Tech adoption has always come with its share of risks, but none of them have
caught my attention quite like the cyber risks of technologies already in common use, and of
those the industry may adopt in the near future. Everything in this space evolves incredibly
quickly, including the risks.
In today's rapidly evolving digital landscape, the construction industry is
increasingly vulnerable to cyber risks. As companies adopt more digital capabilities and
interconnected systems, the potential for a significant cyber incident grows. The AXA XL
Innovators' Circle—a collaborative peer network of innovation leaders from our insured
partners who collectively solve construction's stickiest tech and innovation
challenges—recently put their heads together with the AXA XL Cyber Center of Excellence,
and the following is what we focused on.
Introduction to Cyber Risks in Construction
The construction industry is experiencing a significant shift toward
digitalization, with the adoption of project management software, computer-aided
design (CAD), building information modeling (BIM), and industrial control systems.
While these technologies enhance work quality and reduce project timelines, they
also introduce new cyber risks. The interconnected nature of these systems makes
them especially susceptible to malware and cyber attacks, posing a substantial
threat to the construction industry.
Key Cyber Risks
Older operating systems. Many construction companies still rely on older operating systems that are no longer supported. These systems have known vulnerabilities and lack necessary patches, increasing the risk of cyber incidents.
Ransomware and data breaches. The construction industry has seen a significant rise in ransomware attacks over the past 5 years. These attacks can halt projects by making machinery or software inaccessible, leading to delays and financial losses. Additionally, hackers often steal and hold data hostage, threatening to release it on the dark web unless a ransom is paid. The evolution of ransomware has led to increased demands, sometimes reaching eight-figure sums.
Biometric data risks. The use of biometric
data, such as fingerprints for time clocks, introduces privacy concerns.
Proper consent is required to avoid fines and penalties under biometric
laws. Compliance with these laws is crucial, as illustrated by Cothron v. White Castle
Sys., 2023 IL 128004, 466 Ill. Dec. 85, 216 N.E.3d
918, where violations of the Biometric Information Protection Act in
Illinois resulted in an initial judgment close to a billion dollars, though
this has since been reduced.
Wire transfer fraud. The increasing sophistication of cyber criminals has led to a rise in wire transfer fraud. If you have seen some of these phishing attempts lately, you know they are getting much better at putting together a convincing email. To prevent fraud, it is essential that every employee in any company knows how to independently verify payment change information and stays cautious of potential phishing attempts; construction companies are no exception.
Business interruption and dependent business
interruption. Cyber attacks can cause significant disruptions,
leading to business interruption. This includes loss of business income or
additional expenses incurred to keep the business running after a cyber
breach. Dependent business interruption occurs when a vendor's cyber attack
impacts the insured's ability to perform their job. The construction supply
chain is complex, and the last few years have shown us a lot about how
vulnerable it is to impacts. Cyber attacks at any point in a supply chain
can have massive impacts.
Strategies To Mitigate Cyber Risks
Adopt security standards. Implementing
security standards such as multifactor authentication, endpoint detection,
and incident response planning can help companies avoid or better recover
from cyber attacks.
Evaluate vendor security. It is crucial to
evaluate the information technology (IT) security posture of suppliers and
ensure they have cyber insurance. This can be done through questionnaires,
third-party reviews, and security scorecards. Several tools exist that can
be used for vendor vulnerability testing.
Compliance with biometric laws. Companies must comply with biometric laws by providing full disclosure to employees about the information collected, its use, and retention policies. This helps avoid significant fines and penalties.
Cyber insurance. Construction-specific cyber endorsements, such as coverage for missed bids, downstream contractual penalties, and drone-related privacy violations, are essential for mitigating risks. These endorsements ensure coverage for various applications used in the industry.
Vetting third-party providers. It is important to vet third-party providers to ensure they have robust IT support and security measures in place. Examples of significant cyber events, such as the CrowdStrike system failure and the Change Healthcare breach, highlight the need for thorough vetting.
Conclusion
The construction industry must remain vigilant and proactive in addressing cyber risks. By adopting security standards, evaluating vendor security, complying with biometric laws, obtaining cyber insurance, and vetting third-party providers, companies can reduce or mitigate the potential impact of cyber incidents. As the industry continues to embrace digitalization, these strategies will be crucial in safeguarding against evolving cyber threats.
Opinions expressed in Expert Commentary articles are those of the author and are not necessarily held by the author's employer or IRMI. Expert Commentary articles and other IRMI Online content do not purport to provide legal, accounting, or other professional advice or opinion. If such advice is needed, consult with your attorney, accountant, or other qualified adviser.