Cyber Risks

Construction is feeling the threat of cyberattacks.

By Nick Cushmore and Ian Mitchell

Without question, the number of cyberattacks is on the rise. Both companies and professionals in a variety of markets are experiencing growing threats, and the construction industry is no exception.

In fact, a recent PropertyCasualty360 article cited a Forrester survey that found that 75 percent of respondents in the construction, engineering and infrastructure industries had experienced a cyber incident within the last 12 months. Despite this, professionals working in the construction industry – whether an executive at a firm, a project manager or a contractor – still have the mindset that they are not vulnerable and therefore have made little investment in cybersecurity. 

The problem is that hackers typically look for the low-hanging fruit. In addition, hackers are often thinking two steps ahead and are targeting companies with weak cybersecurity as “stepping stones.” That is, they are going after companies not for the information they hold specifically, but because they are the gateway to a bigger prize.

There are two recent examples that can help put this into context. The first is the highly publicized Target breach, which exposed credit card and personal data for over one hundred million consumers. KrebsOnSecurity reported that the cyberattack was the result of an email phishing attack against employees at an HVAC firm that did business with Target and had connections to the retailer’s billing system.

The second example occurred when the United States electric grid was hacked. In a recent article published in The Wall Street Journal, it was reported that this hack was a product of cyberattacks on hundreds of small contractors, who believed they did not need to be on guard against such threats. The Wall Street Journal reported that hackers were able to gain access to the network by targeting contractors with tainted attachments. 

These instances demonstrate two points: (1) how hackers are going after easy entry points in order to prod their way into larger organizations with more valuable information, and (2) how smaller companies can be conduits to huge cyberattacks. Both situations show how the construction industry plays a part in massive cyberattacks. 

In addition to these specific examples, another emerging threat is ransomware attacks. These attacks typically happen through an email phishing campaign, where hackers will deploy malware and encrypt all the data on the victim’s system, rendering the system useless. The hacker then asks for ransom in exchange for releasing the data. While these attacks may not seem as serious, they can impact construction operations by denying access to important electronic documents – such as plan designs, CAD drawings or bid specifications – resulting in project delays and cost overruns. In addition, an article published by AXA XL notes that ransoms have increased to an average of $30,000 to $50,000, which can be a significant, and unexpected, financial hit to the overall construction project. 

The message here is clear: Those working in the construction industry need to be aware that cybersecurity threats are on the rise and should be taking necessary precautions to address risk. The unfortunate reality today is that it’s not if you’re going to get hacked, it’s when.

So where should you start in order to mitigate potential risks? While 100 percent security is unachievable, there are measures that can be put in place to help protect against cyber threats and to reduce the damage when a breach occurs.

Investing in cyber liability insurance is at the top of the list for all construction firms. Should a breach occur, cyber liability insurance becomes invaluable for protecting the company from the financial pain and reputational damage associated with the attack. Policies include coverage for both first- and third-party expenses, such as the costs of: hiring a PR firm to help manage messaging to the public; engaging a forensics investigator to understand what caused the attack; the notification process of alerting those impacted by the incident; the data restoration procedures; and any filed lawsuits associated with the breach. 

The good news is that the time to invest in cyber insurance has never been better. PwC reported that the annual gross written premiums of cyber liability policies are over $5 billion, with the market expected to grow to $7.5 billion by 2020. As the number of cyberattacks continues to increase, the cyber liability insurance marketplace has followed suit. AXA XL, in the same article mentioned earlier, writes that over 170 carriers are now offering a cyber insurance product. Not only has this led to cheaper pricing as more and more carriers try to gain market share, but the coverage terms are also broadening. Cyber policies typically cost between $8,000 and $10,000, which is well worth the investment when compared to the costs of a cyberattack.

With so many options, though, it is important to engage an insurance carrier that has been providing cyber products for a significant amount of time and can offer ancillary cyber risk management services. Such services should include employee training in cybersecurity, annual penetration tests and a consultation with a “breach coach” who will help create a cyber breach response plan or revise an existing one. Certain carriers are now offering cyber policy holders these services, valued at $25,000 or more, at no additional cost. These added services help you get the most bang for your buck and will enrich your overall cyber practices.

Consulting your insurance broker as a trusted partner can also be valuable in identifying the appropriate carrier and cyber policy tailored to your company’s specific operational risks.  

Ian Mitchell is a producer at Graham Company. In his position, Mitchell is responsible for business development in the Washington, D.C., Metro Area, focusing on the construction and health & human services industries.

Nick Cushmore is an assistant vice president at Graham Company and leader of the company’s Cyber Practice Group. In his role, Cushmore acts as a technical resource for the development and training of new producers, participates in continuing education seminars and performs audits for new business quality assurance.

