Industry-wide, cybersecurity provisions receive very little discussion or negotiation in contracts between project owners and their construction professionals, and even less downstream with subcontractors and suppliers. For example, the American Institute of Architects (AIA) generally issues new contract documents on a 10-year cycle, and the AIA did not address cybersecurity until 2017; even then, it only "advised" parties to discuss whether first-party cybersecurity coverage was appropriate for a project. What little discussion does occur tends to concern contractors' access to the owner's systems, such as building controls and networks, or whether the owner will require the contractor to carry cybersecurity insurance and, if so, at what coverage levels.
Owners can, of course, buy their own cybersecurity insurance policies for projects or supplement their builders' risk coverage with cybersecurity endorsements. Owners should never assume that their general liability, fraud, or crime coverage will respond to a cyber incident. To avoid what the insurance industry calls "silent" cyber coverage (cyber losses unintentionally picked up by policies that were never priced for them), carriers are now writing specific cyber exclusions into their general liability policies.
Cyber insurance policies typically pay for data or network damage or destruction resulting from a "covered cause of loss." Covered causes usually include viruses, malware, cyber extortion, and invoice manipulation, in which funds are released to a third party on the strength of a fraudulent invoice. Insurers typically will not cover damage caused by an insured's own employees or by third parties the insured retains, such as cloud-based platform operators, consultants, or subconsultants who work on the project through remote access.
Because all construction data are an asset the owner must protect, cybersecurity awareness goes well beyond insuring against data breaches and making an effort to protect the owner's computer networks. The practical reality is that the insurance proceeds recoverable after a data breach will likely not cover all of the losses. Most importantly, insurance, no matter how robust, is unlikely to cover the cost of lost time on a project when project data are compromised. Larger contracts often contain some combination of waivers of consequential damages, liquidated damages that may fall short of the actual loss suffered, and limitations on liability. Insurance payments are unlikely to replace millions of dollars in delay, consequential losses, or even liquidated damages incurred while a project team works to recover or re-create compromised, stolen, or maliciously encrypted data or project files.
Owners must be proactive about their own data security and that of every project. During contract negotiations, owners should insist on the right to approve any cloud-based project management and file-sharing platforms. Owners should require a uniform and secure method of data transmission and file sharing, and should include in contracts or project manuals strict prohibitions on the use of unsecured file-sharing platforms. Owners should also consider requiring mandatory, recurring data security training for anyone on the project who will ever have access to project data. Finally, owners should bridge the gap in project cybersecurity insurance coverage by insisting that all project contracts include robust indemnification provisions that indemnify and hold the owner harmless from all losses and damages arising from data security incidents of any kind, from breaches to accidental losses; because an indemnity is worth only what the indemnitor can pay, it should be backed by the counterparty's own cyber coverage. Though these efforts may seem onerous at the outset of a project, they may prevent, or at least mitigate, disaster later.