18 May 2023
Building Up Cybersecurity in Construction: Challenges and Solutions
The construction sector may have been slightly slower to invest in cutting-edge technology and digitalisation, but it is making up for lost time. The global construction software market is now worth USD9.6 billion and is expected to grow by 8.5% by 2030, and the sector has become a lucrative target for cybercriminals.
Exposure has been exacerbated by the wealth of confidential and proprietary data digitally sourced and shared across the value chain. E-tendering is now commonplace in construction, and hundreds of tendering websites and portals are dedicated to the UK market alone. The granularity of shared data is only set to intensify as construction firms move towards decarbonisation. The energy transition will require firms to have a detailed view of valuation, fuel/energy mix, materials, production processes and logistics across their value chain.
Within a project lifecycle, a network of companies will rely on email as a critical form of communication, along with cloud storage for contracts and CAD drawings and online banking for financial transactions. The sheer number of diverse stakeholders involved in major construction projects heightens supply chain vulnerability and provides increased entry points for cyber-criminals. Beyond holding personal and proprietary data to ransom, intellectual property, blueprints, building plans and security information may also be valuable to criminals intent on other forms of crime such as theft.
Any modest construction project will likely involve at least 10-15 different firms in its supply chain, from developers, architects, engineers, construction management companies and general contractors to a host of subcontractors. At the other end of the scale, construction giant Balfour Beatty has a supply chain of around 10,000 companies and spends two-thirds of its revenues in procuring goods and services from suppliers.
Wake-up call
A cyber-attack on company software could have severe longer-term knock-on effects: significant project delays, loss or theft of intellectual property such as bidding strategies, blueprints and designs, as well as brand and reputational damage.
There have been several high-profile construction cyber-attacks in recent years, which have drawn attention to the growing vulnerability of the sector. Canadian construction company Bird Construction reported a ransomware attack in early 2020, where the company paid CAD9 million to prevent the cyber-crime group, Maze, from releasing stolen personal information.
Reportedly, Maze then targeted French firm Bouygues Construction in quick succession. The firm took all its IT systems offline as a precautionary measure to prevent further damage after personal data relating to Bouygues employees, including names, home addresses, phone numbers, social insurance numbers, banking details and drug test results, was published online.
In May the same year, UK firms Bam Construct and Interserve were both the targets of cyber-attacks. Hackers entered Bam Construct’s website through a vulnerability and accessed the corporate network, allowing the cybercriminals to encrypt files, deny the company access and demand payment.
Business email compromise is also a considerable yet largely unquantified risk; reporting mandates for these attacks are reduced as they do not hold the same data protection implications. Nevertheless, court documents released in 2020 revealed that US firm Solid Bridge Construction had fallen victim to this type of fraud in 2018, resulting in the company paying Kenenty Hwan Kim USD210,000, in the belief that it was paying an invoice to its contractor Chance Contracting.
Playing catch up
Cyber in construction is challenging as the sector bucks the traditional trend – the value of assets can change daily, making it difficult to underwrite.
The cyber market has rapidly adapted in recent years as insurers and policyholders alike have grappled to understand the nature of this emerging risk. Cyber incidents can result from malicious intent or human error, and traditional policies do not necessarily cover the risks presented by the construction sector’s increased use of technology.
In 2015, as awareness of the potential for physical damage from cyber grew, Lloyd’s of London amended its CY risk code definition to include a new risk code, CZ, focused on damage to physical property. Then, to solve the issue of silent cyber, Lloyd’s issued a directive ensuring all property policies provided cyber insurance cover on an affirmative or non-affirmative basis, with no ambiguity for all first-party property damage policies incepting on or after 1 January 2020.
Consequently, cyber buyback products have evolved to fill this gap and are far cheaper than standalone cyber products, which include property damage. As with most things, there is a reason for this; buying back cyber exclusions has limitations, which have become increasingly apparent as the risk of physical damage relating to cyber in construction has increased.
Cyber has long been associated with data and privacy breaches. Standalone cover now extends to technology failure and the resulting business interruption and loss of revenue. It can also cover malware damage, forensic investigation and legal expenses.
Following the series of cyber losses in the construction sector, insurers now request adequate levels of cyber security before providing cover. Construction firms may feel cyber buyback does not provide sufficient protection, but a standalone policy that covers every potential risk is not cost-effective. Every project is different and presents unique exposures; each has its own supply chain, which entails the use of distinct technology. Clients are now opting to tailor the cyber coverage to each project, and the market is seeing an increase in project-specific cyber insurance.
How can we help
Gallagher takes a consultative/advisory approach to your business, assessing your own particular cyber risks and exposures. From there, we create bespoke cyber insurance products tailored to your own business. We specialise in highly complex and difficult cyber insurance placements.
Your cyber liability insurance can cover cyber security and privacy liabilities, including cyber extortion, cyber terrorism and data asset loss. We can arrange cyber security insurance cover for the cost of responding to a breach, plus regulatory investigations and defence costs, civil fines and penalties (a major concern with the General Data Protection Regulation (GDPR)).
Cyber insurance can also cover business interruption and loss of income, litigation damages and costs from individuals/class actions, and multimedia liability. Extensions are also available for reputational damage and cyber-crime.
Joe Stubbings
Associate Director, Technology & Cyber Practice – Financial and Professional Risks
Arthur J. Gallagher (UK) Limited is authorised and regulated by the Financial Conduct Authority. Registered Office: The Walbrook Building, 25 Walbrook, London EC4N 8AW. Registered in England and Wales. Company Number: 119013.