Cyber risk management and insurance in Construction
The construction industry is becoming more connected through electronic solutions and remotely accessible systems. Until now, labour productivity in the construction sector has not seen the same increase as in general manufacturing, but this is expected to change in the foreseeable future. Despite improved procurement and supply-chain management, it is particularly digital technology, new materials and advanced automation that promise the largest gains.
A specific trait of companies in the construction sector is that each building is, to a varying extent, different from any other. As a consequence, builders and joint venture partners, vendors, subcontractors, suppliers and financial institutions are brought together in changing constellations every time. They co-operate under a contractual framework drafted specifically for that one project and are tasked with creating something that has not been done in this exact configuration before. At the same time, they try to perform as efficiently as possible to produce works that are fit for purpose and free of defects, while securing the sometimes slim operating margin the industry offers. This is in contrast to any stationary industry, where locations and stakeholders are a lot easier to oversee and processes are more standardized and more accessible to optimization and immunization against threats.
The main attack vectors in the construction industry in cyber are:
Some of these assets are at risk by a cyber-incident:
To illustrate cyber claims examples in the construction industry, we consider the following units of a construction company and claims we have observed:
Recent media coverage of incidents only supports our illustration. In October 2018, for instance, Ingérop was the victim of a cyber attack in which the perpetrators were able to obtain documents relating to nuclear plants, jails/correctional facilities and railway lines. The breach comprised 65 gigabytes, including the exact locations of video surveillance intended for use in a French high-security prison, as well as plans for a final disposal site for nuclear waste and sensitive details on more than 1,200 employees of Ingérop.
Two of the largest construction companies in Austria were affected recently as well. In one instance in 2020, the company's communication system was affected internationally, including encryption of files on network drives, ultimately rendering the company unable to act for several days, while the actual impairment of operations (and, correspondingly, increased IT costs) went on for several months thereafter. The second well-known incident in Austria started with a phishing email titled "Information on the Corona Virus". In this case, the actors gained access to the data of the project owner, a municipality, and subsequently tried to extort them.
Also in 2020, a ransomware attack on Bouygues meant that internal applications, the intranet and the email system had to be taken offline, and even phone services failed intermittently. The hacker group Maze subsequently demanded 10 million EUR in ransom based on the attack, which presumably originally affected only part of the system in Toronto and Montréal, and subsequently affected systems worldwide.
Do you need insurance?
It is an entrepreneurial decision which risks to take and which ones to transfer. The cyber arena presents exposures which simply did not exist 5-10 years ago. And just as the business environment changes, so does the response of companies to those changes.
As of today, insurance premiums are still low and wide coverage is available. In the wake of the numerous cyber incidents registered in recent times, however, premiums are bound to go up and cover to become more restrictive. Costs following a cyber breach can easily reach millions of euros, composed of – depending on the loss scenario:
As even the most advanced IT security cannot guarantee full safety (think of the recent SolarWinds hack, which even affected the source code of widely used Microsoft products, though the full extent is yet to be assessed), it seems prudent to install a safety net which will step in should security measures fail and which covers the worst-case scenario of company closure.
The mere question of when a cyber-insurance policy is triggered is simple:
The way ahead and how we can help
The evolution of technology will continue to shape value creation in construction. A conscious analysis will contribute to the resilience of the organisation and minimize the negative effects cyber incidents may have. GrECo Risk Engineering offers specialized services that support the assessment of cyber exposures and the choice of adequate insurance levels. With CyberSolid, GrECo exclusively offers an insurance solution with extensive cover and a simple application process.
Insurance claims management is our core business, especially when it comes to complex or major claims. In doing so, we strive to achieve successful results.