Media Center


Construction Attracting Cybercrime: Protecting Your Risk and Mitigating Damage

Zachary Zenger June 12, 2018

Criminals prefer easy targets. Therefore, it stands to reason that industries slow to implement proper cyber security measures are among the easiest targets for cyber criminals to infiltrate. Construction has lagged behind other industries in its adaptation of technology solutions and as a result, is a favorite cyberattack target.

Two of the specialties of Oswald’s construction practice are understanding construction vulnerabilities to cybercrime and finding solutions to protect against losses that can derail construction projects. Our professional risk managers know the coverages that best transfer risk from the construction company to the insurer. We understand the balancing act between getting a complex job done on time and on budget, while also protecting valuable company assets.

Real Risk and Real Loss
From large construction companies to small contractors, the impact of cyberattacks can be devastating. With the average cost for each lost or stolen record containing sensitive and confidential information reaching $141 per record in 2017, according to an IBM study, it is easy to see that a cyberattack can have a significant impact on an organization’s bottom line. Consider the effect when the names and Social Security numbers of 566 current and past Turner Construction Co. employees were inadvertently sent to a fraudulent email address.

Construction Attracting Cybercrime

While stolen personal information can be devastating to individuals and employers alike, cyber criminals who target construction companies hope to gain intellectual property, competitor information, financial information and more. If any of these data points are compromised, it could result in lost revenue and reputational harm for the construction firm.

Ideal Prey
The construction industry is especially attractive for a variety of reasons that are not as applicable to other industries. One breach can steal or damage intellectual property, architectural drawings, job specifications and financial data from clients and vendors, sensitive company information, employees’ personal data such as social security and account numbers.

As the technology evolution grows at faster rates in Construction, cyber criminals know:

  • Many contractors lack the resources, knowledge or time to fully implement the strong security measures and to keep up-to-date with the evolving world of cybersecurity. Many assume it “won’t happen to them.”
  • Construction companies collect and access a lot of data from many sources. This robust information base provides “one-stop shopping” for cyber criminals.
  • Many contractors believe that their businesses are too small or too large to be hacked.

a. In reality, more than 50 percent of cybercrimes hit small businesses and 60 percent of small businesses that are hacked go out of business in six months.

b. Large contractors are also at risk. Turner, AECOM and Whiting-Turner have been all been victims of cybercrime.

Construction Attracting CybercrimeTypes of Attacks
Whether a cyberattack occurs as a result of hackers infiltrating a company’s network or due to human error internally within an organization, contractors face exposures associated with the following categories:

Data breaches
An intentional or unintentional release of secure or private/confidential information to an untrusted environment.

Malfunction of, or injury to, computers
Unauthorized access, destruction, disclosure, modification of information, and/or denial of service brought about by an event that can negatively impact organizational operations, organizational assets, or individuals through an information system.

Construction Attracting CybercrimeFailure of electronic or communication system
The shutdown or partial shutdown of a system caused by an event or sequence of events.

Data breaches for contractors are most often the result of lost laptops or other mobile devices, hacked systems, malicious code from an external source, loss or improper disposal of paper records, and failure to maintain electronic backup(s).

Complex Coverage to Mitigate Damage
The cyber landscape changes every day and it is becoming more and more impractical to think that these risks can be avoided at all times. In addition to implementing internal steps to lessen risk and improve cybersecurity, contractors need to mitigate risk if and when a cyber attack occurs.

Over the past few years, various types of cyber insurance have multiplied and evolved. These policies allow the cost of damages to be transferred from the contractor or construction company to the insurance carrier. Cyber liability policies are not standardized from one carrier to the next and can have wide variations in coverage and cost.

In general, cyber coverages can offer protection when certain types of cybercrime cause:

  •  Loss of Personally Identifiable Information
  • Damage to an external system or failure to protect third party intellectual property
  • Business Interruption if a cyberattack causes a quantifiable loss in revenue
  • Systems Failure or any unplanned and unintentional outage of your system
  • Extortion demands from hackers who infiltrate and render systems useless until they have received a ransom payment. Payment is most frequently requested in the form of a cryptocurrency.

These policies are complex and underwritten specifically to the exposures associated with cybercrime. Because cybercrime and legislative protections continue to change at an accelerated pace, these policies continue to evolve almost weekly as well.

A professional risk manager can help determine the best policy for specific needs. In addition to knowing the market, the key carriers, and remaining up to date with market standard coverages, your risk manager should also review and tailor a policy to your organization’s appropriate limits, retentions, outsourced vendor protections, and other specific policy provisions.

It’s Not Too Late

If your construction firm already has cyber protection in place, it is time for a review as exposures and coverages change rapidly. If your firm has not considered cyber protection, it is time to get coverage in place. Either way, Oswald can help. We partner with contractors and their business at any stage of development and across the spectrum of size and sophistication.

Here at Oswald, we know that contractors and construction companies face increasing cybercrime exposures every day. Mitigating damages and protecting contractors is our business and our goal.

If you’d like to learn more, get expert advice and creative coverage solutions to protect your construction business, contact:

Zachary ZengerZachary Zenger
Client Manager
Property & Casualty, Executive Risk


Kim FerenchakKim Ferenchak
Vice President
Director, Executive Risk

Note: This communication is for informational purposes only. Although every reasonable effort is made to present current and accurate information, Oswald makes no guarantees of any kind and cannot be held liable for any outdated or incorrect information. View our communications policy.