization goes through the steps of addressing the threat in real-time and as if it were not a mock drill.

3. Consult with a Cyber Security Expert

Even if your organization has a solid IT Department, consultation with a cybersecurity consultant before catastrophic damage is money well spent. Hiring an expert before the damage is done makes financial sense.

4. Review Your Insurance Portfolio

Often companies rely on their general liability insurance coverages to protect them when they and their customers become victims of cybercrimes. Consult with the brokers who placed the company’s general liability (“CGL”), errors and omissions, crime, and directors’ and officers’ liability insurance policies to determine if the company’s existing coverages would suffice in the event of a cyberattack. Most insurers have sold cyber-crime endorsements at the time for CGL policy renewals. But companies with older CGL policy forms will meet resistance in attempting to shoehorn coverage for cyber losses into a traditional CGL policy. By way of example, insurance companies have previously denied covering cyberattack damages under a traditional CGL policy in reliance upon the War and Hostile Acts exclusion. To the extent the cyberattack is linked to an organization that is deemed an instrument of a foreign government steeped in conflict with another government, expect the insurer to assert such an exclusion.

If the company’s business crosses state and international borders, consult with insurance coverage counsel to perform a policy review from a state by state and international standpoint. Coverage attorneys can identify how courts have construed the coverage you currently have and whether these insurance products would serve to minimize the company’s exposure from a cyberattack.

5. Consider Purchasing Cyber Security Insurance Coverage

There are robust cyber security policy options on the market that cover a wide range of first-party and third-party liabilities such as privacy breach notification expense, business interruption expense, and regulatory defense and penalties. However, depending upon the type of business and how employees and third-parties access a network, insurance coverage for cyberattacks varies in cost. For example, a subcontracting construction company that does not house sensitive customer information and has only a handful of network users will be considered less of a risk than a large general contractor with hundreds of employees with access to the network. If a company has not had a previous cyber breach and employs layers of network security, it will be perceived as a lower risk by insurers.

In recent years, insurers underwriting cyber insurance have presented application questions geared toward the specific types of risk and history of cyberattacks experienced by the applicant. The more measures an organization takes to enhance security, the better the chance of procuring cyber insurance at more reasonable rates. One such question often found on a cyber insurance application is whether the organization routinely offers anti-fraud employee education. Another question insurers ask is whether the company’s network requires two-factor authentication. These examples demonstrate that insurers are carefully considering actions companies take internally, and that simple changes implemented by organizations can protect them from cybercriminals.

Cyber attacks are a threat to every organization with an online network. The energy and construction industries have seen increased ransomware attacks in recent years that have proven costly to organizations’ operations as well as to the end-users of goods and those dependent upon services. Therefore, taking proactive measures makes good business sense.

For additional information on whether your insurance program would protect you from cyber
criminals, contact Eve-Lynn Gisonni, Of Counsel, at egisonni@sdvlaw.com.