Cybercrime and the Construction Industry: Managing Cyber Security Risks

By Sara M. Bour, Esq., Manager and Counsel, AIA Contract Documents

January 28, 2022

On a global scale, cybercrime incidents have been skyrocketing and permeating all industries. Vulnerabilities have been exposed in networks across all sectors. The FBI’s 2020 Internet Crime Report shows it received 791,790 cybercrime complaints, with reported losses of over $4.1 billion. This was a 69% increase in total complaints from 2019. Construction and design firms are not immune to these attacks, and incidents have become more prevalent against firms of all sizes.

The FBI Cyber Crimes Division defines cybercrime as crimes that involve a computer or a network.[1] It can range from breaching a network, to accessing or obtaining client data and other confidential information. What does this mean in the construction realm? Construction clientele may store two primary types of data: personally identifiable information (PII) and sensitive project data. PII can include employee, customer, contractor, and vendor names, e-mails, social security numbers, payroll information, and other payment information. Sensitive project data may include contract or bid information, intellectual property, or supply chain management data. For design firms in particular, sensitive project information may include intellectual property, like architectural and engineering designs, drawings, and specifications, or other design rights. All PII and sensitive project information has value. For example, it may be used to purchase items with stolen credit card information, collect e-mails for phishing campaigns, gain a competitive advantage when bidding on projects, or extort individual victims.

The construction industry, along with oil and gas and technology, have suffered from historical cyberattacks resulting in severely detrimental outcomes. Victims of both small- and large-scale attacks were subject to significant monetary and reputational damages.

·       In 2021, it was reported that the largest fuel pipeline in the United States, Colonial Pipeline Co., was hacked.[2] Hackers entered Colonial’s network through a VPN account, allowing remote access to the company’s networks. An employee’s password to the breached account was discovered on the dark web. Though the account was deactivated at the time of the hack, it remained accessible. The hack resulted in a fuel shortage across the east coast. Colonial paid a ransom of approximately $4.4 million as a result of the attack.

·       The United Stated Government Accountability Office reported that in 2020, SolarWinds suffered from a large and multilayered cyberattack.[3] Hackers breached SolarWinds’ systems and added malicious coding to the company’s software. SolarWinds then sent the infected software update to its users, including federal agencies and technology contractors, leaving 18,000 of its customers vulnerable to attack. The tainted software update enabled foreign hackers to install malware and spy on SolarWinds’ clients. SolarWinds has said that the breach cost at least $18 million.

·       In 2016, Turner Construction Company was the victim of cybercrime.[4] In response to a spear-phishing email, a Turner employee unknowingly replied to the cybercriminals with both current and former employee PII, including their names and social security numbers.

·       In 2012, Saudi Arabia Aramco Company, one of the largest oil and gas companies, was the victim of a cyberattack.[5] A computer technician for the company clicked a malicious link received via spam e-mail. Malware then wiped data, stole passwords, and hijacked the company’s systems, leaving employees without access or a means of communicating corporate matters.

After an attack, victims may not only pay ransom monies to the hackers, but they may be subject to state fines and penalties for data breaches. Responsive and remediating costs can add up too, such as notifying affected customers, increased insurance premiums, as well as added and updated cyber security measure costs.

How can the construction sector manage cybercrime risks? Thankfully, there are variety of ways to better secure networks, increase defenses, and mitigate damages. Here are a few recommendations to implement now, so that your firm can be better protected against a cyberattack.

1.     Implement Internal Cyber Security Protocols.

Construction and design firms should implement, periodically review, and completely understand their company-wide cyber security protocols. To begin, firms can look to the National Institute for Standards and Technology (NIST) Cyber Security Framework, which is a voluntary guidance based on existing standards, guidelines, and practices for organizations to better manage and reduce cyber security risks.[6] As part of a cyber security policy, NIST recommends developing and implementing safeguards and activities to identify, protect against, detect, respond to, and recover from cyberattacks.[7] In safeguarding against an attack, companies may implement password policies requiring employees to create, and regularly reset, effective passwords. For guidance, NIST 800-63 Digital Identity Guidelines is a published series of documents for implementation by the federal government, which contains recommendations and standards for creating and maintaining password security.

