In this article, Paul Lowe, a specialist Construction solicitor at Weightmans LLP, flags one of the key issues facing the UK Construction sector, and whether firms ought to be giving due consideration to the use of cyber insurance.
Build Information Model 

Most sectors are exposed to cyber risk and the construction industry is, unfortunately, no different. According to recent research, only 41% of even the most disruptive cyber security breaches are reported1. This means that most cyber attacks in the construction sector may not become public knowledge, resulting in an untrue reflection of the scale and nature of cyber crime being presented. However, a leading survey indicates that the construction industry does not prioritise cyber security highly enough and the sector ought to educate itself in this vital area as the speed and extent of digitalisation accelerates.

A government cyber security survey shows that 59% of construction businesses believe online services are not a core part of their business offer. The same study reveals that the construction sector is an industry where senior managers are more likely to see cyber security as a low priority (35%, versus 24% overall.*) This is despite the fact that the construction sector is increasingly susceptible to data security issues due to its reliance on digitised information from the design stage through to the construction of major projects.

Building Information Modelling (BIM)

One of the major trends in the construction world in recent years, particularly in the area of design, has been the introduction of building information modelling (BIM) – a way of digitally coordinating design data. Whilst there is no commonly agreed definition, in its broadest sense BIM describes the process of generating and managing digital information concerning a built asset. In other words BIM is a tool used principally in the design and construction stages of a project to allow digitised information and drawings to be incorporated into one model, typically in a 3D format.

For example, complex construction projects will, as a matter of course, incorporate numerous services, such as electrical, water and gas which will be required to be co-ordinated with the structural design elements of the building. BIM enables digitised information and drawings to be brought together into one 3D computer generated. As a result, BIM is increasingly important to the construction industry because of the versatility it allows in the design process.

Central to the use of BIM is the operation of a common data environment, which is used by the design team to collect, manage and issue documentation, the project’s graphical model and nongraphical data. One of the principal motivations behind operating a common data environment is to enable greater collaboration between project members.

Some of the most popular software drawing tools for BIM are:

  • Autodesk Revit (Architecture/Structure/MEP)
  • Graphisoft ArchiCAD
  • Autodesk AutoCAD
  • Autodesk AutoCAD LT
  • Nemetscheck Vectorworks
  • Other
  • Bentley Microstation
  • Trimble Sketchup (formerly Google Sketchup)
  • Bentley AECOsim Building Designer

However, as BIM becomes more important, threats to the security of digital data become greater. In particular, BIM platforms are vulnerable to attack, manipulation, or other malicious activity by third party actors. The integrated nature of BIM also contributes to those threats. If designers and contractors are joining together a range of different designs and information from consultants who have different data, and this information is being pooled, the potential risk arises of malicious actors attacking one designer to affect the broader project. The risk not only lies with external parties but from internal actors too, who may wish to sabotage or otherwise detrimentally influence the course of a project. As information and designs from different individuals involved with a project are collected together, the consequence is that if one point of entry is compromised then a whole project can be accessed. This can have severe cost and timescale implications for a project. For instance, if all the CAD drawings relating to a project are stolen or deleted, the costs of replacing them and business interruption costs would be huge.

There is a risk then of a domino effect, with very costly delays to projects. In the construction world projects are built to tight timescales often based on the need for investors to realise their investments in an achievable timescale. This return can be disrupted as a result of interference in the design and construction process, representing a significant financial risk to everyone in the procurement chain.

The construction industry also heavily relies on other forms of digital information and other cloud applications to organise projects, right from the design stage through to the construction stage. Most of this information is commercially sensitive and is therefore valuable to those involved with the projects. The increased activity of cyber criminals therefore poses a real risk to construction businesses.

Ramping up cyber security

Construction companies also need to consider further tightening the security of their information systems. For instance, it is important to tailor access and sharing rights to relevant parties so that opportunities to influence design are not presented to organisations who do not have responsibility or competency for an element of design or who have not approved a project’s BIM policy. There are also regulations, such as GDPR, and international standards relating to the handling of data which should be complied with, to assist the protection of digital information.

Importantly, the insurance market offers a mature cyber risk product including cover for: First Response and Incident Management, Regulatory Investigations and Third Party Claims, Business/Network Interruption and Cyber Ransom and Extortion. Insurers are, therefore, able to provide much needed expertise and advice to businesses on how to avoid cyber risk. Cyber insurance policies then offer comfort to business against the growing cyber risks of operating in a BIM environment.

In association with Weightmans

Weightmans has recently launched CyXcel - A 360° approach to information security, data protection and privacy - with an emphasis on cyber resilience, incident planning and response.

Weightmans LLP is a leading UK law firm with a nationally recognised construction practice providing a comprehensive service for both projects and dispute management across a broad range of sectors. Clients include developers, main contractors, utilities, transport authorities, education institutions, consultants and sub-contractors. The team advises on all aspects of construction risk management from procurement to completion.