Cyber Exposure in the Construction Industry – Important Things to Keep in Mind

Rarely a week goes by without a cybersecurity incident at a large company making headlines. Despite this, 60% of all cyber-attacks are on small to midsize companies. Connected devices are expected to grow from 31B in 2021 to 75B in 2025, which is 44 billion more devices for hackers to attack. Cybercrime is one of the great transfers of wealth in history, having a larger impact than the damage caused by natural disasters. For ransomware attacks, the average ransom payment in 2020 was $170,000 and is increasing daily (this does not include significant downtime and other ancillary costs for the company). Even this may be understated, because so many ransomware payments go unreported due to the majority of payments being made in bitcoin (which is largely untraceable).

So, you can see why cyber liability should be high on your radar.

Why Cyber should be Higher on the Construction Industry’s Risk Agenda

The construction industry is embarking on a period of rapid digitization, with technology increasingly being embraced both for project modeling and day-to-day operations. The construction industry’s workforce is fluid; many construction industry employees work in the field, using laptops, smartphones, and tablets rather than traditional office environments. Virtually all companies in the construction industry rely on IT networks, software applications, payroll information, and sharing of bids, blueprints, employee records, and financial information.

Types of Cyber Attacks

Social Engineering: This is one of the leading cyber attacks in the construction industry. It involves cyber attackers impersonating senior management and key vendors.

  • Business Email Compromise (BEC): The criminal’s goal is to convince victims to wire funds or provide sensitive information that can be monetized.
  • Phishing is the most common social engineering attack. Hackers are adopting more sophisticated methods of distributing convincing fake messages.

Ransomware: This is a form of malware that targets both humans and the technical weaknesses in an organization’s IT infrastructure. Victims are lured into opening malicious links or attachments containing this form of malware. This often results in all files becoming encrypted and inaccessible, and it can affect smartphones and other devices. The victim receives a pop-up message demanding that a ransom be paid before the decryption key is provided. Over the past year, ransomware has become the attack of choice for hackers.

Although there are several other types of cyber-attacks, these two are the most common.

Cyber Liability Insurance (Cyber Risk Transfer)

One way to transfer cyber liability exposure is through insurance (a cyber liability insurance policy). This is a tailor-made policy that addresses specific types of cybercrimes. There may be limited cyber insurance coverage in other policies, such as general liability, property, commercial crime, and professional liability policies, but those coverages are often very restricted, with small sub-limits. There are currently over 200 different cyber insurance policies in the market, and premiums and coverages are all over the place: without the historical claim data used to price other risks, pricing cyber insurance is difficult. Every cyber policy is different in coverage and, at an average of 90 pages, can be complex to read, understand, and interpret as to the intent of a coverage trigger. Cyber insurance underwriters are requiring more internal security controls and backup and recovery policies to be in place before quoting to companies. Pricing cyber policies is a moving target. Premiums and deductibles were low at the onset of cyber insurance, but that is rapidly changing with the increased claims activity and higher ransom payments.

Cyber insurance coverage should at least provide the following:

  1. Your liability to others (also known as third-party claims; includes defense costs, damages/settlements, and any regulatory actions filed against you)
  2. Data breach response (pays your costs to engage forensic and legal experts and to notify affected individuals)
  3. Ransomware (pays the ransom and expert negotiators with immediate access to bitcoin, and pays your loss as a result of business interruption)
  4. Loss of funds (from wire fraud and social engineering/phishing losses)
  5. Regulatory fines and penalties (where insurable; different states have different laws on insuring fines and penalties)

In summary, as it relates to cyber liability insurance: if you have not had discussions with your insurance professional about this, or if you already have cyber insurance and have not reviewed its coverages and limits of liability, the time to do so is now. It’s not a matter of if, but when, a cyber attack occurs. According to one cybersecurity expert, cyber-attacks are so common now that they are no longer an anomaly, but the norm. Be prepared.

Written by: Ron Thompson, Executive Vice President, Commercial Lines Producer