In a survey of 117 data-breach insurance claims filed in 2013 (an estimated 5% to 10% of all cyberclaims handled by all markets that year), cyberrisk-management service NetDiligence found 85 claims with reported payouts. The typical payout ranged from $30,000 to $400,000. Of the total value, almost half was spent on crisis services such as computer forensics, notification to customers and legal assistance.

Hackers were the cause of loss in 29% of the claims, followed by staff mistakes in 13% and malware and rogue employees (both 11%).


Industrial espionage often motivates cyber- criminals, particularly ones looking for trade secrets, says Mark Greisiger, NetDiligence president. But, sometimes, firms are just targeted when automated systems spot vulnerability in their networks, he says.

One of the few well-documented sources of claims from cyberattacks is personal data. Recent hacks at retailers such as Target and the health insurer Anthem have brought public attention to the risks of storing personal data. And while construction and engineering firms might believe themselves immune from similar attacks since they are not involved in retail trade or customer record retention, experts caution that they should remember that employee and dependent medical records are far more valuable to hackers than payment-card data. The highest mean costs associated with claims in the NetDiligence study corresponded with the breach of private health information.

Greisiger says the records of a company's current and former employees, retirees and their average of four dependents each can add up to a lot of valuable personal data.


Defending Against the Unknown

Even if a firm's network lacks data of value to hackers, the network still can provide a vector to access the networks of the owners, contractors and other firms on a project.

In traditional contracting, owners rely on contractors to maintain their networks' integrity, and contractors rely on their subcontractors to do the same. That's the logic behind current federal requirements for contractors' cybersecurity compliance. But experts say those standards were introduced piecemeal, leaving requirements that vary between agencies. "It's the way the federal government does everything," says Voeller, who has worked periodically with the White House regarding cybersecurity, engineering and contracting since 2003.

Voeller says different agencies established their own cybercommands before cybersecurity became a priority for the government as a whole. So, contractors working with the Dept. of Defense must adhere to stricter cybersecurity standards than contractors working with the General Services Administration. While it might make sense, given the relatively more sensitive national security data the DOD must protect, in practice, an attacker can access GSA networks and use that as a vector to reach other agencies' data.

War Games: Parsons Corp. will open a Cyber Solutions Center on March 13 as part of its Cyber Critical Infrastructure Protection Initiative. The facility emulates clients' control systems and designs, security vulnerabilities and risk posture to enable tailoring and testing.

The federal government is about to change this landscape. The National Institutes of Science and Technology is developing for all federal contractors a new risk-management framework for a consistent standard for all verticals. Extra security regulations for working with especially sensitive data would be overlaid on the NIST framework as needed, says Phil Lacombe, vice president and manager of information systems and security at Parsons Corp.

The White House took a step toward implementing the NIST framework at its Cybersecurity and Consumer Protection Summit at Stanford University on Feb. 13. There, President Barack Obama signed an executive order "promoting private-sector cyber- security information sharing" to encourage the formation of organizations coordinated with the National Cybersecurity and Communications Integration Center for voluntary information sharing about cyberrisks, incidents and response.

"That NIST framework will become very important for the construction business to understand," says Bill Britton, vice president for cyberstrategy at Parsons and visiting director at Cal Poly's Cybersecurity Center. "It is not a mandatory element yet ... but what they will ask are questions like, 'If you had a problem, were you implementing the NIST framework? Did you know about the NIST framework?' He predicts the moves will lead to legislation—"some have rumored at the end of 2015," he says.