Skip to main content

Nixon Peabody LLP

  • People
  • Capabilities
  • Insights
  • About
Trending Topics
    • People
    • Capabilities
    • Insights
    • About
    • Locations
    • Events
    • Careers
    • Alumni
    Practices

    View All

    • Affordable Housing
    • Community Development Finance
    • Corporate & Finance
    • Cybersecurity & Privacy
    • Entertainment & Media
    • Environmental
    • Franchising & Distribution
    • Government Investigations & White Collar Defense
    • Healthcare
    • Intellectual Property
    • International Services
    • Labor, Employment, and Benefits
    • Litigation
    • Private Wealth & Advisory
    • Project Finance
    • Public Finance
    • Real Estate
    • Regulatory & Government Relations
    Industries

    View All

    • Aviation
    • Cannabis
    • Consumer
    • Energy
    • Financial Services
    • Healthcare
    • Higher Education
    • Infrastructure
    • Manufacturing
    • Nonprofit Organizations
    • Real Estate
    • Sports & Stadiums
    • Technology
    Value-Added Services

    View All

    • Alternative Fee Arrangements

      Developing innovative pricing structures and alternative fee agreement models that deliver additional value for our clients.

    • Continuing Education

      Advancing professional knowledge and offering credits for attorneys, staff and other professionals.

    • Crisis Advisory

      Helping clients respond correctly when a crisis occurs.

    • DEI Strategic Services

      Providing our clients with legal, strategic, and practical advice to make transformational changes in their organizations.

    • eDiscovery

      Leveraging law and technology to deliver sound solutions.

    • Environmental, Social, and Governance (ESG)

      We help clients create positive return on investments in people, products, and the planet.

    • Global Services

      Delivering seamless service through partnerships across the globe.

    • Innovation

      Leveraging leading-edge technology to guide change and create seamless, collaborative experiences for clients and attorneys.

    • IPED

      Industry-leading conferences focused on affordable housing, tax credits, and more.

    • Legal Project Management

      Providing actionable information to support strategic decision-making.

    • Legally Green

      Teaming with clients to advance sustainable projects, mitigate the effects of climate change, and protect our planet.

    • Nixon Peabody Trust Company

      Offering a range of investment management and fiduciary services.

    • NP Capital Connector

      Bringing together companies and investors for tomorrow’s new deals.

    • NP Second Opinion

      Offering fresh insights on cases that are delayed, over budget, or off-target from the desired resolution.

    • NP Trial

      Courtroom-ready lawyers who can resolve disputes early on clients’ terms or prevail at trial before a judge or jury.

    • Social Impact

      Creating positive impact in our communities through increasing equity, access, and opportunity.

    • Women in Dealmaking

      We provide strategic counsel on complex corporate transactions and unite dynamic women in the dealmaking arena.

    1. Home
    2. Insights
    3. Articles
    4. Cyberattacks on construction companies: Why construction companies are vulnerable targets and how they may protect themselves

      Articles

    Article

    Cyberattacks on construction companies: Why construction companies are vulnerable targets and how they may protect themselves

    July 24, 2019

    LinkedInX (Twitter)EmailCopy URL

    By Jenny Holmes

    While construction companies do not seem to be the best targets for hackers, they are the perfect combination of numerous moving parts, people, and complex projects. Add to this their lax cybersecurity measures, and hackers have found an opportune target.

    Special thanks to Courtney Way (Summer Associate) for her contributions to this post.

    When we imagine cyberattacks, we often picture hackers breaking into websites and stealing credit card or social security information.  We think of companies full of financial or personal information falling victim to these attacks.  What we don’t often think of is a construction company’s information being held hostage, its checks for services being redirected to unknown accounts, or construction equipment being hijacked.  Unfortunately, because we aren’t expecting these attacks is exactly why construction companies are exposed.

    Hackers are learning that the construction industry is a vulnerable target.  These companies constantly manage complex projects while handling data exchanges among many parties including partners, subcontractors, regulators, and suppliers.  Daily communications between these parties occur over e-mail, providing hackers a perfect opportunity to strike.

    Typically, hackers will use a fake e-mail account or even mirror a familiar account in order to ask the company to send funds to a “new” or “different” bank account.  Since the communication appears to come from a person that the company deals with on a routine basis, the company assumes that the new bank account is legitimate.  Yet, theft of funds is not the only type of cyberattack construction companies may face; hackers also use information to lock data or destroy or control hardware and equipment.

    Given the sophistication of today’s cybercriminals, construction companies must recognize their risk as targets and begin implementing protective measures.  The most important steps for companies to take include: (1) conducting security assessments or routine vulnerability scanning; (2) updating software, including advanced e-mail filtering; (3) enforcing password policies; (4) restricting approval rights and administration privileges; and (5) obtaining cyber liability insurance policies.

    However, general liability policies typically do not cover harm suffered by a cyberattack.  About a decade ago, companies were unsuccessfully fighting with policyholders about general liability policies covering losses resulting from a data breach.  Today, commercial general liability policies generally explicitly exclude electronic data from its definition of “property damage.”

    Given the need for a policy that would cover the loss of data resulting from a cyberattack, insurance companies began offering separate cyber liability insurance policies.  First-party cyber liability insurance typically covers the cost of network business interruptions, forensic investigation and restoration, legal fees, credit monitoring, and cyber threat extortion expenses. Third-party cyber liability insurance typically covers wrongful disclosure, content liability risks, and security or privacy breach regulatory proceedings.

    Companies must be well educated and represented when obtaining cyber liability insurance. Unfortunately, many companies that offer these policies seek to limit their liability and in turn, except many incidences.  For example, one policy in 2017 attempted to except costs associated with a fraudulent funds transfer that occurred when employees initiated the transfer after receiving a forged e-mail from a hacker.  In 2018, another policy attempted to limit its coverage by arguing that the losses incurred by a company were not directly caused by computer fraud, but rather were incidental.  Now, policies are attempting to invoke an “act of war” exception where companies argue that large attacks from foreign hackers are in fact “acts of war” and therefore not covered by the policy.

    Although it is recommended that companies obtain cyber liability insurance policies in an effort to combat the enormous expense that follows a cybersecurity breach, cyber liability insurance policies are not a simple catch all and are certainly not an alternative route for staying current on training employees, frequently updating software, and conducting regular security assessments.

    While construction companies may not appear to be the most profitable targets for hackers, they are the perfect combination of numerous moving parts, people, and complex projects. Add to this their lax cybersecurity measures, and hackers have found an opportune target.

    In order to combat the recent uptick in hackers attacking construction companies, we recommend that companies (1) train employees about cybersecurity; (2) frequently update software; (3) conduct regular security assessments; and (4) look into obtaining cyber liability insurance.  A cyberattack could cost millions of dollars and your reputation.  In a world where three out of four construction companies have reported a breach in the last year, cybersecurity is not to be taken lightly.

    The foregoing has been prepared for the general information of clients and friends of the firm. It is not meant to provide legal advice with respect to any specific matter and should not be acted upon without professional counsel. If you have any questions or require any further information regarding these or other related matters, please contact your regular Nixon Peabody LLP representative. This material may be considered advertising under certain rules of professional conduct.

    Subscribe to stay informed of the latest legal news, alerts, and business trends.Subscribe

    • People
    • Capabilities
    • Insights
    • About
    • Locations
    • Events
    • Careers
    • Alumni
    • Cookie Preferences
    • Privacy Policy
    • Terms of Use
    • Accessibility Statement
    • Statement of Client Rights
    • Purchase Order Terms & Conditions
    • Nixon Peabody International LLC
    • PAL
    © 2025 Nixon Peabody. All rights reserved