Three key steps for addressing cyber risk in the construction industry

Virtual reality and artificial intelligence are becoming integral parts of the construction industry. But with their widespread adoption come new risks that call for a more sophisticated approach to risk management.

It’s the phone call no contractor wants to receive — the call to inform them that someone has hacked into their crane, drone or other internet-connected equipment and damaged their jobsite and everything around it. So, in addition to equipment damage, there’s a project delay, physical damage to the building next door and pending litigation.

While this may sound like a worst-case scenario, it’s a real possibility, particularly as the construction industry becomes more reliant on technologies such as virtual reality, drones and artificial intelligence to help get work done.

These tools can boost productivity and safety, but they can also increase an organization’s exposure to cyber risk. And that’s a major cause for concern in the industry. In fact, according to findings from Willis Towers Watson’s Construction Risk Index, construction executives cited cyberattacks and privacy breaches resulting from the industry’s adoption of new technologies among their top 10 risks.

So what can construction organizations do to become more cyber secure? While there’s no universal industry best practice for cybersecurity in construction, there are some steps that can help reduce those risks. Here are three tips that can help.

1. Know your challenges

Effective risk mitigation starts by understanding what you’re up against, so take time to understand and evaluate the cybersecurity risks within your organization. Some questions to help you along the way include:

  1. Where is your data stored and who has access?
  2. Do you have customer and other confidential records?
  3. How long would it take your business to restore operations following a breach?
  4. Would your business be able to operate if your systems or network went down?
  5. What would be the costs of a breach and the effects of downtime?
  6. Would you be able to pay a ransom or successfully remove ransomware from your system?
  7. Would you be able to determine what caused the breach and network outage?
  8. What are your coverage needs (e.g. security and privacy liability, cyber extortion, cyberterrorism, reputational, privacy breach response costs, etc.)?

2. Check your insurance coverage

While cyber may be included in your existing professional liability, property and commercial liability policies, there may be gaps in that coverage that could leave you exposed. So, once you’ve assessed your cybersecurity risks, review the nature and provisions of those policies to see if the coverage you have meets your needs, or if you need to develop a risk transfer strategy.

Bear in mind:

  • Professional liability doesn’t usually cover hacking intrusions or viruses/malware that can affect design, design-build or engineering platforms, or other technology services such as hosting platforms or cloud services.
  • Property insurance will generally cover loss of business income, but only if there’s direct physical damage caused by the loss of the insured’s own property. And it’s often unclear whether a policy will cover damage to a company’s website or computer system caused by a hacker or rogue employee.
  • Commercial liability often contains exclusions to intangible property, data and technology. Coverage may be limited to physical damage only.

3. Train and educate your workforce

Your workforce should be your first and best line of defense when it comes to fending off cyberattacks. This means providing comprehensive and ongoing cyber training to all employees within your organization to identify, report and mitigate an attack. While this can be challenging, given the often decentralized nature of the construction workforce, it’s worthwhile, especially when you consider our recent claims data, which shows that two-thirds of cyber incidents are the direct result of employee behavior.

The potential impacts of a cyber incident are wide and varied for construction organizations. So when it comes to combating cyber risk, it’s critical to take a holistic approach across people, capital and technology on the journey to becoming more cyber resilient. No matter what speeds this progress, the eventual solution needs to be carefully tailored to the specific demands of an industry that’s rapidly embracing technology, where the most successful will be those who combine pragmatism and innovation.

About Paul Becker

Paul Becker is Willis Towers Watson’s Global Practice Leader, Construction, with 30 years of insurance experience…