Why cyber insurance is critical for construction businesses
Construction companies use technology to improve efficiency and productivity. But many fail to recognize that weak or outdated security controls can make them vulnerable to cyber attacks. In fact, construction is one of the most frequently targeted industries. Attackers often exploit everyday technology, like email and passwords, as well as unsuspecting employees to gain unauthorized access and pursue malicious activities.
A cyber attack can be costly, disruptive, and cause irreparable damage to a business’ reputation, which is why cybersecurity should be a priority for construction companies that depend on technology to operate. While fraudulent payments and data theft are among the most common cyber threats, many of the technologies used in construction can create additional risk for bodily injury and property damage, underscoring the importance of strong security controls and cyber insurance.
How bad could one small security incident be?
$110,000
Average cost of a cyber claim for construction businesses
80%
Percentage of cyber attacks originating from email inbox
$264,000
Average ransomware loss for construction businesses
Unique exposures for construction companies
How essential technologies can create cyber risk
Building information modeling (BIM) software
BIM software is used to create 3D models and help with planning, coordinating, and managing project costs. While BIM software can improve efficiency and reduce errors, the data it relies on exposes organizations to cyber risk in the event of a breach.
Email & mobile devices
Mobile devices are essential for communication among construction workers, particularly email. However, business email compromise (BEC) is a frequent cause of cyber insurance claims for construction companies, which can trigger data breaches, business interruption and even reputational damage.
End-of-life software & hardware
Some organizations may use outdated technologies with the belief that upgrading would be expensive, time-consuming, and disruptive. However, technologies no longer supported by the manufacturer often have known security vulnerabilities and may lack important security features to protect against modern threats.
Field operations platforms
This technology is used to keep track of workers’ progress, help coordinate delivery of supplies, and manage devices used on-site. The platform typically holds crucial data that can be vulnerable to cyber attacks, especially when connected to insecure networks in the field.
Safety management software
Used to manage safety and compliance on construction sites, this software supports employee health and safer working conditions by helping with inspections, incident reporting, and training.
Supervisory control and data acquisition (SCADA) systems
Used to gather and analyze equipment data, SCADA systems can be vulnerable to cyber attacks through outdated software, a lack of encryption, weak passwords, and unsecured wireless networks, which can lead to unauthorized access and data compromise.
How sensitive data can increase business liability
Corporate confidential data
To perform work and access job sites, construction firms and contractors often need access to sensitive corporate data, such as blueprints, architectural/electrical drawings, and change orders. Governance of this data may be addressed in contracts, and breach implications can be significant.
Legal and contractual data
Construction companies may have access to contracts, legal agreements, and disputes, including settlements, judgments, and court orders. Mishandling confidential data can cause significant damage to the data owner.
Personally identifiable information (PII)
PII is any data that can potentially identify a specific person. PII can be used to launch cyber attacks or gain access to networks to initiate attacks. Organizations that mishandle PII or fail to respond to a data breach appropriately can be subject to fines, penalties, and other financial damages.
Protected health information (PHI)
Some construction firms may have access to health-related information, such as disabilities or injuries, for the purposes of accommodation and compliance. All PHI must be protected to ensure medical privacy and comply with Health Insurance Portability & Accountability Act (HIPAA) regulations.
For more insights, download our complete guide:
Business impacts for construction companies
What to expect after a cyber incident
Direct costs to respond
Responding to a cyber event typically requires numerous direct costs, most commonly first-party expenses. If a construction business experiences BEC and sensitive data is involved, it can trigger a need for additional legal counsel, forensic investigation, victim remediation, and notification. Simple investigations can cost tens of thousands of dollars, while more complex matters can increase costs exponentially.
Liability to others
Many construction companies face new and unexpected exposures after a cyber event. Though most do not collect large amounts of sensitive personal information, they may have access to corporate confidential data and systems; some must also comply with industry standards or government requirements for protecting data. This type of information and access is typically addressed in contracts and often carries strict information security and disclosure requirements in the event of a breach, exposing firms to cyber liability they may not anticipate.
Business interruption and reputation damage
A cyber event that impacts essential technology can have a significant impact on a construction business' ability to operate and can be highly visible to clients, customers, and other stakeholders. Even short periods of disruption can lead to direct loss of revenue and inhibit the ability to support clients, negatively impacting client retention and acquisition.
Cybercrime
Beyond ransomware and data breaches, cyber events can result in financial theft for a construction company or its clients — often without an actual breach. If an attacker dupes someone in the billing department to alter payment instructions, a business can lose tens or hundreds of thousands of dollars almost instantly. Attackers can also gain access to email accounts and send fraudulent invoices or payment instructions to clients, customers, and other third parties.
Recovery and restoration
After a cyber event, resuming operation is no easy task. If an attacker damages or destroys essential technology, data, or physical equipment, a construction business may need to bring in external support or purchase new equipment to re-secure systems. Full remediation, restoration, and recovery can take a significant amount of time, when possible, and may require purchasing new software, systems, and consultants to rebuild the network.
CYBER INSURANCE BUYER’S GUIDE
Choosing the right cyber coverage for your business
Cyber insurance is an essential aspect of modern risk management, offering coverage for the losses associated with data breaches, cyber extortion, business interruption, and other cyber-related incidents.
Coalition created a Cyber Insurance Buyer's Guide to help businesses navigate the complex cyber insurance market and confidently select the right coverage for their business.
Coalition’s products are underwritten by certain underwriters at Lloyd’s of London (A.M. Best A rating) and Arch Insurance Canada Ltd. (A.M. Best A+ rating).
