Data governance and cyber security is only the sixth-most commonly cited risk in our Contractor Risk Review 2020. Should it be higher?
Every year, cyber crime punches a multi-billion pound hole in UK company finances. The cost of retrieving stolen data, fixing corrupted systems, and maintaining operations during outages has skyrocketed from tens of thousands of pounds a few years ago, to seven- and eight-figure sums today.
The construction industry has been slow to digitise, but innovations such as building information modelling (BIM), wearable technology, and augmented reality (AR) are revolutionising the construction process. Increased use of technology amplifies construction’s reliance on IT systems and the data they carry, as do digital collaboration and engagement with customers, staff, and supply chain partners.
The increasing use of technology has escalated the industry’s vulnerability to malicious activity, with a number of large UK contractors having fallen victim to cyber-attacks in 2020 alone. Digital threats are seen as so great that some construction companies stipulate that the firms they partner with must have cyber insurance in place, sometimes before they tender for contracts.
Cyber and Digital Risks
Cyber and data protection risks are notoriously multi-faceted and subject to rapid change, making them difficult to quantify and mitigate. Elements include, but are not restricted to: the safety of customers’ confidential data; malware; ransomware attacks; and the breakdown of security software or management systems. IT security breaches could also result in reputational damage, and compromise companies’ security, growth, and ability to innovate.
Attacks are becoming more sophisticated and increasingly expensive to remedy. Engagement with suppliers can also prove a data risk, as cyber criminals could exploit technology loopholes at supply chain companies with weak IT networks to gain access to main contractors’ systems and data.
UK contractors’ cyber security needs to keep up, yet the Contractor Risk Review 2020, our analysis of the risks most commonly identified by the UK’s largest contractors, found that data governance and cyber security is only their sixth-most commonly cited risk.
During our survey periods, 2017–18 and 2018–19, only 58% of UK contractors cited data and cyber risks in their annual reports. Yet numerous industry surveys rank cyber risks much more highly. For example, cyber and data risks topped the threat index in a leading insurer’s 2020 global risk barometer.
Possibly, contractors were not fully cognisant of the risk’s magnitude, or perhaps they had confidence in their mitigation methods. However, since our survey period ended, several large contractors have suffered ransomware attacks.
Data and Cyber Risk Management
During the Contractor Risk Review 2020 survey period, top contractors who cited data and cyber risks adopted a range of mitigation measures. These measures included setting up working groups to drive policy, procedure, training, and sharing best practice. They also organised management and end-user training on data protection, cyber security, and GDPR compliance.
Some top-tier companies have reduced cyber exposures in their supply chain by significantly cutting the number of approved suppliers. Some contractors also hired external security companies to conduct annual penetration tests and 24-hour threat monitoring.
Insurers’ Approach to Digital Risks for Contractors
This year, Marsh has worked with the cyber market to develop policies that address risks specific to the construction industry. Business interruption insurance has been tailored for construction firms, with coverage built in to reflect the large financial commitments that contractors make to respond to some tenders. Coverage has also been devised for issues related to BIM, drone use, and the loss of contracts due to business interruption.
At the same time, insurers are increasingly asking questions about the following issues:
- User access controls, especially with regard to administrators.
- Multi-factor authentication.
- Network segmentation.
- No open Remote Desktop Protocol (RDP) ports.
- Backups, especially offline and protected backups.
- Endpoint protection.
For more details about construction-specific cyber cover, construction firms should contact their insurance brokers.
Read a broader discussion of contractors’ data governance and cyber security risk in the Contractor Risk Review 2020.