Why cyber insurance is critical for construction businesses
Construction companies use technology to improve efficiency and productivity. But many fail to recognize that weak or outdated security controls can make them vulnerable to cyber attacks. Attackers often exploit everyday technology, like email and passwords, as well as unsuspecting employees to gain unauthorised access and pursue malicious activities.
A cyber attack can be costly and disruptive, and can cause irreparable damage to a business’s reputation, which is why cybersecurity should be a priority for construction companies that depend on technology to operate. While fraudulent payments and data theft are among the most common cyber threats¹, many of the technologies used in construction can create additional risk for bodily injury and property damage, underscoring the importance of strong security controls and cyber insurance.
How bad could one small security incident be?
£83,300²
Average cost of a cyber claim for construction businesses
80%³
Percentage of cyber attacks originating from email inbox
£197,000³
Average ransomware loss for construction businesses
Unique exposures for construction companies
How essential technologies can create cyber risk
Building information modeling (BIM) software
BIM software is used to create 3D models and help with planning, coordinating, and managing project costs. While BIM software can improve efficiency and reduce errors, the data it relies on can expose organisations to cyber risk in the event of a breach.
Email & mobile devices
Mobile devices are essential for communication among construction workers, particularly for email. However, business email compromise (BEC) is a frequent cause of cyber insurance claims for construction companies⁴, which can trigger data breaches, business interruption and even reputational damage.
End-of-life software & hardware
Some organisations may use outdated technologies with the belief that upgrading would be expensive, time-consuming, and disruptive. However, technologies no longer supported by the manufacturer often have known security vulnerabilities and may lack important security features to protect against modern threats.
Field operations platforms
This technology is used to keep track of workers’ progress, help coordinate delivery of supplies, and manage devices used on-site. The platform typically holds crucial data that can be vulnerable to cyber attacks, especially when connected to unsecure networks in the field.
Safety management software
Used to manage safety and compliance on construction sites, this software supports employee health and safer working conditions by helping with inspections, incident reporting, and training.
Supervisory control and data acquisition (SCADA) systems
Used to gather and analyse equipment data, SCADA systems can be vulnerable to cyber attacks through outdated software, a lack of encryption, weak passwords, and unsecured wireless networks, which can lead to unauthorised access and data compromise.
How sensitive data can increase business liability
Corporate confidential data
To perform work and access job sites, construction firms and contractors often need access to sensitive corporate data, such as blueprints, architectural/electrical drawings, and change orders. Governance of this data may be addressed in contracts, and breach implications can be significant.
Legal and contractual data
Construction companies may have access to contracts, legal agreements, and disputes, including settlements, judgments, and court orders. Mishandling confidential data can cause significant damage to the data owner.
Financial data
Collecting and processing financial information requires adherence to industry standards. Mishandling or unauthorised disclosure of financial data can cause direct harm to clients and even trigger industry and regulatory investigations.
Personally identifiable information (PII)
PII is any data that can potentially identify a specific person. PII can be used to launch cyber attacks or gain access to networks to initiate attacks. Organisations that mishandle PII or fail to respond to a data breach appropriately can be subject to fines, penalties, and other financial damages.
Sensitive employee information
Every organisation collects and stores information about its employees. Unauthorised access or disclosure of this data — whether PII, PHI, financial, or otherwise — can cause direct harm to employees.
Business impacts for construction companies
What to expect after a cyber incident
Direct costs to respond
Responding to a cyber event typically requires numerous direct costs, also known as first-party expenses. If a legal organisation experiences a BEC and sensitive data is involved, it can trigger a need for additional legal counsel, forensic investigation, victim remediation, and notification. Simple investigations can cost tens of thousands of pounds, while more complex matters can increase costs exponentially.
Liability to others
Many construction companies face new and unexpected exposures after a cyber event. Though most do not collect large amounts of sensitive personal information, they may have access to corporate confidential data and systems; some must also comply with industry standards or government requirements for protecting data. This type of information and access is typically addressed in contracts and often carries strict information security and disclosure requirements in the event of a breach, exposing firms to cyber liability they may not anticipate.
Business interruption and reputation damage
A cyber event that impacts essential technology can significantly affect a construction business's ability to operate and can be highly visible to clients, customers, and other stakeholders. Even short periods of disruption can lead to direct loss of revenue and inhibit the ability to support clients, negatively impacting client retention and acquisition.
Cybercrime
Beyond ransomware and data breaches, cyber events can result in financial theft for a construction company or its clients — often without an actual breach. If an attacker dupes someone in the billing department to alter payment instructions, a business can lose tens or hundreds of thousands of pounds almost instantly. Attackers can also gain access to email accounts and send fraudulent invoices or payment instructions to clients, customers, and other third parties.
Recovery and restoration
After a cyber event, resuming operations can be no easy task. If an attacker damages or destroys essential technology, data, or physical equipment, a construction business may need to bring in external support or purchase new equipment to re-secure systems. Full remediation, restoration, and recovery can take a significant amount of time, when possible, and may require purchasing new software, systems, and consultants to rebuild the network.

CYBER INSURANCE BUYER’S GUIDE
Choosing the right cyber coverage for your business
Cyber insurance is an essential aspect of modern risk management, offering coverage for the losses associated with data breaches, cyber extortion, business interruption, and other cyber-related incidents.
Coalition created a Cyber Insurance Buyer's Guide to help businesses navigate the complex cyber insurance market and confidently select the right coverage for their business.
