Five Actions Construction and Energy Risk Managers Can Take to Avoid the Catastrophic Consequences of a Cyber Attack

By LCA Fellow Eve-Lynn Gisonni

With the ever-increasing usage of technology in the construction and energy industries, risks to business operations have also increased. Property developers and construction contractors rely on electronic data and communications more than ever to streamline projects, ensure efficient and timely supply chain delivery, and facilitate immediate communications between parties. However, with this dependence upon technology comes the heightened risk of cyber criminals frustrating construction operations and driving up costs.

Similarly, as the energy sector has grown more dependent upon online networks for deliverables, vulnerabilities have become more pronounced in trades dependent upon electrical grids. When an entire electricity network must be taken offline in defense of a cyber-attack, this impacts countless industries such as hospitals and health care operations, manufacturers and suppliers, and local and interstate traffic systems.

One of the main avenues cybercriminals can breach companies is through a vulnerable network. A work force who is not educated and trained properly to spot these attempts is usually the main vulnerability. Cyber phishing is a common way for criminals to get employees to open fake emails from purported trusted sources that subjects the network to data theft. It can also lead to ransomware attacks, where criminals hold the network and its data hostage until huge sums of money are paid to release these cyber handcuffs.

The financial and reputational damage caused by these types of attacks can be astronomical, even after paying the ransom. There are often high costs to shut down a network for days or even weeks to repair the damage, let alone field the potential lawsuits from clients and customers whose data was stolen. However, the following proactive measures can minimize the financial impact of a cyberattack on the construction and energy industries.

1. Educate Your Organization

Employee education is paramount because an organization’s security is only as strong as its network gatekeeper. Firm procedures and education on password protection and phishing emails are starting points. The use of multifactor authentication is another layer of protection to ward off cyber felons. Reinforcement of good network practices by employees and maintaining a company’s backup separate from the network are less expensive ways to strengthen the defense against cyberattacks. Informing employees on what to do in the event the network has been breached and frequent reminders to employees on procedures assist in risk management.

2. Perform an Organizational Risk Assessment

Determining how vulnerable your organization is to cyber-crimes will undoubtedly lead to measures to shore up these cyber weaknesses. Require your IT staff to regularly attend cutting-edge technology seminars focused on protecting your network. Perform simulated attacks to test the vulnerability of the company’s network, including sending mock phishing emails to employees to discover weaknesses.

3. Consult with a Cyber Security Expert

Even if your organization has a solid IT Department, consultation with a cybersecurity consultant before incurring catastrophic damage is money well spent. Hiring an expert before the damage is done makes financial sense.

4. Review Your Insurance Portfolio

Often companies rely on their general liability insurance coverages to protect them when they and their customers become victims of cybercrimes. Consult with the brokers who placed the company’s general liability (“CGL”), errors and omissions, crime, and directors’ and officers’ liability insurance policies to determine if the company’s existing coverages would suffice in the event of a cyberattack.

Endorsements on renewal policies often provide cyber-crime coverage, but reliance on standard form CGL policies could lead to insurer disclaimers for cybercrime claims. If the company’s business crosses state and international borders, consult with insurance coverage counsel to perform a policy review from a state by state and international standpoint. Coverage attorneys can identify how your insurance program would serve to minimize the company’s exposure from a cyberattack.

5. Consider Purchasing Cyber Security Insurance Coverage

There are robust cyber security policy options on the market that cover a wide range of first-party and third-party liabilities such as privacy breach notification expense, business interruption expense, and regulatory defense and penalties. However, depending upon the type of business and how employees and third-parties access a network, insurance coverage for cyberattacks varies in cost.

If a company has not had a previous cyber breach and employs layers of network security, it will be perceived as a lower risk by insurers. The more measures an organization takes to enhance security, the better the chance of procuring cyber insurance at more reasonable rates. Having regular anti-fraud educational programs for employees, employing mock cyber-attacks, and having secure network tools like two-way authentication, will help in reducing the cost of cyber insurance.

Cyber-attacks are a threat to every organization with an online network. The energy and construction industries have seen increased ransomware attacks in recent years that have proven costly to organizations’ operations as well as to their customers. Therefore, taking proactive measures makes good business sense.


Eve-Lynn Gisonni is a resident of Saxe Doernberger & Vita, P.C.’s Northeast office where she maintains an active nationwide litigation practice. Eve-Lynn has dedicated her entire legal career to the representation of both individual and commercial policyholders facing diverse and interweaving coverage issues. Her extensive background in championing the rights of policyholders under insurance contracts has resulted in a number of her cases being relied on as insurance law precedent – and the successful resolution of complex insurance claims on behalf of her policyholder clients.