Construction companies are facing a high risk of cyber attack: gain insight into how and why, and what to do to mitigate the risk and stay prepared and protected as cyber risks continue to grow.

As Australian construction companies adopt new technologies that enable greater efficiencies and project oversight, these same digital tools also expand their potential cyber attack surface, enabling criminal hackers to target their businesses. Our Gallagher cyber insurance experts examine how construction businesses can navigate the risks and challenges for the sector.

The use of technologies that enable access to information, such as the internet of things (IoT), electronic blueprints, client databases and communication systems, also makes sensitive business information vulnerable to security breaches.

The Australian Construction Industry Forum has recognised and warned the industry that it is a growing target for cyber criminals, threatening businesses' ability to keep construction projects on time and on budget [1].

In its annual cyber threat report, the Australian Signals Directorate (ASD) indicated that in the 2022‒23 financial year cyber incidents reported by critical infrastructure projects increased by 50% from the previous year [2]. The ASD reported that most incidents were characterised as low-level malicious attacks or isolated compromises.

About 57% involved compromised accounts or credentials; compromised assets, networks or infrastructure; and denial of service attacks, with an average cost of $46,000 for a small business, $97,200 for a medium-sized business and $71,600 for a large business [3].

Core cyber threats — how they occur

  • Ransomware: use of malicious software to disrupt computer operations, gather sensitive information or gain access to private computer systems.
  • Social engineering/funds transfer: the psychological manipulation of people into performing harmful actions or divulging confidential information.
  • System failure: unplanned network outage caused by an introduced system error.
  • Human error: while these incidents may lack malicious intent, the human element represents an inherent risk.
  • Insider threats: employees entrusted to access and process sensitive data may resort to criminal activity.

How construction businesses are vulnerable to cyber attack

Construction industry data is extremely valuable and remains a high priority target for hackers. Data privacy and security is a key area of vulnerability as construction projects involve holding sensitive information, such as architectural plans, financial information and personal details of workers.

Data breaches can result in:

  • unauthorised access to confidential client information (account numbers, credit/debit cards/loan information)
  • hacking, misconfiguration or failure of technology, including mobile devices, mobile platforms, cloud services and ATMs
  • ransomware demands
  • disruption to critical first and third-party information processing systems
  • damage to information assets
  • unauthorised access to employees' personally identifiable/health information
  • business email compromise (BEC)
  • theft of funds as a result of social engineering.

Case study 1: critical project management files rendered inaccessible

A construction company's network is hacked, enabling cyber criminals to encrypt critical project management files and demand a ransom for the decryption key.

The business's cyber security cover provides for engaging the services of a cyber incident response team to negotiate with the hackers to release the files, and also covers associated costs such as forensic investigation into system vulnerabilities, legal expenses (where third parties are involved) and potential business interruption losses.

Case study 2: social engineering sends false invoice demand

A construction company's accounts payable clerk receives an invoice that appears to be from a regular vendor requesting a change in payment details for an upcoming project. Recognising the trusted business partner, the clerk actions the request, which is in fact from a criminal hacker who has spoofed the sender's identity.

With cyber insurance the business can make a claim for stolen funds and access help with investigating the incident and implementing stronger security measures.

How cyber insurance can protect construction businesses

Cyber attacks can involve significant costs and down time for construction businesses, with the potential to derail projects. Cyber insurance can help cover expenses involved and provide access to expert help, from ransom negotiation to damage control.

Is your business protected against these cyber breach exposures?

  • Breach response costs
  • Privacy liability/network security liability
  • Privacy regulatory liability, and fines and penalties
  • Payment card industry data security standard (PCI DSS) compliance
  • PR/media liability
  • Business interruption/extra expense
  • Data recovery
  • Theft of funds (social engineering crime)
  • Reputational harm

Cyber risk mitigation advice and cyber insurance cover can help businesses address vulnerabilities and cover the costs involved with these exposures.

Our comprehensive approach to cyber insurance

The Gallagher cyber risk management approach to due diligence specifically helps our clients identify and prioritise key cyber risk concerns.

Our process is designed to understand current exposures and threats through an assessment of your cyber risk, which includes:

  1. identifying critical assets, vulnerabilities, gaps, and cyber preparedness
  2. increasing security governance, incident detection and protocols
  3. modelling of the financial impact of a cyber incident
  4. exploring risk transfer solutions via insurance to minimise balance sheet risk.

In addition to cyber insurance protection, Gallagher offers expertise, advice and resources for building business resilience to withstand cyber security incidents.


Disclaimer

Gallagher provides insurance, risk management and benefits consulting services for clients in response to both known and unknown risk exposures. When providing analysis and recommendations regarding potential insurance coverage, potential claims and/or operational strategy in response to national emergencies (including health crises), we do so from an insurance and/or risk management perspective, and offer broad information about risk mitigation, loss control strategy and potential claim exposures. We have prepared this commentary and other news alerts for general information purposes only and the material is not intended to be, nor should it be interpreted as, legal or client-specific risk management advice. General insurance descriptions contained herein do not include complete insurance policy definitions, terms and/or conditions, and should not be relied on for coverage interpretation. The information may not include current governmental or insurance developments, is provided without knowledge of the individual recipient's industry or specific business or coverage circumstances, and in no way reflects or promises to provide insurance coverage outcomes that only insurance carriers control.

Gallagher publications may contain links to non-Gallagher websites that are created and controlled by other organisations. We claim no responsibility for the content of any linked website, or any link contained therein. The inclusion of any link does not imply endorsement by Gallagher, as we have no responsibility for information referenced in material owned and controlled by other parties. Gallagher strongly encourages you to review any separate terms of use and privacy policies governing use of these third party websites and resources.

Insurance brokerage and related services to be provided by Arthur J. Gallagher & Co (Aus) Limited (ABN 34 005 543 920). Australian Financial Services License (AFSL) No. 238312