Equally as important as instating a cyber security policy is ensuring that employees, contractors, and vendors with access to the company’s systems are properly trained on their duties and responsibilities, as outlined in the company policy, to maintain secure networks. This can start with cyber security training as part of the new employee onboarding, cyber security awareness programs, or other professional development. For further checks and balances, a risk report published by the AIA Trust recommends running an annual tabletop exercise to test the firm’s plan and uncover gaps between policy and real-life action. Additionally, the risk report recommends firms to ensure that their antivirus software is up-to-date on all systems having access to the company’s networks.

2.     Implement Data Sharing Protocols on Projects.

Construction and design industries require routine access and sharing of sensitive data by a large number of entities throughout all phases of construction. Contracting parties may consider adding risk shifting language in connection with confidential information and PII. Where relevant, contracts should clearly define (i) what constitutes confidential information, (ii) who is responsible for protecting it, (iii) expectations for data security and encryption, and (iv) a plan if the data is accessed by an unauthorized user. It is recommended to understand all legal and contractual obligations that your firm may have in the event of unauthorized access to sensitive data.

When developing data sharing protocols, it should be considered that cybercrime is rapidly developing and adapting to new security measures. In light of this, parties may further agree to contract terms that implement data security audits performed by third-party IT consultants. Routine audits may ensure that the network remains intact, and the sensitive data is continually protected.

3.     Procure a Cyber Security Insurance Policy.

Costs and fines resulting from a data breach can run a small firm out of business. There are not only first party losses, but third-party financial losses too. AIA Owner-Contractor agreements allow for parties to identify the limits for liability insurance. Since CGL and professional liability policies typically exclude coverage for cyber incidents, the 2017 AIA Insurance and Bonds Exhibit provides the option of requiring cyber security insurance. For firms entering into AIA Owner-Architect agreements, the AIA Trust published the 2021 Architect’s Guide to Buying Cyber Liability Coverage detailing necessary topics to know about cyber liability coverage. Cyber security insurance generally covers business liabilities for a data breach involving PII. It may also cover the costs in complying with privacy regulations, protecting personal identities of affected customers, recovering comprised data, repairing damaged computer systems, and assisting with cyber extortion.

Cybercrime is an unfortunate reality in today’s world. Cyberattack risks remain great where companies rely on remote work and offsite access to networks. Damages from cybercrime can be severe and unexpected, leaving firms without a clear pathway to recovery. Though it is impossible to predict if and when you will be a victim of these elusive crimes, construction and design firms can implement procedures now to manage risks and better protect themselves from an attack.

[1] Federal Bureau of Investigation. FBI Cyber Crimes Division Career Information Accessed: January 16, 2022. [2] Turton, William and Mehrotra, Kartikay. “Hackers Breached Colonial Pipeline Using Compromised Password.” Bloomberg, June 4, 2021, Accessed: January 15, 2022. [3] D’Souza, Vijay. “SolarWinds Cyberattack Demands Significant Federal and Private-Sector Response (infographic).” U.S. Government Accountability Office, April 22, 2021, Accessed: January 15, 2022. [4] Sawyer, Tom and Rubenstone, Jeff. “Construction Cybercrime is on the Rise.” Engineering News-Record, May 8, 2019, Accessed: January 16, 2022. [5] Pagliery, Jose. “The Inside Story of the Biggest Hack in History.” CNN Business, August 5, 2015, Accessed: January 16, 2022. [6] National Institute for Standards and Technology. (2021, December 1). Questions and Answers Accessed: January 16, 2022. [7] National Institute for Standards and Technology (2014) Framework for Improving Critical Infrastructure Cybersecurity. (Department of Commerce, Washington, D.C.), Version 1.1, Updated April 16, 2018.

AIA Contract Documents has provided this article for general informational purposes only. The information provided is not legal opinion or legal advice and does not create an attorney-client relationship of any kind. This article is also not intended to provide guidance as to how project parties should interpret their specific contracts or resolve contract disputes, as those decisions will need to be made in consultation with legal counsel, insurance counsel, and other professionals, and based upon a multitude of factors.