Construction sector needs to up its game on cyber risk management
Insurance alone not the answer
A race to upgrade and digitalise workflows in the commercial construction and infrastructure industry, akin to an “arms race”, is exposing the sector to potentially major cyber risks, just as the appetite of insurers is reducing, according to experts at Commercial Risk’s recent Construction Risk Management Conference.
The construction sector is relatively immature in its adoption of technology but is fast trying to catch up, largely through the use of building information modelling during the last decade, which experts say is transforming the way that the architecture, construction, engineering and facilities management industries work together.
This collaborative approach is based on shared information models that are developed and maintained across the lifecycle of the building or infrastructure. But adopting such methods of working comes with inherent cyber risks.
Experts at our recent event agreed that the construction industry needs to up its game on cyber risk identification and management. It cannot just rely on cyber insurance, which has become scarcer and more limited in recent times, they added.
Increased cyber risk
“The sector is quite immature in this respect but there is now an arms race occurring to adopt technology in a collaborative way, using the internet of things and the like. This is really opening up the sector to cyber risk in a way that has never been seen before. This goes all the way to the control of buildings and infrastructure,” pointed out Nathan Jones, director of cyber, infrastructure and built environment specialist, at Aon Mergers & Acquisitions in London.
David Warr, cyber and TMT underwriting manager at QBE Europe, agreed that cyber risk is on the rise in the construction sector.
“It is seeing increased automation. For me, the use of technology and efforts to streamline and improve processes has delivered efficiencies but also increases the risks faced,” he said during a panel hosted by Joel Appelbaum, chief content officer at the US-based International Risk Management Institute.
Aon’s Jones said that while the adoption of such technology brings benefits in terms of efficiencies, data sharing and transparency, the relative immaturity of the construction sector in this area too often leads to serious cyber exposures.
“Firms have to show that they are able to control the process and are monitoring the information, but too often there is no such big vision. I have been involved in critical infrastructure projects in which information is flying around and it is not encrypted or controlled. This is a far greater risk than in the past. Training of people is critical,” he said.
Jones added that the sector also needs to wake up to the cyber threat within its supply chain, because often that is where the “crown jewels” are held.
“With cyber you have to look for the threat. You need to go into the deep dark web and bring in specialist organisations that can do that in different languages and build a profile of the threats. When you do this, you invariably find that you are exposed through your suppliers. Almost on a daily basis you need to be looking at how vulnerable you and your supply chain are because the supply chain holds the crown jewels,” he said.
Hardening market
Risk and insurance managers across all sectors in Europe have had to face a rapidly tightening and hardening cyber insurance market during the last few renewals. The construction sector is no different, according to the experts.
“Cyber cover is immensely difficult to place in the infrastructure sector. Initially, we do controlled exercises. Traditionally, you would work with the IT team, but actually this is a business decision because it is about whether you are going to pay a ransom, what public relations activity would be needed and the like,” said Jones.
“At the same time, the risk is growing rapidly. We used to see one or two pieces of malware doing the rounds – now it’s six to eight. Also, malware and wiperware – whether you pay or not – increasingly destroy the chips, so you need to rebuild the network and secure new chips that are currently impossible to secure. These are big business decisions,” he continued.
Risk and insurance managers need to demonstrate that they are on top of cyber risk to secure adequate coverage.
“The landscape has changed materially in the last few years. Ransomware dominates most claims that we are seeing. Risk controls are needed to secure coverage. There need to be well-defined response plans and regular backups of data,” said Warr, at the event sponsored by Aon as headline partner, and also by Swiss Re Corporate Solutions, QBE, Zurich Insurance, Sedgwick, Scor and Jupiter Intelligence.
“If the measures are in place, you can often get the quotes from the market. But the rising cost of the claims and complexity is inevitably impacting rates. There will be some firms that are not demonstrating risk controls that will struggle to find cover. Well-managed firms will find cover but in smaller amounts than two to three years ago,” he added.
Jones agreed that risk managers need to be prepared for a lengthy and detailed discussion with the market.
“Cyber insurance was seen as the tool to solve the problem, but now it is just a tool. In the past, arranging this cover could take four weeks, but now it can take six months. If you can’t demonstrate to the market that you are on top of the risk, it will be really hard,” he said.