Criminals prefer easy targets. Therefore, it stands to reason that industries slow to implement proper cybersecurity measures are among the easiest targets for cybercriminals to infiltrate. Construction has lagged behind other industries in its adaptation of technology solutions and as a result, is a favorite cyberattack target.

Taylor Oswald’s construction practice understands construction vulnerabilities to cybercrime and finds solutions to protect against losses that can derail construction projects.

Real Risk and Real Loss

From large construction companies to small contractors, the impact of cyberattacks can be devastating. With the average cost of a data breach being $4.88 million in 2024, according to an IBM study, it is easy to see that a cyberattack can have a significant impact on an organization’s bottom line.

While stolen personal information can be devastating to individuals and employers alike, cybercriminals who target construction companies hope to gain intellectual property, competitor information, financial information and more. If any of these data points are compromised, it could result in lost revenue and reputational harm for the construction firm.

Ideal Prey

The construction industry is especially attractive for a variety of unique reasons. One breach can steal or damage intellectual property, architectural drawings, job specifications and financial data from clients and vendors, sensitive company information, and employees’ personal data such as social security and account numbers.

As the technology evolution grows at faster rates in construction, cybercriminals know:

• Many contractors lack the resources, knowledge or time to fully implement the strong security measures and to keep up to date with the evolving world of cybersecurity. Many assume it won’t happen to them.
• Construction companies collect and access a lot of data from many sources. This robust information base provides one-stop shopping for cybercriminals.
• Many contractors believe that their businesses are too small or too large to be hacked.In reality, small businesses are just as susceptible to cybercrime as any other organization.

Large contractors are also at risk. Turner, AECOM and Whiting-Turner have been all been victims of cybercrime.

Being the victim of a cybercrime can cause the business to be disrupted or even close its doors for good, regardless of its size.

Types of Attacks

Whether a cyberattack occurs as a result of hackers infiltrating a company’s network or due to human error internally within an organization, contractors face exposures associated with the following categories:

Data breaches

An intentional or unintentional release of secure or private/confidential information to an untrusted environment.

Malfunction of, or injury to, computers

Unauthorized access, destruction, disclosure, modification of information, and/or denial of service brought about by an event that can negatively impact organizational operations, organizational assets, or individuals through an information system.

Failure of electronic or communication system

The shutdown or partial shutdown of a system caused by an event or sequence of events.

Data breaches for contractors are most often the result of lost laptops or other mobile devices, hacked systems, malicious code from an external source, loss or improper disposal of paper records, and failure to maintain electronic backup(s).

Complex Coverage to Mitigate Damage

The cyber landscape changes every day and it is becoming more and more impractical to think that these risks can be avoided at all times. In addition to implementing internal steps to lessen risk and improve cybersecurity, contractors need to mitigate risk if and when a cyberattack occurs.

Cyber insurance continues to evolve with cybercrime. These policies allow the cost of damages to be transferred from the contractor or construction company to the insurance carrier. Cyber liability policies are not standardized from one carrier to the next and can have wide variations in coverage and cost.

In general, cyber coverages can offer protection when certain types of cybercrime cause:

• Loss of Personally Identifiable Information
• Damage to an external system or failure to protect third-party intellectual property
• Business interruption if a cyberattack causes a quantifiable loss in revenue
• Systems failure or any unplanned and unintentional outage of your system
• Extortion demands from hackers who infiltrate and render systems useless until they have received a ransom payment. Payment is most frequently requested in the form of a cryptocurrency.

These policies are complex and underwritten specifically to the exposures associated with cybercrime. Because cybercrime and legislative protections continue to change at an accelerated pace, these policies continue to evolve almost weekly as well.

A professional risk manager can help determine the best policy for specific needs. In addition to knowing the market and the key carriers, as well as remaining up to date with market standard coverages, your risk manager should also review and tailor a policy to your organization’s appropriate limits, retentions, outsourced vendor protections, and other specific policy provisions.

It’s Not Too Late

If your construction firm already has cyber protection in place, it is time for a review as exposures and coverages change rapidly. If your firm has not considered cyber protection, it is time to get coverage in place. Either way, Oswald can help. We partner with contractors and their business at any stage of development and across the spectrum of size and sophistication.

Here at Taylor Oswald, we know that contractors and construction companies face increasing cybercrime exposures every day. Mitigating damages and protecting contractors is our business and our goal.

Contact Austin Bennett, abennett@tayloroswald.com to start a conversation on how to best protect your business.