Cyber risk management and insurance in Construction

The construction industry is becoming more connected through electronic solutions and remotely accessible systems. Until now, labour productivity in the construction sector has not seen the same increase as in general manufacturing, but this is expected to change in the foreseeable future. Alongside improved procurement and supply-chain management, it is particularly digital technology, new materials and advanced automation that promise the largest gains.

A specific trait of companies in the construction sector is the fact that each building is, to a varying extent, different from any other. As a consequence, builders and joint venture partners, vendors, subcontractors, suppliers and financial institutions are brought together in changing constellations every time. They co-operate under a contractual framework drafted specifically for that project and are tasked with creating something that has not been done in this exact configuration before, while at the same time trying to perform as efficiently as possible to produce works fit for purpose and free of defects, and securing the sometimes slim operating margin the industry offers. This is contrary to any stationary industry, where locations and stakeholders are a lot easier to oversee, and processes are more standardized and accessible for optimization and immunization against threats.

The main cyber attack vectors in the construction industry are:

  • Social engineering: psychological manipulation of people into performing actions or divulging confidential information. People and companies change from project to project, and personnel also fluctuates within projects.
  • Access points: construction trailers, site offices and decentralized IT are often more vulnerable and easier to access physically than on-site premises or offices in buildings.
  • Increasing digitisation of the value creation chain, from project management software and the electronic flow of designs and BIM through to the Internet of Things (IoT) and automated machinery.
  • Ransomware: a piece of malicious software that blocks access to a system, encrypts it or threatens to publish the victim’s data unless a ransom is paid (extortion).
  • Dependency on subcontractors and suppliers: if a subcontractor or supplier is affected by a cyber attack, it may negatively influence the timely completion of a project.
  • Hacktivists identifying companies as targets because of their involvement in certain areas/projects (fossil fuels, nuclear power plants, some sort of industrial plant).
  • Human error / malicious (ex-)employees.

Assets and positions put at risk by a cyber incident include:

  • Intellectual property, proprietary assets, information protected by non-disclosure agreements including contractual fines if information gets disclosed
  • Architectural drawings / specifications, building schematics and blueprints
  • Compromised core systems (finance and accounting, logistics, communications) and as a consequence theft of funds, loss of contracts and contractual penalties
  • Business interruption events, literally paralyzing a company partly or in whole
  • Loss or theft of confidential information
  • Third party liability arising from any of the above
  • Loss, theft or extortion of funds
  • Reputational risk

To illustrate cyber claims examples in the construction industry, we consider the following units of a construction company and claims we have observed:

Recent media coverage of incidents only supports our illustration. In October 2018, for instance, Ingérop was the victim of a cyber attack in which the perpetrators were able to obtain documents relating to nuclear plants, jails/correctional facilities and railway lines. The breach comprised 65 gigabytes, including the exact locations of video surveillance intended for use in a French high-security prison, as well as plans for a final disposal site for nuclear waste and sensitive details on more than 1,200 employees of Ingérop.

Two of the largest construction companies in Austria were affected recently as well. In one instance in 2020, the company’s communication system was affected internationally, including encryption of files on network drives, ultimately rendering the company unable to act for several days, while the actual impairment of operations (and, correspondingly, increased IT costs) went on for several months thereafter. The second well-known incident in Austria was a phishing email disguised under the title “Information on the Corona Virus”. In this case, the actors gained access to the data of the project owner, a municipality, and consequently tried to extort them.

Also in 2020, a ransomware attack on Bouygues meant that internal applications, the intranet and the email system had to be taken offline, and even phone services failed intermittently. The hacker group Maze subsequently demanded 10 million EUR in ransom. The attack presumably originally affected only part of the system in Toronto and Montréal, and then spread to systems worldwide.

Do you need insurance?

It is an entrepreneurial decision which risks to take and which ones to transfer. The cyber arena presents exposures which simply did not exist 5-10 years ago. And just as the business environment changes, so does the response of the companies that adapt to those changes.

As of today, insurance premiums are still low and wide coverage is available. In the wake of the numerous cyber incidents registered in recent times, however, premiums are bound to go up and covers to become more restrictive. Costs following a cyber breach can easily reach millions of Euros and, depending on the loss scenario, are composed of:

  • First party losses such as business interruption and the immediate costs of crisis management and first response, including technical experts and forensic experts
  • Third party losses stemming from legal liabilities such as the GDPR, including financial loss due to contractual penalties, and crisis communication requirements

As even the most advanced IT security cannot guarantee full safety (think of the recent SolarWinds hack, which even affected the source code of widely used Microsoft products, though the full extent is yet to be assessed), it seems prudent to install a safety net which will step in should security measures fail and which covers the worst-case scenario of company closure.

The question of when a cyber insurance policy is triggered has a simple answer:

  • Data breach: violation of data protection laws (e.g. GDPR)
  • Network security breach: targeted or non-targeted cyber attack (e.g. computer virus)
  • Operator error: error or omission that results in damage to data (e.g. programming error)
  • Technical failure: computer system malfunction (e.g. overheating)

The way ahead and how we can help

The evolution of technology will continue to shape value creation in construction. A conscious analysis will contribute to the resilience of the organisation and minimize the negative effects cyber incidents may have. GrECo Risk Engineering offers specialized services supporting the assessment of cyber exposures and the choice of adequate insurance levels. With CyberSolid, GrECo exclusively offers an insurance solution with extensive cover and a simple, easy application process.

Richard Krammer

Group Practice Leader Construction & Real Estate

T +43 664 810 29 63

Stephan Eberlein

Group Practice Leader Financial Lines

T +43 664 962 40 60