Cyber Risk and Insurance in the Construction Industry

May 3rd 2023
cyber insurance keyboard

Addressing Digital Threats and Vulnerabilities

In today’s digital age, the construction industry has become increasingly reliant on technology to improve efficiency, streamline processes, and reduce costs. With the adoption of Building Information Modelling (BIM), Internet of Things (IoT) devices, and cloud-based project management systems, construction projects have become more connected than ever before.

However, this increased connectivity also exposes the industry to cyber threats and vulnerabilities. With this in mind, it’s important to adopt proper cyber risk management and understand the types of cyber risks that construction companies face, and how cyber insurance can help protect businesses from potential financial losses.

Understanding Cyber Risks in the Construction Sector

Cyber risks in the construction industry can take various forms, with some of the most common threats being:

  1. Data breaches: Unauthorised access to sensitive information, such as project plans, financial data, or personal employee information, can lead to significant financial losses, reputational damage, and legal consequences.
  2. Ransomware attacks: Cybercriminals can use ransomware to encrypt a company’s data or systems, demanding payment in exchange for unlocking them. These attacks can cause project delays, loss of productivity, and financial losses.
  3. Phishing scams: Fraudulent emails designed to trick employees into revealing sensitive information or downloading malicious software can expose construction companies to a range of cyber threats.
  4. Industrial control system (ICS) attacks: The construction industry increasingly relies on ICS for managing critical infrastructure and equipment. Cyberattacks targeting these systems can lead to equipment malfunction, safety incidents, or operational disruptions.

Addressing Cyber Risks with Cyber Insurance

construction worker using an ipad
To protect construction companies from potential financial losses due to cyber incidents, cyber insurance has emerged as an essential component of risk management strategies. Cyber insurance can provide coverage for various costs associated with cyberattacks. This includes things like covering the costs of hiring cybersecurity experts, legal counsel, and public relations professionals to manage the response to a cyber incident.

In the event of data loss or corruption, cyber insurance can help cover the costs of recovering or restoring lost or damaged data as well as providing business interruption cover, in many cases when a cyber attack takes place in can stop a business from operating as normal, disrupting business operations at least to some extent.

There is also the risk of regulatory investigations taking place, these could lead to fines or even legal action as a result from a data break or cyber breach.

In some cases, cyber insurance may also cover the costs of ransom payments made in response to ransomware attacks. However, this coverage can vary by policy, and companies should carefully review the terms and conditions as it is not included in every insurance policy.

Cyber security is something that every company has to consider, no matter the industry or size of the business, whether you are a construction firm working on large scale projects or a self employed developer. These cyber exposures apply to all and if you do not have adequate cover in place and you face a cyber attack, this could be costly to your business from a financial and reputation management point of view.

Putting in place the right protections is key, but even with the most robust systems in place you will always be at risk of a data breach. Technology and therefore hackers are moving forwards at pace and it’s impossible to reduce the risk of cyber events to zero. This is why construction firms need to have the right insurance in place to protect them, their staff, contractors, suppliers and customers alike.

Implementing Cyber Risk Management Best Practices

cyber security protection construction industryWhile cyber insurance can provide financial protection in the event of a cyber incident, construction companies should also take proactive measures to reduce their exposure to cyber risks. Some best practices for cyber risk management include:

  1. Regularly update software and systems: Ensure that all software, operating systems, and firmware are updated with the latest security patches to protect against known vulnerabilities.
  2. Implement strong access controls: Limit access to sensitive information and systems to authorised personnel only, using strong authentication methods such as multi-factor authentication.
  3. Train employees on cybersecurity: Provide ongoing cybersecurity training for employees to help them identify and respond to potential threats, such as phishing emails or suspicious activity.
  4. Develop a cyber incident response plan: Establish a clear plan outlining the steps to take in the event of a cyber incident, including roles and responsibilities, communication channels, and recovery procedures.

Examples of Data Breaches and Cyber Attacks in the Construction Sector

Turner Construction Company (2019)

In March 2019, Turner Construction, one of the largest construction companies in the United States, experienced a cyberattack. A phishing email that appeared to be from an executive in the company led to the exposure of sensitive employee information, including social security numbers and tax details. The company had to notify the affected employees and offered them identity theft protection services.

Bouygues Construction (2020)

In January 2020, French construction giant Bouygues Construction was hit by a ransomware attack that impacted its computer network. The company had to disconnect its entire IT network to prevent the ransomware from spreading further. The Maze ransomware group claimed responsibility for the attack and demanded a ransom payment in exchange for decrypting the company’s data. Bouygues Construction had to rely on manual processes and backups to resume its operations while working with cybersecurity experts to resolve the issue.

Fisher & Paykel Appliances (2020)

In June 2020, Fisher & Paykel Appliances, a New Zealand-based appliance manufacturer with construction projects worldwide, suffered a ransomware attack. The Nefilim ransomware group encrypted the company’s files and threatened to leak sensitive data if a ransom was not paid. Fisher & Paykel had to engage with cybersecurity experts and law enforcement to address the situation and restore their systems.

AST Modular (2013)

In 2013, the Spanish construction company AST Modular, which specializes in modular data centres, fell victim to a targeted cyberattack. The company’s intellectual property, including blueprints and designs for its data centres, was stolen by a Chinese hacking group known as APT1. This incident highlighted the importance of securing sensitive data and protecting intellectual property in the construction industry.

These examples underline the importance of implementing robust cybersecurity measures and investing in cyber insurance to protect construction companies from the financial and reputational damage caused by cyberattacks and data breaches.

Speak to Construction Insure today to discuss your cyber security insurance needs.