Construction-related businesses face the same fundamental cyberattacks and threats as other industries but have unique risks associated with specific tools they use for managing data, delivering services and systems control.
- 3D building information modelling (BIM) builds information models use computer-based files used to support efficient decision-making for planning, design, construction and building operations and maintenance.
- 5D BIM provides an enhanced visualisation and project-management platform. In the future augmented and virtual reality technology will be added to allow offices and the worksite to collaborate in real time.
- Industrial control systems (ICS) and supervisory control and data acquisition systems (SCADA) monitor and control equipment and plant operations.
- Drones enables job site surveillance, surveying and access to previously inaccessible places.
- Autonomous construction machinery is used for remote navigation of excavators, bulldozers, backhoes and dump trucks for efficient utilisation and lower operator costs.
- Robotics deployed in bricklaying and road paving replace highly repetitive, systematic manual processes.
- Biometrics are increasingly used to manage and control construction sites and projects, through access control to secure sites, on-site attendance reporting, health and safety, compliance and remote management of multiple workforce.
- Cloud technology is used by vendors to store data on behalf of the business.
- Mobile devices allow the highly decentralised construction industry to enhance collaboration at all stages of the construction process, including productivity tracking, report generation, document management, material logistics, inventory management and data analytics.
- Internet of things (IoT) provides for remote operation of wearables and machinery, supply replenishment, tracking of tools and equipment and remote usage monitoring.
Cyberattacks in the construction industry
Several recent studies provide evidence that cyber threat actors have the construction industry in their crosshairs. According to a recent Forrester survey, more than 75% of respondents in the construction, engineering and infrastructure industries had experienced a cyber-incident within the last 12 months. Moreover, it is projected that cybercrime will cost businesses approximately $6 trillion per year on average through 2021, according to Risk & Insurance.
Specifically, cyber risks expose construction businesses to
- liability to third parties, such as employees, clients and regulators, arising from computer security failure and breach of private information
- the costs of dealing with the failure of security or breach of privacy, including notification, ransom payment, forensics, legal services, data restoration and lost income through business interruption
- breach of confidential business information, though storing and sharing bid and project data/specifications, owner’s processes and project management
- unauthorised access and interference with project plant, data and specifications in scada and building information modelling (BIM)
- bodily injury and property damage through the failure of IoT, robotics and remote control of processes and physical security
- liability for delay and business interruption caused by unauthorised access to project data and systems.
Two specific cyberattack methods present a particularly heightened concern for construction.
- Social engineering: Social engineering schemes are one of the leading cyberattacks faced by the construction industry, according to the Verizon 2020 Data Breach Investigations Report. This involves cyber attackers impersonating senior management and key vendors through business email compromise (BEC) tactics. The criminal’s goal is to convince victims to transfer funds or provide sensitive information that can be monetised.
- Ransomware: Ransomware is a form of malware that targets both human and technical weaknesses in an organisation’s IT infrastructure. It is commonly deployed through phishing emails where victims are lured to click on malicious links or attachments containing this form of malware. This often results in all files in the network becoming encrypted and inaccessible, and can affect smartphones and other devices, inhibiting communication. In many cases, the victim receives a pop-up message demanding a ransom to be paid before receiving the decryption key to restore access to the hijacked data. Cybercriminals may place a time limit on the demand for payment, with threats to destroy or release sensitive data to the public. Ransomware attacks have evolved as the attack preference for hackers over the past year.
Ransomware attacks increased 33% from Q4 2019 to Q1 2020, with the average ransom payment amounting to $111,605, according to Coveware3. Perhaps even more troubling, the average downtime of ransomware victims was 15 days. That amount of lost productivity in the construction industry could easily lead to bottom line costs that dwarf the ransom paid.
Transferring the cyber risk
Gallagher has worked closely with the cyber insurance market to develop tailored risk transfer solutions for businesses across all industry sectors, including the construction sector. While there is no standard cyber insurance policy, there are some commonly offered coverages that are excellent mechanisms to save bottom line costs in the aftermath of a cyber attack. Other policies, including crime, property, liability, kidnap and ransom, and errors and omissions, may also offer some limited insurance coverage to cyber exposures.
However, a comprehensive stand-alone cyber insurance policy usually affords the most comprehensive coverage for cyber risks while traditional insurance lines are increasingly tightening policy language to exclude cyber risk related costs.
There are four segments to the cyber insurance risk transfer solution.
1. Your liability to others
pays defence costs and damages/settlements that you owe to others as a result of a failure of network security or a breach of private information
pays defence costs and fines/penalties regarding regulatory actions against you arising from a breach
pays contractual assessments owed due to noncompliance with pci (credit card) standards due to a breach
pays defence costs and settlements arising from professional/media errors and omissions (optional coverage)
pays claims alleging financial loss to third parties (such as your employees or clients).
2. Your costs of breach response
pays your costs to engage forensic, legal and PR advisors
pays your costs of notification of the breach to affected individuals as well as credit monitoring and identity theft monitoring.
3. Your own operational costs after a breach
pays the ransom in the event of cyber extortion as well as for related forensics. The insurer may deploy vendors who are expert negotiators with immediate access to cryptocurrency
pays your costs to recover data that has been damaged as a result of a computer security failure
pays your loss of income as a result of business interruption caused by a failure of computer security (yours or that of certain vendors, such as a cloud vendor).
4. Additional services from the insurer
provide immediate 24/7 help in the event of a suspected incident
provide access to approved advisors at panel rates
include risk management advice
include post-breach forensic services (optional).
Insurers are increasingly willing to add services to help their insureds avoid and mitigate risk. It is important to understand the options and their value when choosing a cyber insurer. The market continues to evolve rapidly, with over 150 insurers offering some form of cyber insurance.
Join Michael Herron and Robyn Adcock from our Parent Company Gallagher at 1:00pm AEDST on the 21st October 2021 as they examine how the cyber insurance market is responding to the escalating number of cyberattacks escalate and associated cyber claims.
Click here to register
If you would like to speak to a broker about Cyber Insurance solutions for your construction business. Call us on 13 IMAR 1300 054 956 today or complete the form here
To the extent that any material on this page may be considered advice, it does not take into account your objectives, needs or financial situation. You should consider whether the advice is appropriate for you and review any relevant Product Disclosure Statement and policy wording before taking out an insurance policy.