The reputational and financial damage from a successful cyber-attack can be significant and construction firms need to make sure they have sufficient cover.
The concept of risk and how to mitigate it is well appreciated in the construction industry.
Appropriate design-and-build insurance policies have been developed to provide cover for a range of risks, from professional negligence to health and safety.
Yet the growing threat from cyber-attacks has emerged as a potential blind spot, with many firms unaware that their existing insurance policies are unlikely to cover them if the worst should happen. And with the construction sector becoming increasingly digital, it’s more important than ever for contractors to make sure they are adequately protected.
Reasons for protection
It’s a learning curve that requires reflection and resources on the part of the industry.
Intellectual property and data – arguably among a contractor’s most valuable assets – are all now fully digitised, while new ways of working have also increased the industry’s risk profile.
The proliferation of BIM as a standard way of working creates enhanced risk. If one party using a collaborative BIM platform falls victim to a cyber-attack, the risk of it being passed on to partner organisations increases. This can dramatically increase the potential liabilities faced by the firm that was initially attacked, alongside its own financial losses from business disruption or the cost of an IT rebuild.
According to a new study from the insurance market Lloyd’s of London, a major cyber-attack could create business losses of between £3.5bn and £40.5bn, depending on its severity. The potential damage to individual businesses is therefore huge, underlining the need to have appropriate insurance cover in place.
Specialist cyber liability cover is readily available but it can’t be a passive purchase, and construction businesses need to work with insurers and specialist brokers to secure the right level of cover to make sure they’re protected.
Covering comprehensively against a cyber-attack is inherently complicated. Every firm’s digital assets, infrastructure and governance are different, so the more cookie-cutter policies appropriate to other forms of cover do not apply.
For a cyber liability insurance policy to provide adequate cover, it has to be composite in nature. When a home is insured properly, the value and specifics of its contents are considered separately. Insuring a firm against a cyber-attack follows exactly the same principle.
Undertaking a thorough risk and needs analysis, with the support of trusted advisers, will help construction firms work with the insurance and brokerage communities to secure a tailored policy that fits their organisation. This process will be different for every operation, but there are a couple of basic steps every management team can take as a first port of call.
Thorough digital asset audits
Insurers need to have a comprehensive view of a contractor’s digital assets to provide a sufficient level of cover. A digital asset audit will facilitate this by mapping out a firm’s IT infrastructure, while highlighting any gaps in its existing cyber-security strategy.
The audit should look at how digital assets are stored, who is managing them, what that management process looks like, and the operational and technical measures in place to protect them.
Cyber governance policies
Construction firms should have a robust cyber governance policy in place, with the full buy-in of staff at every level of the business. It should outline how digital assets are handled internally, as well as effectively communicating the importance of cyber-security.
Insurers are likely to expect this as standard when deciding to cover a business against cyber threats.
The pace of technology is prompting insurers to move away from the provision of off-the-shelf cover in general. Bespoke policies are now needed to make sure increasingly complex businesses, operating in every sector, are properly protected against a range of modern threats. Collaboration and proactivity are key in this regard.
The onus is now on both the construction and insurance communities to work together to create policies that will evolve in line with the rise of increasingly sophisticated cyber-criminals.
Ed Lewis is a partner and cyber liability insurance expert at Weightmans