Cyber security in the construction industry: What to do if you have suffered an attack?

Written on 22 Jul 2015

It seems that barely a week goes by without another high profile cyber breach (Ebay, JP Morgan Chase, Home Depot and Sony, twice, spring to mind). However, for every high-profile cyber attack, there will be tens or hundreds of unreported phishing scams, malware intrusions and data loss stemming from employees (whether inadvertent of malicious).

If those in the construction industry are not as concerned about cyber security as some other sectors, they certainly should be. Organisations may hold plans and schematics for current and past projects which need to be protected against access by terrorist or other malevolent organisations. Similarly, unwanted access to FM systems such as security or BMS could cause serious operational difficulties or present health, safety and security risks. 

On a more prosaic level, the leaking of market-sensitive information, intellectual property or other confidential information could have serious financial consequences. And especially where multiple sets of employees, consultants and contractors are involved on a site, the risks of phishing or malware are significant. 

So, what should you do if you discover a cyber breach?

Act quickly

Your best chance for positively affecting the outcome is in the first 24 hours following a breach. During this period, your priorities should be establishing a core team to: 

  • Shore up your defences through software / hardware fixes and isolating the point of attack (mobile, email, web) and protecting your most valuable assets (trade secrets and other high-value IP); 
  • Minimise the damage through technical means (whether that means getting your systems up and running again or taking them down temporarily to prevent further harm) and practical steps (if passwords have been taken, alerting those affected); and
  • Initiate your crisis management protocol, including gathering information to understand what has happened, preserving evidence and controlling the messaging to stakeholders. 

Establish your core team 

Cyber breaches can be complex and highly damaging. Your incident response team should include senior representatives from management, IT, HR and PR teams. The internal investigation should be led by in-house or external lawyers who are experienced in managing investigations and able to advise you on your potential exposure and routes for recovery. 

Your team may also need to include other outside experts, such as: specialist cyber security firms, forensic IT experts or forensic accountants.

Consider your reporting obligations 

Once you have a handle on the nature of the cyber breach, you will need to consider whether you have any reporting obligations to:

  • Regulators: The Information Commissioner’s Office (ICO) has made it clear that data controllers should report serious data breaches to it. The proposed new EU Cyber Security Directive and Data Protection Regulations will bring in additional reporting obligations, particularly for those who operate ‘critical infrastructure’.
  • Customers and contractors: Commercial contracts increasingly include provisions for how parties should deal with a cyber breach. There may be other legal or commercial reasons to inform your client of a cyber breach, particularly if data that you hold for them may have been compromised – you do not want the first they hear of a breach to be through the press.
  • The market: Listed companies will need to consider carefully their obligations under the Listing Rules and the Disclosure and Transparency Rules, which may require a breach to be disclosed, as soon as possible, if it would be considered “inside information” (which will depend, in part, on the seriousness and likely consequences of the breach).
  • Insurers: You should check whether the breach may be covered by your insurance policy and whether you therefore need to notify your insurer. The extent of coverage for cyber risks is not always well understood and generally overestimated by businesses. 
  • Law enforcement authorities: Law enforcement authorities have a broad range of powers available to pursue suspects. However, criminal investigations and prosecutions tend to be lengthy and once a matter is in the hands of authorities, conduct and publicity of those criminal proceedings will be out of your control. 

There may be other third parties who for commercial reasons you should consider notifying voluntarily at the appropriate time. You may need to consider contractors or suppliers who may be affected. If part of your system is outsourced or cloud-based, might others be at risk? 

Understand your regulatory and civil risk

As well as damage arising directly from the breach, a cyber breach can also result in regulatory or civil actions being taken against you. 

The ICO and other regulators have wide-ranging powers, including imposing: notices to provide information, requirements to take remedial actions or monetary penalties.

Where a breach has affected your customers, whether by data loss, unavailability of services or otherwise, you could also face civil claims. Your contracts with customers may contain express clauses covering data security. Customers might also look to rely on general or implied contractual or tort duties to use reasonable care and skill. 

The adequacy of your compliance program and your response to an incident may be central to demonstrating that you have fulfilled your regulatory, contractual and common law duties.

Take action to recover the damage 

If the breach has been as a result of a deliberate attack, it may be possible to take action against the perpetrator. However, recovering damages can be extremely challenging for a number of reasons:

  • It can be very difficult to identify the perpetrator – or at least to pin this to an individual or legal entity; 
  • If the perpetrator is overseas, there may be difficult issues of jurisdiction and applicable law; and
  • If you are able to obtain judgment in your favour, this can be challenging to enforce and will only be worthwhile if the perpetrator has assets to enforce against.

If the perpetrator is a rogue employee, you are likely to have more options. You may, for example, be able to get injunctive relief to obtain and/or prevent any confidential information from being disclosed or used.

Looking beyond the perpetrator, if the breach has been caused or contributed to by a weakness in a third-party hosted system, you may have claims against your IT suppliers or contractors. As with claims by clients, such claims could turn on express or implied terms, or common law (negligence) duties. 

Start preparing now 

When you discover a cyber breach, the actions that you take in the immediate aftermath can have dramatic and far-reaching effects. Getting the response right from the start can minimise the damage, but missing key issues early on can give rise to collateral problems down the line. By planning in advance, you stand the best chance of being able to act swiftly, decisively and effectively.

Your planning should include: 

  • Developing a crisis management protocol, including a core incident-response team; 
  • Putting in place an effective compliance program, including training and policies; and 
  • Engaging with outside advisers in advance, to supplement your own in-house resources and ensure coordination is as efficient as possible when the time comes.