Gulfshore Insurance > Gulfshore Blog > Commercial Risk Management > Client Alert: Cyber Risks and The Construction Industry: Are You Prepared?

Did you know that…

  • More than half of U.S. businesses have experienced a cyber attack in the past year.
  • Of those businesses hacked, 72% spent $5,000 or more.
  • 1 in 9 system compromises happen in under a minute.
  • 83% of compromises took a week or more to detect.
  • All 50 states require notification when a data breach occurs.


In recent years, cybersecurity threats have become increasingly complex, and businesses of all kinds – including the construction industry – face ever-growing risks to their reputation, their finances, their continuity of operations, and even to the safety of their job sites and equipment. A recent Forrester survey revealed that more than 75% of respondents in the construction, engineering and infrastructure industries had experienced a cyber-incident within the last 12 months. It is projected that cyber crime will cost businesses approximately $6 trillion per year on average through 2021.

Cyber threats can expose all of a company’s digital assets: business plans and acquisition strategies; proprietary construction plans and designs; customer, contractor, and supplier lists and pricing; personally identifiable information of employees and contractors; protected health information of personnel; and facilities security information. Cyber risk can also cause business interruption and reputational harm: for example, a ransomware attack might not lead to a loss of information, but by shutting down a company’s computer networks, and potentially destroying information, it can cause an enormous amount of lost productivity and business delay. And the ability for cyber attackers to hijack physical devices – from security cameras to vehicle telematics to industrial control systems – means that there is an ever-increasing risk of property damage and personal injury due to cybersecurity incidents.

There are a number of ways to mitigate cybersecurity risk, including:

  • Policies and training. The very best IT can’t prevent human error. It’s essential to implement clear policies on cybersecurity basics like use of strong passwords, multi-factor authentication, use of encryption for sensitive data, and restrictions on the use of removable media. It’s also essential to train employees on best practices, including how to recognize potential phishing emails and sensitive information to which they have been granted access.
  • Vendor management. Contracts with subcontractors, suppliers, and others are an essential component of mitigating cyber risk. Legal review of representations and warranties about the cyber practices of a business partner, along with appropriately tailored indemnification and hold harmless provisions, can be a foundation for mitigating cyber risk associated with doing business with third parties.
  • Insurance. Cyber insurance is widely available and can be an effective component of an overall insurance program. Most cyber policies cover the costs of forensic investigation and breach notification associated with a cyber incident, but many do not cover other costs that could be associated with a cyber incident. For instance, a business email compromise, in which a spoofed email dupes a company into wiring money or employee information to a fraudulent account, is often covered under a crimes policy. However, property damage, personal injury, and environmental damage, all of which are possible consequences of a cyber-attack, may be more likely excluded from cyber coverage and, instead, covered under general liability or other policies. Because of the many ways in which cyber threats can play out, and the intricacies of the intersection of various insurance coverages, it is essential to assess cyber coverage in the context of a comprehensive insurance program.


Cyber-attacks now occur to every class and size of business. Although the steps listed above can’t eliminate cyber risk altogether, they can greatly reduce the likelihood of an incident, and reduce its cost and impact if one occurs. The high cost of cyber-attacks makes going without cyber insurance a real risk.

Working with a trusted insurance agent who has proven expertise in cyber security and familiarity with the unique risks posed to the construction industry is the best way for companies to ensure that they are adequately covered.