Industry Spotlight: Construction

Historically, construction has not been as high profile a target for cyber criminals as other sectors. That is changing. With increasing adoption of technology, fragmented industry structure, and expanding attack surfaces, construction companies must elevate their cyber defenses to match the growing threat.

This Industry Spotlight from AXIS Global Cyber & Technology focuses on cyber exposures impacting construction companies throughout the supply chain drawing lessons from real-world incidents and offering practical steps to build resilience.

Cyber Exposure Characteristics in Construction

Financial gain is a prime motivator in the construction sector with 85% of attacks criminally motivated according to a PWC report¹. However, theft of intellectual property is clearly also a major factor

Fragmented industry: The sectors’ ability to defend itself is a challenge beginning at the top illustrated by a UK Government study from 2023² reporting that only 21% of construction companies had board representation for cyber security roles. It’s an industry dominated by a small number of very large organizations supported by thousands of small firms with vastly differing approaches to cyber security.

Technological penetration: The increasingly rapid shift to technology presents risks throughout the sector. From a burgeoning market for cloud-based project management software to the elevated malware risks presented by accessing data remotely via mobile devices.

Expanding technology landscape: Smart devices being used daily by tradespeople, survey drones, biometric time clocks, and sensors all introduce new vulnerabilities. A feature of the sector is that often temporary workers are deployed and paid on an hourly basis. This brings with it new monitoring devices and data transmission including IoT sensors on equipment and resulting rich data.

Payment structures: Complex supply chains within large projects, demanding deadlines and staged payments make BEC attacks on accounting functions a highly effective target without robust security measures in place.

Steps to Build Resilience and Manage Risk

The construction sector will continue to become a more significant target for cyber threat actors as technological advancements increase at pace. Consequently, it has never been more vital to shore up defenses:

1. Address historic complacency with appropriate representation of cyber security roles at board level
2. Recognize the critical requirement for improved patch management cadence
3. Deploy strategies for security of mobile and IoT devices throughout the supply chain
4. Train staff on phishing and BEC threats
5. Implement strong access controls and network segmentation
6. Maintain secure backups and incident response plans

Broker Considerations for Construction Cyber Risk Submissions

Cyber risk in the construction sector is evolving fast, and brokers play a critical role in helping customers present strong submissions to underwriters. Construction firms face unique challenges: fragmented operations, mobile workforces, and increasing reliance on digital tools, all of which introduce cyber vulnerabilities that insurers scrutinize closely.

Key areas brokers should highlight in submissions:

• Operational Complexity and Cyber Hygiene Underwriters want to understand how the firm operates across sites and how it manages cybersecurity across permanent and temporary staff. Emphasize any mobile device management, secure remote access, and segmentation between IT and OT systems.
• Technology Use and Risk Controls Construction firms increasingly use cloud-based project tools, biometric time clocks, and drones. These innovations are great, but only if supported by strong patching practices and access controls. Make sure customers can demonstrate how they secure these technologies.
• Governance and Training For larger firms, underwriters look for board-level oversight and regular staff training, especially around phishing and business email compromise. Highlight any formal governance structures and awareness programs.
• Financial Controls and Supply Chain Risk Staged payments and subcontractor networks are prime targets for fraud. Underwriters will expect robust verification protocols, multi-factor authentication, and clear financial workflows. Help customers articulate these controls clearly.
• Data Protection and Incident Response Legacy systems and poor data governance can be red flags. Ensure customers have documented incident response plans and can demonstrate how they protect sensitive design or engineering IP.

Final Tip for Brokers

Encourage customers to treat cyber risks like any other operational risks, proactively and strategically. A well-prepared submission that shows how the firm balances innovation with security not only improves insurability but can also lead to more competitive terms.

Conclusions

Construction is undergoing a digital transformation, but cyber defenses have not kept pace. As ransomware and BEC attacks rise, the sector must prioritize cyber hygiene and resilience. Cyber insurance and risk management strategies must reflect the unique exposures of construction, where fragmented operations and high-value payments create fertile ground for cyber threats.

---

Sources

• ¹https://www.pwc.com/gx/en/issues/cybersecurity/cyber-threat-intelligence/cyber-year-in-retrospect.html
• ²https://www.gov.uk/government/statistics/cyber-security-breaches-survey-2023/cyber-security-breaches-survey-2023

Disclaimer

This material is provided for informational purposes only and is not an offer to sell, or a solicitation to buy, any particular insurance product or service for a particular insured. It is intended for licensed insurance professionals. Cyber incident examples may be based on actual cases, composites of actual cases or hypothetical claim scenarios and are provided for illustrative purposes only. Facts may have been changed to protect the confidentiality of the parties. Whether or to what extent a particular loss is covered depends on the facts and circumstances of the loss, the terms and conditions of the policy as issued, and applicable law.

The practices, services or service provider(s) discussed herein are suggested as risk mitigation or incident response resources only. Use of any practice, service or service provider does not guarantee the performance or quality of the services provided, including the avoidance of loss, the fulfilment of any obligations under any contract, or compliance with any law, rule, or regulation. AXIS is not responsible for the effectiveness of a cyber risk management program and encourages each policyholder, together with advice from their professional insurance advisor, to perform its own independent evaluation of any practice, service or service provider as part of its overall risk management strategy.

For information about our products and underwriting companies, please see https://www.axiscapital.com/product-information