This feature is a part of “The Dotted Line” series, which takes an in-depth look at the complex legal landscape of the construction industry.
As cybersecurity attacks on U.S.-based businesses ramp up, general contractors are not immune. In fact, they’ve quickly become a target.
“It’s not a matter of if but when,” said attorney Kelly Johnson, a New York City-based partner at Goldberg Segalla, who has a focus on cybersecurity and technology errors and omissions litigation.
Construction companies might not seem like an obvious potential cash cow for cybercriminals, but they have become vulnerable in part because, as other sectors such as finance and healthcare have hardened their security stances, construction has not kept up. It’s easier for threat actors to go after less protected industries — the low-hanging fruit.
Construction companies might also be working on critical infrastructure projects, which could make them targets of political adversaries.
According to a 2023 survey from Dodge Construction Network in partnership with content security and management company Egnyte, 59% of AEC firms surveyed reported that they experienced a cybersecurity threat in a two-year period. General contractors were hit the hardest, with 70% experiencing a threat and 30% a ransomware attack in that same time span.
If contractors were locked out of their system by malware or ransomware, the effects could be devastating, especially on large commercial and infrastructure projects with budgets of hundreds of millions of dollars. According to the report, 77% of architects, engineers and contractors said they can’t go more than five days without access to their documentation before their projects experience serious schedule impacts.
A breach could also do untold reputational damage for a general contractor and their clients, Johnson said. Then there’s the legal risk if they and their subs don’t have basic cybersecurity measures in place, and don’t disclose an attack properly if it happens.
“You’re not only dealing with your own damage from the cyberbreach, but you’re dealing with your client’s damages as well,” she said.
Here’s what general contractors need to know about what they can do through legal, contract and insurance channels to protect themselves.
GCs vulnerable to attacks on subs
General contractors’ liability for being hit by a cyberattack may not end with their own digital footprint. For example, if a subcontractor gets hacked, what happens next is largely dependent on the contract, said Philadelphia-based Mark McCreary, chair of Fox Rothschild’s artificial intelligence practice and co-chair of its privacy and data security practice.
“Typically the customer doesn’t want to deal with seven different companies. They want to deal with one,” he said. “If there’s a compromise and data’s lost … in most scenarios it’s the liability and responsibility of the general contractor.”
To help protect themselves from attacks on subs, general contractors should do due diligence on subcontractors to make sure they “take cybersecurity seriously and it’s not an afterthought,” he said. In subcontractor agreements, a general contractor should include “requirements regarding good data security practices, deletion of data upon completion of a project, confidentiality, indemnification from third party claims arising from a breach that is subject to no liability cap or a much higher limitation of liability and cyber insurance requirements.”
That may be difficult with smaller subcontractors who often don’t have the resources to do a full-scale cybersecurity review. But general contractors can also protect their data — and their client’s data — by not passing it on, and limiting the information that subcontractors receive.
That way if there is a breach, what hackers get can at least be contained. “If you don’t need to give them a litany of data, give them only what they need. There’s less to lose,” he said.
Contractors can do that by not sharing sensitive information outside the scope of what the subcontractor needs. For example, if the subcontractor doesn’t need pricing information from another subcontractor, or contact information of the owner’s employees, then the general contractor should make sure the part of their network that has such sensitive data is not shared with subs.
Insurance against attacks
There’s also cybersecurity insurance to protect general contractors, insurance that can extend to subcontractors. “It’s generally covered but you want to make sure you’re dealing with a[n insurance] vendor who knows what they’re talking about,” McCreary said.
Johnson said that contractors that lack the experience or knowledge on how to put basic security measures in place can also turn to potential cybersecurity insurance providers, who often partner with security professionals to help get clients into security shape.
“Some will even include it in the price of the policy,” she said. “There are creative options for companies who feel lost at sea in terms of dealing with cybersecurity.”
General contractors can also have a policy underwritten that covers subcontractors, provided the sub has the same level of cybersecurity protections as the prime.
On the other hand, requiring this as part of a risk assessment when choosing subcontractors for a job can be overkill, she added. The reason has to do with the amount of data subs have online in the first place.
Smaller subcontractors may not even have their own enterprise software system. In an industry that’s known for using hammers and power tools instead of PCs, they often don’t even do much work on the computer, which means that they don’t maintain a lot of information online. “You probably have a lot of circumstances where a subcontractor breach would probably have zero effect on the project or general contractor,” Johnson said.
When attacks happen
Despite contractors’ best efforts, attacks do happen. In that case, Johnson said the first person a general contractor should turn to is its cybersecurity insurance provider.
Most likely, the provider will supply the company with an attorney who can guide them through what they are legally required to disclose per the Securities and Exchange Commission, which released new public disclosure rules in 2023.
Following those requirements will help shield a general contractor from third-party litigation if any personal information is involved in a hack, she said.
Construction companies also won’t be going out into the wild looking for help, she added, as cybersecurity insurance has become more common since the 2010s for the industry. This means that it’s easier today for contractors to get insurance before a hack that will truly cover them. In the past, there were only a handful of cybersecurity insurers covering construction companies, to the point they didn’t even know what questions to ask contractors on an application.
If your company is overwhelmed, don’t be, Johnson added. No general contractor is forging a new path with this kind of protection anymore.
“Let your insurer help you,” Johnson said. “That not only gets you an expert on board but it also will reduce your rates because your insurer will be more confident that you’re protected.”
Correction: This story as originally published misspelled Fox Rothschild.
____________________________________________________________
The Dotted Line series is brought to you by AIA Contract Documents®, a recognized leader in design and construction contracts. AIA Contract Documents has no influence over Construction Dive’s coverage within the articles, and content does not reflect the views or opinions of The American Institute of Architects, AIA Contract Documents or its employees.