The rise of cyber risk in the construction industry
Published 16 July 2020
Cyber risk is a leading concern in business as threat actors continue to attack organisations of all sizes across all industry sectors. As we increasingly depend on technology, access to data and chains, the attack surface grows larger by the day. Globally, Gallagher cyber experts provide key information and insights on the growing risks and protections in the construction space.
The expanding cyberattack surface in construction
Construction-related businesses face the same fundamental cyberattacks and threats as other industries but have unique risks associated with the specific tools they use for managing data, delivering services and controlling systems. These include:
3D building information modeling (BIM) uses computer-based information models to support efficient decision-making for planning, design, construction, and building operations and maintenance.
5D BIM provides an enhanced visualisation and project-management platform. In the future, augmented and virtual reality technology will be added to allow offices and the worksite to collaborate in real time.
Industrial control systems (ICS) and supervisory control and data acquisition systems (SCADA) monitor and control equipment and plant operations.
Drones enable job site surveillance, surveying and access to previously inaccessible places.
Autonomous construction machinery is used for remote navigation of excavators, bulldozers, backhoes and dump trucks for efficient utilisation and lower operator costs.
Robotics deployed in bricklaying and road paving replace highly repetitive, systematic manual processes.
Biometrics are increasingly used to manage and control construction sites and projects, through access control to secure sites, on-site attendance reporting, health and safety, compliance and remote management of multiple workforces.
Cloud technology is used by vendors to store data on behalf of the business.
Mobile devices allow the highly decentralised construction industry to enhance collaboration at all stages of the construction process, including productivity tracking, report generation, document management, material logistics, inventory management and data analytics.
Internet of things (IoT) provides for remote operation of wearables and machinery, supply replenishment, tracking of tools and equipment and remote usage monitoring.
Cyberattacks in the construction industry
Several recent studies provide evidence that cyber threat actors have the construction industry in their crosshairs. According to a recent Forrester survey, more than 75% of respondents in the construction, engineering and infrastructure industries had experienced a cyber incident within the last 12 months. Moreover, it is projected that cybercrime will cost businesses approximately $6 trillion per year on average through 2021, according to Risk & Insurance.
Specifically, cyber risks expose construction businesses to:
liability to third parties, such as employees, clients and regulators, arising from computer security failure and breach of private information
the costs of dealing with the failure of security or breach of privacy, including notification, ransom payment, forensics, legal services, data restoration and lost income through business interruption
breach of confidential business information, through storing and sharing bid and project data/specifications, owner’s processes and project management
unauthorised access and interference with project plant, data and specifications in SCADA and building information modeling (BIM)
bodily injury and property damage through the failure of IoT, robotics and remote control of processes and physical security
liability for delay and business interruption caused by unauthorised access to project data and systems.
Two specific cyberattack methods present a particularly heightened concern for construction.
Social engineering: Social engineering schemes are one of the leading cyberattacks faced by the construction industry, according to the Verizon 2020 Data Breach Investigations Report. This involves cyber attackers impersonating senior management and key vendors through business email compromise (BEC) tactics. The criminal’s goal is to convince victims to transfer funds or provide sensitive information that can be monetised.
Ransomware: Ransomware is a form of malware that targets both human and technical weaknesses in an organisation’s IT infrastructure. It is commonly deployed through phishing emails in which victims are lured to click on malicious links or attachments containing the malware. This often results in all files in the network becoming encrypted and inaccessible, and can affect smartphones and other devices, inhibiting communication. In many cases, the victim receives a pop-up message demanding that a ransom be paid before they receive the decryption key to restore access to the hijacked data. Cybercriminals may place a time limit on the demand for payment, with threats to destroy or release sensitive data to the public. Ransomware has become the preferred attack method for hackers over the past year.
Ransomware attacks increased 33% from Q4 2019 to Q1 2020, with the average ransom payment amounting to $111,605, according to Coveware. Perhaps even more troubling, the average downtime of ransomware victims was 15 days. That amount of lost productivity in the construction industry could easily lead to bottom-line costs that dwarf the ransom paid.
Transferring the cyber risk
Gallagher has worked closely with the cyber insurance market to develop tailored risk transfer solutions for businesses across all industry sectors, including the construction sector. While there is no standard cyber insurance policy, there are some commonly offered coverages that are excellent mechanisms for saving bottom-line costs in the aftermath of a cyberattack. Other policies, including crime, property, liability, kidnap and ransom, and errors and omissions, may also offer some limited insurance coverage for cyber exposures.
However, a stand-alone cyber insurance policy usually affords the most comprehensive coverage for cyber risks, while traditional insurance lines are increasingly tightening policy language to exclude cyber-related costs.
“One of the major benefits of cyber insurance is its crisis management component.”
Roger Irvine, Gallagher Construction Practice Leader – Australia & Asia
“We’ve had construction clients report a ransom of their computer systems / data to the police who advised it was outside their jurisdiction. A cyber policy would typically not only pay the ransom amount but helps construction companies manage the post-event response.”
There are four segments to the cyber insurance risk transfer solution.
Your liability to others:
pays defence costs and damages/settlements that you owe to others as a result of a failure of network security or a breach of private information
pays defence costs and fines/penalties regarding regulatory actions against you arising from a breach
pays contractual assessments owed due to non-compliance with PCI (credit card) standards as a result of a breach
pays defence costs and settlements arising from professional/media errors and omissions (optional coverage)
pays claims alleging financial loss to third parties (such as your employees or clients).
Your costs of breach response:
pays your costs to engage forensic, legal and PR advisors
pays your costs of notification of the breach to affected individuals as well as credit monitoring and identity theft monitoring.
Your own operational costs after a breach:
pays the ransom in the event of cyber extortion, as well as the related forensics. The insurer may deploy vendors who are expert negotiators with immediate access to cryptocurrency
pays your costs to recover data that has been damaged as a result of a computer security failure
pays your loss of income as a result of business interruption caused by a failure of computer security (yours or that of certain vendors, such as a cloud vendor).
Additional services from the insurer:
provide immediate 24/7 help in the event of a suspected incident
provide access to approved advisors at panel rates
include risk management advice
include post-breach forensic services (optional).
Insurers are increasingly willing to add services to help their insureds avoid and mitigate risk. It is important to understand the options and their value when choosing a cyber insurer. The market continues to evolve rapidly, with over 150 insurers offering some form of cyber insurance.
Gallagher provides insurance, risk management and benefits consulting services for clients in response to both known and unknown risk exposures. When providing analysis and recommendations regarding potential insurance coverage, potential claims and/or operational strategy in response to national emergencies (including health crises), we do so from an insurance and/or risk management perspective, and offer broad information about risk mitigation, loss control strategy and potential claim exposures. We have prepared this commentary and other news alerts for general information purposes only, and the material is not intended to be, nor should it be interpreted as, legal or client-specific risk management advice. General insurance descriptions contained herein do not include complete insurance policy definitions, terms and/or conditions, and should not be relied on for coverage interpretation. The information may not include current governmental or insurance developments, is provided without knowledge of the individual recipient’s industry or specific business or coverage circumstances, and in no way reflects or promises to provide insurance coverage outcomes, which only insurance carriers control.
Insurance brokerage and related services to be provided by Arthur J. Gallagher & Co (Aus) Limited (ABN 34 005 543 920). Australian Financial Services License (AFSL) No. 238312