Cyber attacks in the construction industry

Within the construction industry, businesses collaborate in a digital environment. Many project stakeholders, from contractors and sub-contractors to architects, engineers and surveyors, have access to shared IT platforms in a way that is unique to the construction industry.

This reliance on networks, software applications and shared data provides the industry with fully automated connectivity, allowing communication and access to shared data in ways not imagined a decade ago.

With this increased efficiency comes an upsurge in risk, particularly against a background of features inherent within the construction industry. For one, the sheer volume of shared confidential data (including budgets, bid information, technical drawings and product design, commercial or trading details, and trade secrets) comes with added security risks. Other characteristics of the industry include the widespread use of tablets, smart phones or laptops (increasing the number of entry points into systems) and the heavy reliance on sub-contractors and transient labour forces, with ensuing pressure points around training.

Construction is a high cash-flow business. The success of a company is based upon its ability to meet project deadlines and contract specifications and to fund its contractors. Certain cyber incidents have the potential to impact a company’s ability to meet these goals, with hefty financial implications (including business interruption losses, an inability to tender due to a system outage, cash flow issues, etc.).

Are we really at risk?

Exposure of Corporate Information
The exposure of confidential information could lead to the following direct costs and third party damages:

  • Forensic investigation of the breach and legal advice and PR costs on how to respond;
  • Claims by clients and others for the cost to redesign or reconstruct secure facilities or systems;
  • Damages associated with unfair competition due to release of trade secrets;
  • Defence costs associated with third party claims;
  • Regulatory (e.g. GDPR) requirements. Whilst fines will only be covered under an insurance policy if insurable by law, costs of responding to a regulatory request for information are generally covered under a “standard” cyber policy.


Breach of Network Security
Security breaches such as malicious software, denial of service attacks, etc. could cause the following direct damages and third party liability claims:

  • Lost income related to the inability to conduct business and provide services; 
  • Damages suffered by third parties that interact with a construction firm’s system; 
  • Loss of confidence by clients and potential reputational harm.


Building Information Modelling
Building information modelling (BIM) is a central repository which allows input from various parties, either working independently for later consolidation (level 2), or working on the same integrated model at the same time (level 3). Due to the shared nature of BIM and the numerous connected parties, the risks of a data security breach are much greater, particularly within BIM level 3. Threats include criminals seeking commercial gain by exploiting IP, sabotaging the project or holding commercially sensitive information to ransom.


Professional Indemnity Coverage
How does a cyber insurance policy interact with and supplement a construction company’s professional indemnity (PI) insurance?

  • A cyber loss, if covered by the PI policy, would be subject to the self-insured retention which is often very high for construction firms and would be a large out-of-pocket expense;
  • A cyber loss, if covered, would erode the PI limits available for construction PI claims, and subsequently impact the professional indemnity loss ratio and potentially, the premium;
  • Cyber insurance is relatively inexpensive compared to the cost of PI insurance and usually contemplates much lower deductibles;
  • To trigger coverage under the PI policy, there must be an alleged wrongful act in the conduct of professional services. However, a construction company could be liable for data or network security breaches even in the absence of a wrongful act and the incident will not always be in connection with the provision of professional services. Cyber policies will often cover a breach regardless of wrongful conduct or a connection to professional services;
  • Direct costs (e.g. IT forensics, legal advice, PR costs) incurred by a construction company in responding to a breach are generally not covered by the PI policy, whereas they are covered under a “standard” cyber policy.


Cyber Specific Insurance
At Lockton, we specialise in large, complex insurance programmes for global construction and civil engineering companies. Our controlled insurance programmes are tailored to your complex needs, ensuring adequate coverage for all parties across all lines of cover. This experience in the industry gives us an excellent view of the cyber purchasing habits of, and the exposures faced by, the construction sector.

We cannot overstate the importance of implementing a comprehensive cyber-security strategy for your construction organisation. Protecting a business’s systems is vital to protecting its activities, customers, reputation and revenue, and recognising the particular vulnerabilities across the construction sector is critical.

It is worth mentioning that many traditional policies will not respond to a cyber breach. A cyber policy is designed to respond to the following events, which would not necessarily be met by more traditional policies:

  • Data breach from an external cyber attack;
  • Reputational and financial loss from a computer system’s failure due to a malicious attack;
  • Regulatory defence and civil awards, fines and penalties as a result of a security breach;
  • Breach response costs;
  • Ransom request following a computer systems attack.

A cyber-attack can have far-reaching ramifications for the construction sector. Understanding these risks and proactively mitigating them is key. Our team of cyber risk experts will work with you to create a customised solution that protects and insures your business exactly where you need it, and ensures that cyber risks are integrated into your risk management process. Rebuilding confidence is vital.
