6 Reasons Construction Companies Need Cyber Insurance
The Changing Cyberattack Landscape
November 6, 2024
Cybersecurity is one of the most challenging issues facing companies today, and construction companies are not immune. Big business is no longer the big target. Cybercriminals aren’t just attacking technology companies, large credit card firms or healthcare systems that store personally identifiable information. Instead, bad actors are targeting any organization they feel they can breach.
It’s logical to think that introducing technology into the construction arena would only benefit the industry. Unfortunately, this is not always the case. Due to its heavier reliance on technology, the construction industry is becoming an increasingly valuable target for cyberattacks.
Stand-Alone Cyber Policy Protections
A properly structured stand-alone cyber policy provides coverage against financial losses associated with addressing a cyberattack—losses not typically covered by other policies. Here are six protections to consider:
- Ransomware: In a ransomware attack, bad actors encrypt files and lock your company’s network. They demand ransom, typically paid in cryptocurrency, in return for unlocking the network and not leaking data on the dark web. A cyber policy can provide money for the ransom and the hiring of a skilled negotiator.
- Social Engineering: Social engineering protection provides coverage for monetary loss caused by a person impersonating another and fraudulently providing instructions to transfer funds. While all companies are exposed to social engineering fraud, construction companies are especially susceptible due to the sheer number of third parties they work with (vendors, suppliers, subcontractors, etc.).
- Invoice Manipulation: Invoice manipulation occurs when a threat actor gains unauthorized access to an email account and uses it to trick customers and vendors into routing payment to an alternative banking institution. These scams are tricky because the insured’s client ultimately feels they already paid the invoice, even though it went to a fraudulent account. Luckily, a robust cyber insurance policy covers these types of losses.
- Missed Bid Coverage: As construction companies rely on software applications and online services to manage bidding, a cyberattack could prevent them from bidding on a project. Typically, these coverage offerings include forensic accounting services to determine the amount of profit that could have been earned if the bid had been submitted.
- Contingent Business Interruption: As many in the construction industry leverage artificial intelligence and robotics, they become reliant on these technologies to run their operations. If one of these providers were to fall victim to a cyberattack and their technology became inoperable, a properly structured cyber insurance policy would help replace any lost revenue.
- Incident Response: Where do you turn if your business suffers a cyberattack? With whom do you partner? How long do you have before you must notify individuals? Incident response coverage gives you access to data breach attorneys, forensic experts, public relations consultants and other services.
Cybersecurity Trends
Be aware of the following trends being seen in the construction industry:
- Double Extortion: Organizations have become better at protecting and backing up their cyber networks. For a bad actor, this means that a simple ransomware attack may not be successful; the target company may be able to continue functioning without paying the ransom. So, criminals have evolved and are launching "double extortion ransomware attacks" where, in addition to locking the network, they steal and threaten to release sensitive data unless the ransom is paid.
- Supply Chain Attacks: A data supply chain attack, sometimes called a value chain attack or third-party attack, occurs when a bad actor infiltrates a company’s information technology system through a third party. Today, you must not only manage your internal network but also understand who has access to it and what you can do to minimize and potentially prevent a cyber event.
- Contingent Business Interruption Claims: With the CDK Global attack that impacted vehicle dealerships and the CrowdStrike update outage, we are seeing the impact that one company going down from a cyber event can have on an entire industry. Given the complex supply chains that construction companies can have, it is imperative to have this coverage in place to protect against a dependent business becoming inoperable due to a cyberattack.
- Operational Technology: Since 2022, attacks targeting operational technology have increased considerably. Historically, only nation-state-backed threat actors were known to target operational technology, but recently, there has been a spike in attacks from hacktivist groups. This makes sense given the advancements in generative AI, which make conducting sophisticated cyberattacks on operational technology easier.
Construction Industry Claim Examples
What do cyber risks look like in the construction industry? Here are two examples.
Turner Construction: Fake IT Workers Infiltrate Systems
Turner Construction fell victim to a cyberattack in which attackers posed as IT support to access company systems and steal sensitive project and client data. The attack, involving Ryuk ransomware, forced the company to take systems offline, leading to significant financial losses from legal fees, regulatory penalties and business interruption. Recovery from the attack also incurred substantial operational costs.
Bouygues Construction: Cyberattack Delays Projects
French construction company Bouygues was the victim of a cyberattack in which 200GB of data was held for ransom. This event delayed various projects, as Bouygues had to shut down various operational systems to stop the attack from spreading.
Helping You Understand Your Risks
Hylant’s cyber experts assist manufacturers in identifying risk from an insurance perspective. We help you understand the probability of something happening, quantify the impact, and create a plan for protecting your people, assets and company finances.
The above information does not constitute advice. Always contact your insurance broker or trusted advisor for insurance-related questions.
Authored by
Bobby Platten
Risk Advisor
Cleveland
With 12 years of underwriting experience, Bobby has developed a deep expertise in assessing and mitigating digital risks for businesses. He excels at crafting tailored solutions to complex Cyber Insurance issues.