Why You Should Add Cybersecurity Provisions To Your Construction Contracts

In 2023, the construction industry was attacked more than any other industry by cyber criminals. That’s largely because many construction companies are still stuck in old ways of doing things and are reluctant to harness the latest information technology. As cyber security attacks on Canadian-based businesses ramp up, general contractors have become a prime target.

Construction companies may not seem like prime targets for cybercriminals, but they have become increasingly vulnerable. As sectors like finance and healthcare bolster their security, cyber attackers turn to industries perceived as easier targets. Construction, often lagging in cybersecurity measures, presents an attractive opportunity for these threat actors.

Malware or ransomware attacks can be catastrophic for contractors, particularly on large commercial and infrastructure projects worth hundreds of millions of dollars. These breaches can cause severe schedule impacts, leading to delays and increased costs.

A cyber breach can also inflict severe reputational damage and legal risks for general contractors and their clients, especially if basic cybersecurity measures aren't in place. Here's what general contractors need to know about leveraging legal, contract, and insurance channels to protect themselves effectively.

General Contractors are Vulnerable to Attacks on Subcontractors

General contractors' liability for cyberattacks extends beyond their own digital footprint. If a subcontractor is hacked, the outcome largely depends on the contractual agreements in place.

To mitigate risks, general contractors should ensure subcontractors prioritize cybersecurity. Subcontractor agreements should include provisions for robust data security practices, data deletion upon project completion, confidentiality, indemnification, and cyber insurance requirements.

For smaller subcontractors, who may lack extensive cybersecurity resources, general contractors can limit data sharing to essential information only, reducing the potential impact of any breaches. Ensuring sensitive information is not unnecessarily shared helps contain any potential damage.

Insurance against cyber attacks

Cybersecurity insurance can offer protection for general contractors and extend to subcontractors. It's important to work with knowledgeable insurance vendors. Contractors lacking in-house expertise can also rely on insurance providers who partner with security professionals to enhance their cybersecurity posture, sometimes including this service in the policy cost.

General contractors can secure policies that cover subcontractors if they maintain similar cybersecurity standards. However, requiring this level of security from all subcontractors may be unnecessary, especially for smaller subs who may not maintain significant data online, thereby minimizing potential impact from breaches.

When Attacks Occur

Despite the best efforts, cyberattacks can still happen. When they do, a general contractor’s first call should be to their IT provider, who should then immediately involve the cybersecurity insurance provider.

Typically, the insurance provider will guide you through the process and connect the company with an attorney to outline legal disclosure requirements, helping protect against third-party litigation if personal information is compromised.

Following expert guidance not only ensures compliance but can also lower insurance rates by instilling confidence in your insurer about your protective measures.