A robust construction economy leads to necessary public and private improvements. It generates jobs and opportunities in design, construction, materials suppliers, and specialty services in a challenging employment environment. It also, however, creates a target. With billions of dollars aimed for public improvements under the Infrastructure Investment and Jobs Act of 2021, and probably an equal—if not greater—investment in private projects, threat actors in cybercrime have a new, ripe target.
Lessons learned in other industries from banking to retail are a reminder that, in a world that relies on electronics, the risk exponentially grows when the target is rich, soft, and relatively unprepared. In France and Canada, large construction companies have already been hit, with debilitating results and ransom demands. In the U.S., the construction industry—encompassing designers, owners, general contractors, specialty contractors, vendors, and suppliers—creates new portals for threat actors around the world.
The Issue of Force Majeure
As cyber risk has grown and become known, it is unlikely to be a force majeure event unless it is specifically called out in a contract, which more frequently refers to events of the unknown. Thus, the contractual liability to pay under a contract is not likely to be excused. California courts have recognized that economic hardship does not equate to either force majeure or legal impracticability by law. [See West Pueblo Partners, LLC v. Stone Brewing LLC, (2023) 90 Cal. App. 5th 1179, 1190-1191].
A recent California case is more persuasive. In SVAP III Poway Crossings, LLC v. Fitness International, LLC (2023) 87 Cal.App.5th 882, 303 Cal.Rptr.3d 863, a fitness center was unable to operate intermittently due to COVID-19 closure orders. In opposition to summary judgment in the landlord’s breach-of-contract action, the fitness center argued that the force majeure provision in the lease temporarily excused its obligation to pay rent. The Fourth District Court of Appeal affirmed the trial court’s grant of summary judgment to the landlord.
Although the force majeure provision in that case included an exclusion for any “failures to perform...which can be cured by the payment of money,” the Fourth District independently held that there was also no evidence “that the pandemic and resulting government orders hindered Fitness’ ability to pay rent.” With respect to impossibility and impracticability, the court similarly held, “Nothing about the pandemic or resulting closure orders has made Fitness’ performance of its obligations to SVAP—paying rent—impossible.” Indeed, “Governmental acts that merely make performance unprofitable or more difficult or expensive do not suffice to excuse a contractual obligation. We agree.”
The Weakest Link: A Lack of Cyber Security in Construction
The 2023 “Verizon Data Breach Investigations Report” examined over 16,000 events, and the results are foreboding:
- The cost of ransomware events doubled in the last two years.
- Business email attacks increased by over 50%.
- Human error accounts for approximately 75% of all events.
- Over 80% of the attacks are financially motivated.
Designers, owners and their representatives, general contractors, specialty contractors, materials suppliers, and vendors may meet at job sites to discuss safety and sequencing, but do they ever talk about protecting the digital assets of a project? From designs in AutoCAD (computer-aided design) to digital tracking of construction through BIM (building information modeling) to payment requests and disbursements through electronic transfer payments via ACH (automated clearing house), there are multiple portals for threat actors to access.
Further, the cross-pollination of multiple devices, wearables, and commingling of personal and business-related devices creates numerous opportunities for threat actors. As any chain is no stronger than its weakest link, in the fast-paced world of construction there is little invested and marshaled against cyber risk. Change will either come from proactive management from other fields, or by painful trial, error, and economic loss.
So, what does happen when the seller and buyer become the targets of threat actors who successfully attack a business enterprise? Who pays? In the frequent absence of available cyber insurance, litigation at the state court level is evolving.
A Case Study from Texas
In Texas, there is a reported decision that provides guidance, and a warning, to those who fall victim to cyber events. Although it is based on a review of the Uniform Commercial Code (UCC), it delves into an analysis of fault-based principles.
In Prosper Florida, Inc. v. Spicy World of USA, Inc., 649 S.W.3d 661, the Court of Appeals of Texas, First District in Houston, addressed a wire transfer between a buyer and seller that was redirected to an unauthorized third party. The case arose from a bulk shipment of black pepper. Spicy World made its payment, but it went to someone who defrauded the parties. As a result, the risk of the loss, not otherwise indemnified by insurance, had to be allocated under the law of Texas. There were two shipments: the first appeared to be a payment by check that was received by the seller, Prosper Florida; the second was made by wire at what appeared to be the seller’s request. It appeared from the evidence that a threat actor accessed the seller’s email account, and the buyer thought emails sent by the seller were genuine and ultimately made payment as instructed to a Barclays account, believing it was directed by Prosper Florida.
The trial court did not find expert testimony of the seller persuasive on the issue of whether the buyer could reasonably rely on the emails received. Thus, the court found that, even if the emails were fraudulent, the risk of loss fell on the seller whose system was compromised and not the buyer who relied on the emails received. A fault-based rule emerged, which is a factual determination, case by case, under Texas law.
Threat Actor Tactics and How To Address Them
Threat actors in position to defraud can harvest billions of dollars due to portals opened through a variety of means: phishing (fake emails), vishing (fake phone calls), and smishing (false texts). With multiple devices, the speed of construction projects, and the use of business devices for personal matters and vice-versa, it is inevitable that this profile will lead to substantial financial losses. Even worse is the compromise of the construction itself: delays by debilitating digital-based systems, compromise of designs at key areas of structural support, interruption of job funds to pay contractors and material suppliers, and the diversion of transport of project supplies through the transportation industry.
Those engaged in construction—whether they be designers, owners, general contractors, specialty contractors, materials suppliers, or vendors—have a choice to make: Do they agree that this is an acceptable out-of-pocket risk of doing business, or do they proactively address it? Some ideas for a proactive approach include:
- Purchasing cyber insurance and business interruption insurance.
- Developing a team within your company with digital and managerial skills.
- Knowing that the risk of cyberattack affects all of us—including you.
- Learning the language of the digital world with its risks and rewards.
- Focusing on maintaining a robust and vigilant cyber policy for all employees.
- Training and refreshing training with updated issues and techniques regularly.
- Consulting with experts in the field, including IT, brokers, and response counsel.
- Knowing what you will do, who to call, and how to mobilize for an event.
- Practicing through table-top exercises and varying scenarios regularly.
- Reviewing and reinforcing contractual relationships to ensure adequate safeguards for all participants, remembering that the weakest link exists.
- Meeting in-person with contractors, specialty contractors, vendors, suppliers, and communication platforms to ensure that everyone addresses risk.
- Holding safety meetings onsite, focusing on construction issues. Add cyber risk to these meeting issues and stay current on developments in this area.
There are many applicable axioms. Some anonymous ones: “Check yourself before you wreck yourself,” “If you spend more on coffee than IT security, you will be attacked.”
But perhaps the best one is from Brian Krebs in a Sept. 26, 2018 post on Twitter (now X): “I’ve come to the conclusion that if you give a data point to a company, they will eventually sell it, leak it, lose it, or get hacked and relieved of it. There really don’t seem to be any exceptions….”