Cybersecurity Risks for the Construction Sector

Tysers Insurance Brokers


Construction companies have become an increasingly common target for cyber criminals in recent years, with several high-profile cyber-attacks, including those on UK-based Bam Construct and Interserve, who were contracted to build several NHS Covid Hospitals at the height of the pandemic.

A government study revealed that construction companies are among the most likely to fall victim to cyber-facilitated fraud. Despite this, the report also revealed that the construction sector is one of the least likely to have a range of cybersecurity controls in place, including board members or trustees who have responsibility for cyber security.

There are many serious operational, reputational and legal risks that need to be considered and, where possible, mitigated. A cyber-attack can cause severe disruption across the supply chain and may even impact suppliers or clients if malware spreads outside the company or confidential data is leaked.

Operational Risks

Ransomware attacks have become increasingly common, with many cyber criminals targeting key systems that businesses use in their day-to-day operations and to deliver services. The financial impact of an attack of this nature should not be underestimated: it can cause large-scale business disruption, particularly when users are locked out of crucial systems necessary for the progression or completion of a project.

Reputational Risks

If a cyber attack leads to a significant delay in project delivery or compromises your supply, this could cause considerable reputational damage, particularly if highly sensitive data is leaked, causing distress and/or financial losses for other businesses or individuals associated with your business.

Legal Risks

GDPR places the responsibility for data security and confidentiality on the business which holds and processes the data, including sensitive data about other businesses, employees and clients. If a data breach occurs, you may be liable to fines and penalties for breaching GDPR, even if the leak was the result of a cyber-attack.

If a data breach occurs, you may also be legally required to notify individuals whose data has been compromised, which in the case of large-scale breaches can be costly and time-consuming.



How do I protect my business against cyber-attacks?

Cybersecurity Measures

Robust cybersecurity is essential to protect your business, and it’s important to invest in cybersecurity measures regardless of business size or industry.

Implementing secure password policies which require strong passwords that are frequently changed can help deter ‘brute force’ password hackers. So can multi-factor authentication, which is one of the easiest steps that can be taken to protect data, as it makes it more difficult for cyber criminals to access systems. You can find out more about multi-factor authentication in our online guide.

It is equally important for your employees to have up-to-date training to stay ahead of the increasingly sophisticated methods used by cyber criminals. Some cyber insurance policies even offer cybersecurity training to help reduce the risk of claims caused by human error.


Incident Response & Business Continuity Planning

It is crucial that, in addition to having robust cybersecurity measures in place, you also have a cyber business continuity plan (sometimes known as an incident response plan) for cyber-related incidents, which seeks to minimise damage and disruption to the company and your supply chain. This incident response plan should cover a wide variety of scenarios, including ransomware attacks, data breaches and other cyber incidents, and set out how your business can continue operating during or after a cyber incident. You can learn more about cyber business continuity planning here.

Cyber & Crime Insurance

One way of mitigating the financial impact of a cyber attack or data breach is to ensure you have robust Cyber Insurance and Crime Insurance policies in place. Although some business insurance policies may offer limited cover for cyber incidents, this is unlikely to be sufficient to cover the true cost of a cyber incident.

Many comprehensive cyber policies also offer cyber breach response support, an invaluable resource offering expert guidance in crisis containment and the best course of action to limit damage to your business and reduce recovery time and costs. Typically, this will include data recovery specialists and expert negotiators to help recover your data and assets from cyber criminals.

It’s also important to consider that although a comprehensive cyber policy protects you against many costs associated with a cyber-attack, policies do not cover monies taken from your account or fraudulent transfers – this can however be covered by a Crime Insurance policy which includes computer crime.



Our expert construction brokers are here to help. Whether you require risk management expertise in one particular area, or a programme of bespoke covers designed to protect all current and emerging risks, get in touch today or visit our construction page for more information.

