How — and Why — to Add Cybersecurity Provisions to Construction ContractsHow — and Why — to Add Cybersecurity Provisions to Construction Contracts
Lawyers talk about the ways that contractors can guard themselves against the legal risks of attacks, and what to do if a breach occurs.
July 30, 2024
As cybersecurity attacks on U.S.-based businesses ramp up, general contractors are not immune. In fact, they’ve quickly become a target.
“It’s not a matter of if but when,” said attorney Kelly Johnson, a New York City-based partner at Goldberg Segalla, who has a focus on cybersecurity and technology errors and omissions litigation.
Construction companies might not seem like an obvious potential cash cow for cybercriminals, but they have become vulnerable in part because, as other sectors such as finance and healthcare have hardened their security stances, construction has not kept up. It’s easier for threat actors to go after less protected industries — the low-hanging fruit.
Construction companies might also be working on critical infrastructure projects,
which could make them targets of political adversaries. According to a 2023 survey from Dodge Construction Network in partnership with content security and management company Egnyte, 59% of AEC firms surveyed reported that they experienced a cybersecurity threat in a two-year period. General contractors were hit the hardest, with 70% experiencing a threat and 30% a ransomware attack in that same time span.
If contractors were locked out of their system by malware or ransomware, the effects could be devastating, especially on large commercial and infrastructure projects with budgets of hundreds of millions of dollars. According to the report, 77% of architects, engineers and contractors said they can’t go more than five days without access to their documentation before their projects experience serious schedule impacts.
A breach could also do untold reputational damage for a general contractor and their clients, Johnson said. Then there’s the legal risk if they and their subs don’t have basic cybersecurity measures in place, and don’t disclose an attack properly if it happens.
“You’re not only dealing with your own damage from the cyberbreach, but you’re dealing with your client’s damages as well,” she said.
Here’s what general contractors need to know about what they can do through legal, contract and insurance channels to protect themselves.
To read the rest of the story from our sister publication, Construction ive, click here.
About the Author
You May Also Like