A public/private partnership (“PPP”) is a cooperative arrangement between the public sector and the private sector for the delivery of a specific infrastructure project or service. The public and private sectors each have strengths and weaknesses relative to each other with regard to the performance of certain tasks. A PPP seeks to exploit those strengths while mitigating the weaknesses. Typically, the public sector sets out the goals and objectives for the project by defining the level, quality, and scope of the required service or project while ultimately retaining ownership and, consequently, a measure of oversight over the finished asset. The private sector brings its managerial, technical, and financial expertise to the venture and is responsible for delivering an output which satisfies the goals and objectives defined by the public sector.
Increasingly, information collected and/or created in connection with PPPs is being digitized, stored, and accessed from complex networks and information systems. This information is often targeted by cybercriminals, state-sponsored actors, and “hacktivists” by way of cyber attacks that can take the form of, for example, advanced persistent threats (APTs), malware (including ransomware), denial-of-service (DoS) attacks, domain name hijacking, social engineering, and phishing campaigns. Given the involvement of a public partner, the incidence of these attacks is increasing, and special attention must therefore be given to cybersecurity risks. Public partners can draw on the technology capabilities of a savvy private counterpart to effectively reduce cybersecurity risks for a PPP.
Cyber attacks can have a significant impact on any organization, whether it is a private proponent or the public partner. For example, attackers can steal or destroy key data, such as the organization’s intellectual property (often referred to as the “Crown Jewels”) and/or customers’ personal information, which can result in financial and reputational losses and years of litigation. Moreover, a significant cyber attack can cause operational disruption and compound financial losses. These risks are multiplied in a PPP, where data resides on the information systems of two different entities, one in the private sector and one in the public sector, which makes a PPP increasingly vulnerable to cyber attacks.
Concerns about the risks associated with a cyber attack on PPPs have intensified in recent years. This is in part because the information necessary to conduct business and undertake projects is increasingly digitized and stored on servers of both the public proponent and the private partner. Given the potential high sale value of the data, the media coverage related to such attacks, and the ability of attackers to leverage an attack for political or social messaging, PPPs are frequently targeted.
In recent years, projects involving medical care, including hospitals, have been hit with cyber attacks for the purpose of extracting payment to release or unlock the system or to prevent disclosure of data. The nature of public activity, especially public participation in privately backed enterprise, makes it particularly prone to cyber attacks, as the consequences can be more significant and the pockets deep. In addition, public partners are increasingly concerned about protecting confidential and politically sensitive information, which makes such information more attractive to attackers. Public enterprise has therefore been the target of the most significant cyber attacks, carried out for a variety of purposes, over the last decade, and it is unlikely that such cyber attacks will lessen over the coming years.
While purchasing cyber insurance coverage is becoming more common in PPP transactions, the amount and scope of the insurance maintained by the organization may not be sufficient to cover losses resulting from a cyber incident or to adequately compensate the organization for the resulting disruptions.
Increasingly, laws require organizations to implement security safeguards to protect confidential information from loss, theft, and unauthorized access, disclosure, copying, use, or modification. These safeguards can vary with the nature of the confidential information in question, with more sensitive information requiring a greater level of security. Protection mechanisms should include physical measures (including locked or restricted-access storage locations), organizational measures (including appropriate security clearances for employees and disclosure of personal information on a need-to-know basis), and technological measures (including encryption keys and passwords).
Individuals dealing with a PPP project and its proponents will want to ensure that the project fully considers (i) the adequacy of the security measures implemented in connection with the project, and (ii) the measures contemplated to mitigate the consequences of a successful cyber attack. Of course, individuals should always be cognizant of the information that they are sending over electronic media and consider whether such information should be sent at all, particularly given the prevalence of cyber attacks and the gravity of the potential consequences.
Cybersecurity will need to be carefully addressed in PPPs where the project will involve the gathering and storing of sensitive information concerning private individuals, or of information of a commercially or publicly sensitive nature. This risk should not be ignored when consummating a PPP transaction, and adequate safeguards, such as an adequate insurance product, should be considered from the beginning to help protect all parties involved.