Not too long ago, the construction industry was stuck at decades-old productivity levels. This has changed dramatically in recent years as the use of technology to improve productivity and communication on construction projects has proliferated.
Reliance on BIM has continued to grow and project personnel are more universally equipped with devices to aid in project observations and communication. Drones now provide an imaginative way to access hard-to-reach areas, 3-D printing technology enables the production of building components, and other new technology platforms are in development for many aspects of design and construction.
Against this backdrop, the need has never been greater for technology and cyber risk management in the construction industry. A year ago, insurance carriers were just beginning to offer insurance coverage products tailored to construction sector needs. But this is changing rapidly in today’s digital world.
Construction projects are overwhelmed with data. The sheer volume of information prompts critical questions regarding reliability, responsibility and maintenance of electronic information and documentation. Examples include:
- Is data properly secured?
- Are projects and participants prepared for software and application malfunctions?
- What happens to project schedules and cost if data is lost, stolen or corrupted?
- Are projects properly protected from cyber attack, hackers and data theft?
- Who is responsible for coordinating software updates?
- Who is hosting platforms and in what format?
- Have project managers thought through the potential for conflicts between digital data and hard copy documentation?
- Has site connectivity been assured?
- Who bears the risk of losses caused by failure to anticipate or manage these risks?
Insurance carriers have moved to offer more coverage products specifically tailored to construction project risks and not just the more publicly known risks related to the privacy consequences of data breaches experienced by the banking and retail industries. Insurers are tracking construction industry losses and brokers are more adept at educating construction sector customers regarding coverage gaps that exist in traditional professional liability and commercial general liability policies.
While some limited endorsements are now available on professional liability and commercial general liability policies, brokers advise that standalone cyber and technology policies offer the broadest and most efficient coverage. However, they caution that carriers have developed very different products to address what they think design and construction entities need. One broker, Gregg Bundschuh of Greyling Insurance Brokerage, a division of Epic, who specializes in construction sector coverage, explains that “Cyber claims are more complex than traditional risks. They are more international in scope and can have multiple consequences, leading to not only first-party losses, but third-party liability and government actions and fines.”
Given the various policies available, construction and design project participants should carefully consider the various delivery system and contract requirement options. For example, project owners may want to consider designating an appropriate individual on each project who is best able to manage cyber and technology risks. Certain owners may be able to assess those options themselves; others may choose to engage independent security consultants, while still others may add such responsibilities to the scopes of their construction managers, contractors, design professionals or design builders. In turn, these parties may choose to delegate those responsibilities to specialty security consultants or subcontractors.
Upstream parties also should consider working with a broker to tailor or add new contract provisions allocating responsibility for cyber and technology risks. Attorneys may need to work with such brokers to add language that properly identifies standalone policies or endorsements, as well as appropriate limits and deductibles. Other provisions that might be added or customized include:
- scheduling and force majeure provisions to address who on the project bears the risk of delays and disruptions caused by hacking, theft or corrupted data; and
- equitable adjustment, change order or cost of work provisions.
Not all projects will warrant these steps. Project owners and managers, together with their advisors, must determine the degree to which technology and confidentiality are required on projects, the degree to which certain adverse technology-related events could cause delays or extra costs, the identity of the parties best equipped to manage the risks and the costs of the risk management techniques themselves.