IRVINE, CA—The commercial-construction industry is vulnerable to cyberattacks for many typical reasons, but also for some unique, specific risks associated with the nature of construction, Newmeyer & Dillion LLP managing partner Jeff Dennis tells GlobeSt.com.

In a recent newsletter from the firm, Dennis and Nathan Owens said, “Commercial contractors have long faced their own unique business risks—labor and material shortages, delay claims, bonding issues and defects in workmanship. But, in today's ever-evolving cyber world, it is imperative that contractors understand they are vulnerable to risks beyond finishing a project on time and on budget. As we are seeing more and more each day, cyber threats impact all businesses, including the construction industry, and the failure to protect against these threats will cost your company millions in damages and reputational harm.”

We spoke with Dennis about why this industry is especially vulnerable to cyberattacks and how it can protect itself from them.

GlobeSt.com: Why is the commercial-construction industry especially vulnerable to hacking?

Dennis: The construction industry is vulnerable for many typical reasons, but also for some very unique, specific risks associated with the nature of construction. As with most companies, construction companies keep and control their own employees' data, as well as private customer information. Nearly every state has enacted laws that require a company to protect personal information within its control. Aside from personal information such as social-security numbers and bank accounts, commercial builders may also have highly confidential financial and proprietary information about their clients. Companies should also not forget about their own intellectual property and trade secrets—it should not be underestimated how vital protecting this information is to the success of any business.

Specific risks arise for the commercial-construction industry in several forms. For instance, a general contractor or owner who builds a commercial building replete with the latest technology needs to be aware of the risks: What happens if a hacker gains access to a building's command and control systems? Can they control the life-safety functions of a building? Will they demand a ransom to release control of the HVAC, lighting, security or elevator systems? And given the wide array of subcontractors and vendors who work together to complete a commercial project, how is their work being secured? What systems are in place to ensure that a vendor who works on a building's security system is not inadvertently providing an avenue for a later breach? These are specific examples of risks that are quite unique to the construction industry, and these risks must be appreciated, understood and planned for.

GlobeSt.com: How can the industry protect itself from cyberattacks?

Dennis: Given the very serious and ever-changing risks associated with cyberattacks, protection from them requires a multi-layered approach to security. Cybersecurity is a “one size fits one” proposition. Each and every business must start the process by discussing and determining their specific (and unique) risk profile. Once a company understands its unique risk aversion and needs, the remainder of the security process can be developed.

Although needs may be unique, several general areas of cybersecurity are required in every situation. First, a company must have some type of technical security. Virtually all companies have firewalls or other defensive mechanisms set within their computing system. But are more protections needed? Should a company hire an information security officer or retain an outside vendor to monitor their system 24 hours a day? Second, the industry must train its people. Phishing and social engineering are the fastest growing trends in cyberattacks—and these attacks focus on exploiting a company's employees to gain access to computer systems. Every company should work to train its employees on the importance of cybersecurity and their vital role in protecting the company from attacks. Finally, the industry can also protect itself by obtaining cyber liability insurance. More insurers are developing cybersecurity risk insurance as a “safety net” should an attack happen. Many companies incorrectly believe that their CGL policy will cover a cyber loss, and that may not be the case.

These are just a few examples of methods by which the construction industry can protect itself, and are not exhaustive or complete. As always, following a robust internal dialogue, a company should sit down with its risk advisors to chart the proper path.

GlobeSt.com: How is the cybersecurity industry meshing with the CRE industry's data-security needs?

Dennis: The cyber world continues to evolve to meet the needs of all impacted industries, including the world of commercial real estate. New technical products are being introduced regularly to deal with the cyber threat, which continues to become more complex and difficult to stop. In addition, new regulations are being developed to provide guidelines to companies so that they can determine what steps they should be taking to prepare for defending themselves against inevitable cyberattacks. Examples of these are the federal government's NIST standards, the recently-enacted New York State Financial Guidelines and the soon-to-be-released standards from the California attorney general's office. Companies should utilize these standards to understand what steps should be taken to protect against cyberattacks.

Also, cyber insurance products are developing for specific threats to the commercial construction space—products specifically designed to protect against business interruption or ransomware attacks (such as the recent WannaCry attack). Given the anticipated volume of cyberattacks in the next decade, the insurance industry has kicked into high gear to provide insurance products that will protect the commercial real estate industry from both common and unique risks.

GlobeSt.com: What else should our readers know about this topic?

Dennis: All of your readers should understand that the cyber risk is real, and is growing. Many companies mistakenly believe that because they have an internal IT professional or team, they are protected from cyberattacks. This is incorrect. The vast majority of IT professionals are not cybersecurity experts and lack the specific training needed to protect your company properly from attack. Companies should consider retaining an outside cybersecurity expert or vendor to advise on protections needed. In addition, it is best practice to set a cyber policy and have a plan should a cyberattack unfold.

A cyberattack can be completely devastating to your business. Estimates are that nearly 60% of small to medium-sized businesses close their doors within six months following a significant, severe cyberattack. This is a daunting estimate, but companies need to remember that you can insure against monetary loss, but you cannot insure against the reputational damage inflicted by a cyberattack.

In conclusion, it is imperative that commercial-construction businesses work closely with their technical, risk, legal and insurance teams to ensure that their company is protected and ready to deal with a cyberattack. The future of their business may depend on it.

Carrie Rossenfeld

Carrie Rossenfeld is a reporter for the San Diego and Orange County markets on GlobeSt.com and a contributor to Real Estate Forum. She was a trade-magazine and newsletter editor in New York City before moving to Southern California to become a freelance writer and editor for magazines, books and websites. Rossenfeld has written extensively on topics including commercial real estate, running a medical practice, intellectual-property licensing and giftware. She has edited books about profiting from real estate and has ghostwritten a book about starting a home-based business.
