News - Construction News

Cyber incidents risking UK construction project delivery, QBE warns



The increasing digitisation of the UK construction and infrastructure sector has introduced a critical systemic risk, with ransomware now identified as the most significant cyber threat to project delivery.

According to a new report from global business insurer QBE, a single ransomware incident results in an average of 24 days of operational downtime, creating severe financial and scheduling repercussions across the entire supply chain. As main contractors and subcontractors increasingly adopt Building Information Modelling (BIM), connected operational technology (OT), and AI-driven systems, the industry’s “attack surface” has expanded. This technological integration, while streamlining operations and oversight, has simultaneously created new pathways for cyber-attacks by connecting previously isolated data environments with systems that control physical equipment on site.

The scale of this threat is evidenced by a 410% year-on-year increase in Internet of Things (IoT) malware activity targeting the construction sector in 2025. Furthermore, data indicates that 81% of OT incidents in 2025 were facilitated by inadequate segmentation between IT and OT systems. For companies operating within the UK, the risk is compounded by geopolitical tensions; the UK recorded 15 state-aligned cyber-attacks between 2022 and 2026, the highest frequency among major European economies. While construction firms may not always be the primary targets, their involvement in designing and building critical national infrastructure (CNI) creates significant exposure, making them high-value links within wider attack chains.

For main contractors and suppliers, these risks necessitate a fundamental shift in project management, where cyber resilience is treated as a core operational priority rather than a peripheral IT concern. The regulatory environment is also tightening; the UK’s Cyber Security and Resilience Bill, introduced in November 2025, alongside the European Union’s NIS2 directive, requires stricter risk management and mandatory incident reporting. These requirements are expected to cascade through supply chains, meaning that cyber-resilient firms will likely hold a competitive advantage during procurement processes for major infrastructure projects.

There is a substantial business opportunity for firms that proactively integrate cyber governance and tested incident response plans into their project risk frameworks. Suppliers and subcontractors who can demonstrate robust cyber security credentials will be better positioned to secure contracts, particularly as insurers and clients increasingly demand visibility into the digital security of the entire project ecosystem. By addressing these exposures early, construction companies can mitigate the risk of halted site operations and unforeseen costs, ensuring the stable delivery of the UK’s infrastructure pipeline.
