Cyber risk tops the agenda of organizational management conversations across all industries, and the construction industry is no exception. This can be surprising to many because the industry isn’t generally considered to be driven by data production. However, recent studies show that cyberattackers are attacking the construction industry more aggressively than ever.

A 2020 U.S. survey from Forrester reports that more than 75% of respondents in the construction, engineering and infrastructure industries had experienced a cyber-incident within the last 12 months. Moreover, it is projected that cybercrime will cost businesses approximately $6 trillion per year on average in 2021.

What’s Driving the Increase in Cyber Threats?

As the industry quickly adopts new technology, demands more immediate access to data and relies on a cyber-secure third-party supply chain, the cyberattack surface will continue to grow. Specifically, this includes a long list of technology trends like the increased use of 3D and 5D building information modeling, augmented- and virtual-reality technology, industrial control systems and supervisory control and data acquisition systems (SCADA), drones and Autonomous Construction Machinery, Cloud technology for data storage, biometrics, mobile devices and "Internet of Things."

Two common cyberattack methods pose a predominantly heightened concern for construction. The first is social engineering schemes that involve cyber attackers impersonating upper management to manipulate their victims to share private, sensitive information or wire funds to a private account. The second is traditional ransomware that has become more complex as hackers evolve their malware technology to seek out and target human and technical weaknesses in an IT network. Phishing emails are most often used to lure employees to click on malicious links or attachments. The malware triggers a series of actions that encrypt files in a network, rendering them inaccessible. The malware can also infiltrate smartphones and other devices, effectively shutting down communication and in many cases halting or slowing business operations. Cyber attackers may place a deadline on their demand for a ransom payment, threatening to destroy or release sensitive data publicly if it’s not met.

But the cyber incident may just be the beginning for many. In addition to the operational implications of a cyberattack outlined above, contractors and construction managers could be exposed to critical liabilities and costs, including:

• Third-party liability from employees, clients, key business partners and regulators that arises from computer security failure and breach of private information (this could also include liability for delay and business interruption caused by unauthorized access to project data and systems);
• Cost of managing a security failure or privacy breach including the notification, ransom payment, forensics, legal services, data restoration and lost income through business interruption;
• Breach of confidential business information, through storing and sharing bid and project data/specifications, owner’s processes and project management;
• Unauthorized access and interference with project plant, data and specifications in SCADA and BIM;
• Property damage or bodily harm triggered by the failure of Internet of Things, robotics and remote control of processes and physical security following an attack; and
• Contractual liability for inability to produce goods or services for clients and business partners.

Key to managing these liabilities is the development of a custom risk transfer solution that will allow the construction business to protect its people, property and profits. Risk transfer enables a company to shift risk from their business onto another party, commonly through an insurance policy. Cyber insurance policies serve as an optimal solution to do this as they are designed to protect the company and its bottom-line costs in the case of a cyberattack.

It is imperative that construction managers work with an insurance brokerage, legal and risk management team specializing in construction and cyber risk management and insurance to develop a tailored policy to fit their unique needs. Cyber insurance risk transfer solutions can address four key segments to help return to operations-as-usual and protect the bottom line of the company.

These risk transfer solutions include coverage for:

• Liability to others;
• Costs of a cyber-breach response;
• Management of operational costs after a breach; and
• Additional services from an insurer including 24/7 help, access to approved advisors, risk management advice and post-event forensics.

Seasoned insurance brokerages also assist clients with risk analysis of their systems; in fact this is the number one request from clients. Whether the analysis is conducted directly by a broker team, a carrier or a third party, a comprehensive system analysis can uncover and help identify where their vulnerabilities may be.

Insurers are also increasingly willing to include cyber risk services to help their insureds avoid and mitigate cyber risk before the attack happens. Many offer either free or discounted employee training, scanning tools, compliance help and incident response planning. It is important to understand the options and their value when choosing a cyber insurer, especially as the market changes and expands.