Cyber risk has risen to become one of the top concerns for almost every business, as threat actors continue to attack organizations of all sizes and across industry sectors. As businesses increasingly depend on technology, require immediate access to data, and rely on a cyber-secure vendor supply chain, the attack surface and the threat grow larger by the day. The construction industry epitomizes this reality.
The Expanding Cyberattack Surface in Construction
Construction-related businesses face the same fundamental cyberattacks and threats as other industries but have unique risks that are associated with specific tools they use for managing data, delivering services and systems control. These include:
- 3D Building Information Modeling (“BIM”) — Builds information models using computer-based files that support efficient decision-making for planning, design, construction, and building operations and maintenance.
- 5D BIM — Provides an enhanced visualization and project-management platform. In the future, augmented- and virtual-reality technology will be added to allow offices and the worksite to collaborate in real-time.
- Industrial Control Systems (ICS) and Supervisory Control and Data Acquisition Systems (SCADA) — Monitors and controls equipment and plant operations.
- Drones — Enables job site surveillance, surveying and access to previously inaccessible places.
- Autonomous Construction Machinery — Used for the remote navigation of excavators, bulldozers, backhoes and dump trucks for higher utilization rates and lower operator costs.
- Robotics — The deployment of robotics in bricklaying and road paving, to replace highly repetitive, systematic manual processes.
- Biometrics — Increasingly used to manage and control construction sites and projects, through access control to secure sites, on-site attendance reporting, health and safety, compliance, and remote management of multiple workforces.
- Cloud technology — The use of vendors to store data on behalf of the business.
- Mobile devices — Allows the highly decentralized construction industry to enhance collaboration at all stages of the construction process, including productivity tracking, report generation, document management, material logistics, inventory management and data analytics.
- Internet of Things (IoT) — Provides for remote operation of wearables and machinery, supply replenishment, tracking of tools and equipment and remote usage monitoring.
Cyberattacks in the Construction Industry
Several recent studies provide evidence that cyber threat actors have the construction industry in their crosshairs. According to a recent Forrester survey, more than 75% of respondents in the construction, engineering and infrastructure industries had experienced a cyber-incident within the last 12 months. Moreover, it is projected that cybercrime will cost businesses approximately $6 trillion per year on average through 2021 [1].
Specifically, cyber risks expose construction businesses to:
- Liability to third parties, such as employees, clients and regulators, arising from computer security failure and breach of private information.
- The costs of dealing with the failure of security or breach of privacy, including notification, ransom payment, forensics, legal services, data restoration and lost income through business interruption.
- Breach of confidential business information, through storing and sharing bid and project data/specifications, owner’s processes and project management.
- Unauthorized access and interference with project plant, data and specifications in SCADA and Building Information Modeling (BIM).
- Bodily injury and property damage through the failure of IoT, robotics and remote control of processes and physical security.
- Liability for delay and business interruption caused by unauthorized access to project data and systems.
Two specific cyberattack methods present a particularly heightened concern for construction:
Social Engineering: According to the Verizon 2020 Data Breach Investigations Report, social engineering schemes are among the leading cyberattacks faced by the construction industry [2]. These schemes involve cyberattackers impersonating senior management and key vendors through Business Email Compromise (BEC) tactics. The criminal’s goal is to convince victims to wire funds or provide sensitive information that can be monetized.
Ransomware: Ransomware is a form of malware that targets both human and technical weaknesses in an organization’s IT infrastructure. It is commonly deployed through phishing emails, where victims are lured into clicking on malicious links or attachments containing this form of malware. This often results in all files in the network becoming encrypted and inaccessible, and it can affect smartphones and other devices, inhibiting communication. In many cases, the victim receives a pop-up message demanding that a ransom be paid before the victim receives the decryption key to restore access to the hijacked data. Cybercriminals may place a time limit on the demand for payment, with threats to destroy or release sensitive data to the public. Over the past year, ransomware has emerged as the preferred attack for hackers.
According to Coveware [3], ransomware attacks increased 33% from Q4 2019 to Q1 2020, with the average ransom payment amounting to $111,605. Perhaps even more troubling in the Coveware report: the average downtime of ransomware victims was 15 days. That amount of lost productivity in the construction industry could easily lead to bottom line costs that dwarf the ransom paid.
Transferring the Cyber Risk
Gallagher has worked closely with the cyber insurance market to develop tailored risk transfer solutions for businesses across all industry sectors, including the construction sector. While there is no standard cyber insurance policy, there are some commonly offered coverages that are excellent mechanisms to save bottom line costs in the aftermath of a cyberattack. Other policies, including crime, property, liability, kidnap & ransom and errors & omissions, may also offer some limited insurance coverage for cyber exposures. However, a stand-alone cyber insurance policy usually affords the most comprehensive coverage for cyber risks, while traditional insurance lines are increasingly tightening policy language to exclude cyber-risk-related costs.
There are four segments to the cyber insurance risk transfer solution:
1. Your liability to others.
- Pays defense costs and damages/settlements that you owe to others as a result of a failure of network security or a breach of private information.
- Pays defense costs and fines/penalties regarding regulatory actions against you arising from a breach.
- Pays contractual assessments owed due to noncompliance with PCI (credit card) standards due to a breach.
- Pays defense costs and settlements arising from professional/media errors and omissions (optional coverage).
- Pays claims alleging financial loss to third parties (such as your employees or clients).
2. Your costs of breach response.
- Pays your costs to engage forensic, legal and PR advisors.
- Pays your costs of notification of the breach to affected individuals as well as credit monitoring and identity theft monitoring.
3. Your own operational costs after a breach.
- Pays the ransom in the event of cyber extortion as well as for related forensics. The insurer may deploy vendors who are expert negotiators with immediate access to cryptocurrency.
- Pays your costs to recover data that has been damaged as a result of a computer security failure.
- Pays your loss of income as a result of business interruption caused by a failure of computer security (yours or that of certain vendors, such as a cloud vendor).
4. Additional services from the insurer.
- Provides immediate 24/7 help in the event of a suspected incident.
- Provides access to approved advisors at panel rates.
- Includes risk management advice.
- Includes post-breach forensic services (optional).
1. Risk and Insurance Cyber Coverage in the Construction Industry
2. 2020 Data Breach Investigations Report
3. Coveware Ransomware Payments in Q1 2020