Builders urged to prepare for cyber risks
Posted On: Nov. 12, 2019 9:23 AM CST
SEATTLE — High-level steps are needed to deal with cybercrime in the construction sector, beginning with obtaining cyber insurance, according to an industry expert.
“Let’s not be negligent” about planning for how to handle a cyber event, said Scott Takaoka, vice president of Aon PLC’s cyber solutions group.
He was among the speakers on contractor and developer cyber liability at the International Risk Management Institute Inc.’s 39th annual Construction Risk Conference in Seattle on Monday.
Mr. Takaoka advocated a high-level approach to the planning process.
“Get cyber insurance in place” first, said Mr. Takaoka. Next, have a team in place should a problem emerge. “You don’t pick your team on the day of the Super Bowl. Plan ahead,” including assigning someone to be in charge of cyber security, obtaining outside counsel, and hiring a forensics expert.
The third piece, he said, is that “you really need to understand what your assets are” and have a plan in place to protect them.
Mr. Takaoka presented a slide showing increasing levels of information security program maturity. Developing a strategy is a journey, he said. “It’s not a point in time,” he said. “You have to build it up like spring training” and work at it.
One of the first things construction firms should understand is that a firm’s vulnerable systems are in field offices as well as its main offices, said Richard R. Volack, a New York partner with Peckar & Abramson P.C., which specializes in construction law.
“Cyber security has focused a lot” on the internet. “Sometimes people forget about physical security, too,” he said, referring to field offices’ vulnerability to theft.
The biggest thing you have to invest in is personnel, said Mr. Volack, referring to the saying that a chain is only as strong as its weakest link. The same is true for personnel, he said.
Firms must be encouraged to introduce personnel training, not just once, but multiple times, and to have their workers understand how to recognize a phishing email, to not click on emails they do not recognize, and to watch out for attachments and emails from imposters.
Mr. Volack also warned about the threats presented by the “internet of things.” “Malicious actors can come in and wreak havoc,” he said. He also warned that drones can be subject to hacking.
He pointed as well to the example set by Minneapolis-based Target Corp., which had “the most comprehensive cyber security system possible” at the time it was hacked through a subcontractor.
“When you’re hiring a subcontractor, make sure they have the same controls and the same protocols you would have as a general contractor,” he said.
“The construction industry isn’t just pouring concrete,” said Joseph Salazar, Dallas-based assistant vice president with Aon’s cyber solutions group. It is involved with a lot of technology, which increases its cyber risk exposure.
He said cyber insurance has expanded to include coverage for systems failures that are caused by unintentional or administrative errors. There is also coverage available if a problem at a vendor creates a domino effect and affects other companies. The coverage has come a long way in eight years, he said.
Mr. Salazar said there is now up to $1 billion in capacity available from a single placement. He said rates are rising from zero to 5%, while coverage is being enhanced. Retentions are fairly stable, he said.
The session was moderated by Sam Weaver, Chicago-based managing director of business development with Aon’s construction services group.