Product Family


Claims Specialist,Cyber Professional

From modeling to drone use to 3D printing of buildings and components, construction has come of age. Today’s construction operations are deeply reliant on technology. Project managers track productivity and project timelines from tablet computers. Drones inspect job sites and return results to cloud-based databases. Wearable technology alerts workers to jobsite hazards. Technology solutions such as virtual reality, augmented reality, connected job sites and advanced tracking help site managers better manage project outcomes and safety, and predict and mitigate risks.

Yet all of the technology comes with one overarching hazard – the possibility of a cyber breach. According to a 2018 study, companies in all industries share a 27.9-percent probability of experiencing a material data breach involving 10,000+ records in any given 24-month period.  While the number of reported data breaches in construction is relatively low, the cost of a data breach is not. In fact, the average cost per each record compromised in a data breach is $148. If a construction firm has a breach of 10,000 records, the costs add up quickly.

Technology Dependencies

Much like any other industry, the construction industry is vulnerable to cyber threats thanks to an increasing dependence on technology. As more electronics appear on jobsites and in daily operations, the risk of hackers exploiting security loopholes increases.

One threat faced by construction companies is the possibility of a ransomware attack.  Ransomware is malware, deployed through the internet,  that encrypts the files on a business’s computer systems.  The business must pay a ransom, often in Bitcoin, in order to obtain a decryption key to regain access to the computer systems. In fact, ransomware attacks are increasing in frequency thanks, in part, to an increase in Bitcoin valuation over the past few years.

Another disturbing cyber threat that has emerged in recent years is an email scam that uses actual email accounts from the targeted business. This scam is similar to traditional email phishing scams in that hackers send fraudulent emails in an attempt to trick employees into sending wire transfers. However, instead of using spoofed email accounts, cyber thieves are now infiltrating email systems and sending fraudulent requests from actual user accounts.

Such emails are tougher to detect as fake. Whereas a spoofed email contains a different email address than the user’s regular email, the hacked emails are identical in every way to a request from a company employee or executive. Few employees would question a monetary transfer request coming from a real email address for the company’s accounting department.

These are incidents that construction firms can ill afford. Because construction project success is dependent on projects meeting timeline and contractual obligations, any delay in business operations could result in serious financial loss.  Those losses include:

Delay damages: Depending on contract language, construction firms could be penalized for delayed project completion. Such delays can cost contractors twice – once for the damages paid to the client and once more for the business costs associated with the delay.

Business interruption: A downed computer system could mean that contractors are unable to start other scheduled projects on time or keep current employees on the job and productive.

Cash flow issues: Delays could mean material storage costs, extensions to insurance policy periods, additional wages and workers’ compensation exposures and expenses, extension to site facilities rentals, and lack of expected money from the delayed project.

Subcontractor delays: Subcontractor obligations elsewhere could further delay a successful project completion.

Cost of remediation: Depending on how many client and vendor files are compromised and how long it takes the construction company to identify the breach, the costs could mount quickly. And rarely do most companies notice breaches immediately – the average time between breach and identification is 197 days. Plus, remediation takes time – an average 69 days from discovery to containment.

The first line of defense against cyber threats for construction companies is an educated employee population.

Reducing Data Breach Risk

The first line of defense against cyber threats for construction companies is an educated employee population. Teach employees what methods hackers will try to use to infiltrate the company systems, including phishing and email mirroring scams, and encourage employees to scrutinize any messaging that contains suspicious links or requests changes to payments or bank accounts. Construction firms can employ the following safeguards:

Payment Change Verification Process: Have a procedure in place for changing payment information, such as how many people must sign off verbally, who those people are, and what steps to take when such requests come in.

Train Employees on Social Engineering Methods: Employees should know the protocol for links contained in emails, and for requests for sensitive information on employees, vendors, or company files. Most breaches occur through employees inadvertently granting access to cyber thieves.

Require Regular Password Changes: All users should be required to change passwords at regular intervals and set up complicated passwords containing a combination of numbers, letters, and characters. Employees should be warned not to keep passwords written or stored on devices or work spaces. Also, consider using two-factor authentication for anyone logging in to company systems.

Update Anti-virus Software: Install regular updates to newer anti-virus programs, and consider upgrading if your software is outdated or no longer supported.

Review Insurance Policies: Understand what is covered and what is excluded. Is cyber liability covered on your current policies and, if so, to what extent? Do you have a policy that provides first-party data breach response and crisis management coverage? What additional products may be needed to better mitigate against cyber loss?

Review Risks: The construction industry has been slower to adopt digital tools than some other industries, and construction companies may think that their cyber vulnerabilities are not as great as those in other business areas. However, cyber thieves are looking to attack any companies whose systems offer the easiest entry points, and the construction industry is an ideal target precisely because the industry has only recently become more digitized.

As hackers continue to search for vulnerabilities in construction company systems, employers should assess their security gaps and create processes that help all employees identify and thwart attempted cyber breaches. By doing so, construction companies potentially can avoid the costs and headaches associated with data breaches, and instead focus their attention on completing their projects on time and in budget.


About the Author

Conor Mulcahy is a cyber claims specialist with AXA XL, a division of AXA.    He can be reached at


Photo by Ricardo Gomez Angel on Unsplash

To contact the author of this story, please complete the below form

Invalid First Name
Invalid Last Name
Country is required
Invalid email
Invalid Captcha

More Articles

Global Asset Protection Services, LLC, and its affiliates (“AXA XL Risk Consulting”) provides risk assessment reports and other loss prevention services, as requested. This document shall not be construed as indicating the existence or availability under any policy of coverage for any particular type of loss or damage. AXA XL Risk. We specifically disclaim any warranty or representation that compliance with any advice or recommendation in any publication will make a facility or operation safe or healthful, or put it in compliance with any standard, code, law, rule or regulation. Save where expressly agreed in writing, AXA XL Risk Consulting and its related and affiliated companies disclaim all liability for loss or damage suffered by any party arising out of or in connection with this publication, including indirect or consequential loss or damage, howsoever arising. Any party who chooses to rely in any way on the contents of this document does so at their own risk.

US- and Canada-Issued Insurance Policies

In the US, the AXA XL insurance companies are: AXA Insurance Company, Catlin Insurance Company, Inc., Greenwich Insurance Company, Indian Harbor Insurance Company, XL Insurance America, Inc., XL Specialty Insurance Company and T.H.E. Insurance Company. In Canada, coverages are underwritten by XL Specialty Insurance Company - Canadian Branch and AXA Insurance Company - Canadian branch. Coverages may also be underwritten by Lloyd’s Syndicate #2003. Coverages underwritten by Lloyd’s Syndicate #2003 are placed on behalf of the member of Syndicate #2003 by Catlin Canada Inc. Lloyd’s ratings are independent of AXA XL.
US domiciled insurance policies can be written by the following AXA XL surplus lines insurers: XL Catlin Insurance Company UK Limited, Syndicates managed by Catlin Underwriting Agencies Limited and Indian Harbor Insurance Company. Enquires from US residents should be directed to a local insurance agent or broker permitted to write business in the relevant state.