
Why construction firms must insure against cyber attacks

Construction businesses of all sizes understand the nature of risk and the necessity of mitigating it by investing in comprehensive insurance policies. But while many proactively insure and protect their physical assets, few construction businesses consider cyber security as part of their insurance portfolio.

This might be because the sector still does not consider itself part of the digital landscape; a UK Government cyber security survey published earlier this year reveals that construction firms are more likely than others to think that online services are not a core part of their business offer (56%). The same survey shows that only 43% of construction businesses have sought information, advice or guidance in the last 12 months on the cyber security threats faced by their organisation, compared to 58% of businesses overall.

The reality is that the construction sector is as vulnerable as any other to cyber attacks and online crime.

According to UK Government statistics, in 2015 some 15% of construction business premises were affected by online crime – one in six. A study from the Home Office, also from 2015, shows there were 77,000 incidents of online crime against construction firms, 71% of which were computer viruses and 10% of which were hacking attacks. An estimated 2,000 firms had their online accounts raided by thieves.

Of course, financial crime is not the only cyber risk that construction firms need to protect against. Data loss incidents, whether deliberate or accidental, could be devastating. Consider the amount and variety of data even a small construction firm might hold digitally, on past, current and future projects, on clients, customers and members of staff. This could include sensitive personal information, confidential commercial data, intellectual property and financial details.

Moreover, a cyber attack or data breach could come from many different sources – from suppliers, contractors, even employees.

When you realise the potential damage a cyber attack or a data loss incident could do to a construction business, both financial and reputational, the need for dedicated cyber insurance becomes clear. The construction sector needs to wake up to its responsibilities, and quickly, as the law around data protection is set to change significantly next year with the introduction of the European Union’s General Data Protection Regulation (GDPR). The regulation was drawn up to give citizens back control of their personal data, and will come into force in the UK in May 2018 irrespective of the nature of our future relationship with the EU. In fact, the UK Government recently announced that the regulation would be transferred into UK law in the new Data Protection Bill. The bill will require firms to gain explicit consent when processing and storing sensitive personal data, as well as making it easier for individuals to withdraw their consent, to access the information held on them and to ask for their personal data to be deleted.

There is also a new requirement for data breach notifications. Currently there is no obligation to report a data breach to the Information Commissioner’s Office (ICO), or anyone else for that matter, but the GDPR will introduce mandatory breach reporting. Businesses will be obliged to report security breaches to the relevant authority “without undue delay, and where feasible, not later than 72 hours” after they first become aware of them. Existing data protection practices are likely to fall far short of the requirements of the GDPR, and compliance could mean significant administrative burdens for businesses that are unprepared. The severe fines for non-compliance – up to £17M (€20M) or four per cent of global turnover – mean businesses can’t afford to ignore the GDPR.

There are steps businesses can take to protect their IT systems against the threat of cyber attack, for example by investing in the latest, most secure hardware, by ensuring anti-virus software is kept up to date and by implementing a strict internal data policy for all staff.

But even with these precautions, cyber security breaches can still take place – and what happens to your business then?

We have already seen a steady growth in demand for dedicated cyber liability and crime insurance policies as a direct result of the GDPR, and we expect this to continue until the regulation is introduced. Subject to underwriting, a cyber insurance policy can protect against many potential incidents, including loss of data, cyber extortion, cyber business interruption, identity fraud, malicious data damage, telecoms fraud and commercial disruption. A good policy will also cover things like defence costs, court compensation costs and even the cost of public relations advice, which is especially useful considering the reputational damage and loss of trust a data breach can cause.

The threat of a cyber attack or data loss incident is not a theoretical risk in a digital world; it is a very real risk with real consequences for your construction business. Can you afford not to protect against it?


Chris Davies is a director at Prescott Jones Property and Construction Risks. Chris has more than 30 years' experience in the insurance industry and is a respected expert in the construction sector.
