Skip to main content

Client alert: Is the construction industry next for hackers?

Cyber Risk Management|Financial, Executive and Professional Risks (FINEX)

September 22, 2020

As the industry has adopted technology for project planning and operations, construction is at risk for cyberattacks.

In 2019, we witnessed manufacturing and government entities fall victim to aggressive ransomware attacks. Strains of ransomware with names like REvil and Ryuk, caused major disruptions to company operations, with recovery sometimes lasting weeks and even months.  While cyberattacks have shown no signs of slowing down in the age of COVID-19, it begs the question: which industry is the next target? Could it be the construction industry?

Even though construction has undoubtedly slowed over the last several months, most major city skylines are still dotted with construction cranes, and many of our highways continue to be under construction. While we may complain about the inconvenience these construction projects have on our personal lives, construction is good in the long run and typically the result of a healthy economy, which we hope to see improve once we enter 2021. 

As the construction industry has largely turned to technology for project planning and operating heavy equipment, it is important to address the cyber exposures that come with this technology reliance. Although technology creates efficiency in building projects and procurement, it also presents significant risk to a construction organization if faced with a cyberattack. In addition to causing project delays, cyberattacks may also lead to a company losing live bids, cause reputational harm, result in bodily injury and property damage claims, or lead to downstream contractual penalties. 

If a construction company is forced to respond to a cyberattack and does not have a cyber policy in place, will they be adequately protected? It is important to recognize that in an effort to avoid silent cyber coverage, many general liability and property carriers are starting to add cyber exclusions. While construction professional liability policies may include some limited cyber coverage, it is unlikely that all first and third-party cyber losses will be addressed.

It is important for a broker to tailor a cyber policy to the insured’s specific risks and exposures. Analytic and benchmarking tools should first be utilized to determine the appropriate limits for a company’s size and exposures.  Further, adequate steps should be taken to ensure coverage for all losses stemming from a cyberattack. A traditional cyber insurance policy generally only provides coverage for third-party liability for claims arising out of a security, privacy or media event, and for certain first party loss, including breach event costs, cyber extortion loss and business income loss arising out of a business or network interruption. An enhanced cyber policy specifically geared to the exposures faced by a construction company may also include bodily injury and property liability coverage, coverage for losses arising out of the reputational harm a cyber event can inflict, expansions to business interruption coverage to include downstream contractual penalties and losses arising from missed bids due to a cyber event, and cyber-crime coverage.

In addition to having a risk transfer strategy in place, properly training employees to recognize potential cyber risks such as suspicious emails, and to think before clicking on a link, is another essential step for every organization. Employees need to understand that they play a critical role in a company’s cyber security. Further, making sure key third-party vendors carry their own cyber coverage and maintain adequate levels of cyber security, will minimize cyber risk to a company.

Finally, it is important for an organization to have an incident response plan in place and to practice it regularly. Company decision makers should know their role during a cyber event, so that panic does not ensue during what will undoubtedly be a stressful time. Part of the incident response plan will be establishing which cyber expert vendors will be utilized when the time comes and identifying the individual within the company who will determine whether or not to pay a ransomware demand.

The current climate has only exacerbated the likelihood of a cyberattack, which have become more aggressive and disruptive to all industry classes, including construction. In order to lessen the impact to operations, it is more important than ever to have tailored cyber insurance coverage in place, properly training your employees and ensuring that an incident response plan is in place and practiced.


Willis Towers Watson hopes you found the general information provided in this publication informative and helpful. The information contained herein is not intended to constitute legal or other professional advice and should not be relied upon in lieu of consultation with your own legal advisors. In the event you would like more information regarding your insurance coverage, please do not hesitate to reach out to us. In North America, Willis Towers Watson offers insurance products through licensed subsidiaries of Willis North America Inc., including Willis Towers Watson Northeast, Inc. (in the United States) and Willis of Canada, Inc.

Contact Us

Related Capabilities