Industry Spotlight: Construction
Historically, construction has not been as high profile a target for cyber criminals as other sectors. That is changing. With increasing adoption of technology, fragmented industry structure, and expanding attack surfaces, construction companies must elevate their cyber defenses to match the growing threat.
This Industry Spotlight from AXIS Global Cyber & Technology focuses on cyber exposures impacting construction companies throughout the supply chain drawing lessons from real-world incidents and offering practical steps to build resilience.
Cyber Incidents Impacting the Construction Industry
Ransomware Attacks
Construction firms are vulnerable to ransomware attacks that encrypt systems and halt operations, often accompanied by large ransom demands.
Examples
- A contractor was forced to take its systems offline after a ransomware infection to prevent further spread
- A construction materials supplier suffered damages due to a widespread ransomware worm
- Multiple firms were targeted by ransomware groups demanding millions, resulting in week-long outages and operational disruption
- A building materials supplier had to shut down systems for an undisclosed period following a ransomware incident
Threat Methods
- Phishing emails with malicious attachments or links
- Exploited vulnerabilities in remote desktop protocols
- Malware propagation via network worms
- Lack of segmentation between IT and OT systems
Intellectual Property Theft
Cyber espionage targeting proprietary design data can result in significant competitive and financial losses.
Example
- A construction division reported theft of intellectual property related to cement plant designs, originating from a cyber-attack
Threat Methods
- Unauthorized access to design repositories
- Targeted malware
- Weak perimeter defenses
- Insider threats
Business Email Compromise (BEC) and Financial Fraud
Construction companies are frequent targets of email fraud schemes, leading to unauthorized fund transfers.
Examples
- A construction group unknowingly transferred money to a hacker posing as a legitimate contact
- A developer paid a fraudulent “sub-contractor” via a spoofed email
Threat Methods
- Spoofed email addresses
- Social engineering tactics
- Lack of Multi-Factor Authentication
- Poor verification protocols for financial transactions
Data Breaches and Regulatory Penalties
Exposure of personal data can lead to legal consequences and substantial fines under data protection regulations.
Example
- A construction firm received a substantial fine for a breach involving personally identifiable information
Threat Methods
- Inadequate data protection measures
- Unpatched systems
- Poor access controls
- Lack of encryption
Cyber Exposure Characteristics in Construction
Financial gain is a prime motivator in the construction sector with 85% of attacks criminally motivated according to a PWC report1. However, theft of intellectual property is clearly also a major factor
Fragmented industry: The sectors’ ability to defend itself is a challenge beginning at the top illustrated by a UK Government study from 20232 reporting that only 21% of construction companies had board representation for cyber security roles. It’s an industry dominated by a small number of very large organizations supported by thousands of small firms with vastly differing approaches to cyber security.
Technological penetration: The increasingly rapid shift to technology presents risks throughout the sector. From a burgeoning market for cloud-based project management software to the elevated malware risks presented by accessing data remotely via mobile devices.
Expanding technology landscape: Smart devices being used daily by tradespeople, survey drones, biometric time clocks, and sensors all introduce new vulnerabilities. A feature of the sector is that often temporary workers are deployed and paid on an hourly basis. This brings with it new monitoring devices and data transmission including IoT sensors on equipment and resulting rich data.
Payment structures: Complex supply chains within large projects, demanding deadlines and staged payments make BEC attacks on accounting functions a highly effective target without robust security measures in place.
Steps to Build Resilience and Manage Risk
The construction sector will continue to become a more significant target for cyber threat actors as technological advancements increase at pace. Consequently, it has never been more vital to shore up defenses:
- Address historic complacency with appropriate representation of cyber security roles at board level
- Recognize the critical requirement for improved patch management cadence
- Deploy strategies for security of mobile and IoT devices throughout the supply chain
- Train staff on phishing and BEC threats
- Implement strong access controls and network segmentation
- Maintain secure backups and incident response plans
Broker Considerations for Construction Cyber Risk Submissions
Cyber risk in the construction sector is evolving fast, and brokers play a critical role in helping customers present strong submissions to underwriters. Construction firms face unique challenges: fragmented operations, mobile workforces, and increasing reliance on digital tools, all of which introduce cyber vulnerabilities that insurers scrutinize closely.
Key areas brokers should highlight in submissions:
- Operational Complexity and Cyber Hygiene Underwriters want to understand how the firm operates across sites and how it manages cybersecurity across permanent and temporary staff. Emphasize any mobile device management, secure remote access, and segmentation between IT and OT systems.
- Technology Use and Risk Controls Construction firms increasingly use cloud-based project tools, biometric time clocks, and drones. These innovations are great, but only if supported by strong patching practices and access controls. Make sure customers can demonstrate how they secure these technologies.
- Governance and Training For larger firms, underwriters look for board-level oversight and regular staff training, especially around phishing and business email compromise. Highlight any formal governance structures and awareness programs.
- Financial Controls and Supply Chain Risk Staged payments and subcontractor networks are prime targets for fraud. Underwriters will expect robust verification protocols, multi-factor authentication, and clear financial workflows. Help customers articulate these controls clearly.
- Data Protection and Incident Response Legacy systems and poor data governance can be red flags. Ensure customers have documented incident response plans and can demonstrate how they protect sensitive design or engineering IP.
Final Tip for Brokers
Encourage customers to treat cyber risks like any other operational risks, proactively and strategically. A well-prepared submission that shows how the firm balances innovation with security not only improves insurability but can also lead to more competitive terms.
Conclusions
Construction is undergoing a digital transformation, but cyber defenses have not kept pace. As ransomware and BEC attacks rise, the sector must prioritize cyber hygiene and resilience. Cyber insurance and risk management strategies must reflect the unique exposures of construction, where fragmented operations and high-value payments create fertile ground for cyber threats.
Sources
Disclaimer
This material is provided for informational purposes only and is not an offer to sell, or a solicitation to buy, any particular insurance product or service for a particular insured. It is intended for licensed insurance professionals. Cyber incident examples may be based on actual cases, composites of actual cases or hypothetical claim scenarios and are provided for illustrative purposes only. Facts may have been changed to protect the confidentiality of the parties. Whether or to what extent a particular loss is covered depends on the facts and circumstances of the loss, the terms and conditions of the policy as issued, and applicable law.
The practices, services or service provider(s) discussed herein are suggested as risk mitigation or incident response resources only. Use of any practice, service or service provider does not guarantee the performance or quality of the services provided, including the avoidance of loss, the fulfilment of any obligations under any contract, or compliance with any law, rule, or regulation. AXIS is not responsible for the effectiveness of a cyber risk management program and encourages each policyholder, together with advice from their professional insurance advisor, to perform its own independent evaluation of any practice, service or service provider as part of its overall risk management strategy.
For information about our products and underwriting companies, please see https://www.axiscapital.com/product-information