Since we have now reviewed a brief sampling of cyber incident terminology and have identified how there is cyber exposure in a variety of capacities that might not have been considered previously, the following examples further explore cyber-related incidents in the construction industry. These four examples demonstrate certain cyber vulnerabilities and are used to examine how the construction industry, in particular, has already been significantly and negatively impacted by cyber-attacks.
These examples are included here to help spark a dialogue about these cyber-events and to help those involved in the construction sector see how to best address cyber-event risk exposures based on their own unique circumstances. Perhaps, some of these present exposures have not even been considered due to the speed with which technology keeps changing. The final two illustrations specifically show how those involved with the construction of hospitals, even under pandemic conditions, were still subjected to cyber-attacks.
- Bird Construction (2019): Bird Construction, a Toronto-based large construction company known for its securement of both federal department and military contracts, experienced a ransomware attack in 2019 when 60 gigabytes (GBs) of its data was stolen, and a ransomware attack was initiated for its return as reported by CBC News. Spanning from 2006 to 2015, Bird Construction had secured almost 50 contracts with the Department of National Defence alone and such contracts surpassed $400 million. This also demonstrates how government contractors may be especially vulnerable to these cyber-attacks. In this instance, a $9 million ransom was demanded from Bird Construction so that it could secure the decryption key as reported by CBIZ.
- Bouygues Construction (2020): In a press release, Bouygues Construction, a French contractor, noted that on January 30, 2020 a “ransomware-type virus” was found on its computer network. In a follow-up press release, it was stated that “Following the virus attack on the Bouygues Construction computer network that occurred on January 30, specific measures have been taken to ensure that our work can continue in France and in other countries.” It was added there that “The company has filed a complaint and is working in conjunction with the competent authorities to identify the origin of this criminal action and to protect the interests of its customers and partners. Ad hoc insurance policies have been activated.” Again, a ransomware attack was the issue, and a total of 200 gigabytes (GBs) of the company’s data was allegedly stolen, a $10 million ransom was required for its return, and an entire network was shut down as explained by CBIZ.
- Bam Construct (2020): Those working in hospital construction have also been impacted by cyber-events. In 2020, BAM Construct, a contractor hired to construct a temporary coronavirus hospital in the U.K., experienced a cyber attack as explained by IT Pro. According to BBC News, the reported cyber-attack was described as a ‘significant’ one and one that involved a computer virus. BBC News went on to add that Bam Construct further noted that this event represented only a segment ‘of the wave of attacks on public and private organisations supporting the national effort on Covid-19.’
- Interserve (2020): Those involved in an outsourcing capacity can also fall victim to cyber-attacks. Also in 2020, Interserve, an outsourcing company involved with constructing another emergency coronavirus hospital in the U.K., suffered a cyber-attack, resulting in the theft of information from as many as 100,000 of its employees as reported by The Telegraph. This situation shows how apart from business and customer-related information employee information can also be jeopardized when a cyber-attack occurs. Therefore, it’s also necessary to examine how such information is protected so as to reduce the likelihood of a cyber-event that could result in theft of the information as was the case here.
The above examples emphasize that no matter the size of a business cyber-events can and do occur. Those involved with the construction industry, whether directly or indirectly, need to be aware of the various cyber-risk exposures present today and in the future. Awareness of these cyber-issues is pivotal; after all, Verizon’s 2023 Data Breach Investigations Report (“2023 DBIR”) determined that in three out of every four data breaches the human element was a factor!
There is a lot of overlap across affected industries. In the last two examples summarized here, hospitals were also involved. A 2023 IBM report emphasized that “The average costs of a studied breach in healthcare reached nearly $11 million in 2023 – a 53% price increase since 2020.” National Construction Appreciation Week, celebrated from September 18th to the 22nd, has given us the opportunity to facilitate discussion about how cyber-related events can impact the construction industry.
We have seen more cyber-related contractual requirements for the construction industry. Therefore, it’s advantageous to take a proactive rather than reactive approach to the issue of cybersecurity. According to the Council of Insurance Agents & Brokers, half of the cyber-attacks focus on small businesses. As a result, they go on to add that “[t]o help plan for and mitigate the risk of a cyber-attack, cyber insurance can serve as a means of protection on both the back-end to help cover the costs of a breach and also on the front end, as outside consultants can help bolster cybersecurity and work with employees to help raise awareness of vulnerabilities and the importance of good cybersecurity practices.”
The construction industry is a fast-paced industry, and a missed bid on a project due to a cyber event is a real possibility that could have real consequences. It’s important to further examine additional coverage options that may be available when such circumstances arise.
Synapse Services LLC does offer enhanced cyber insurance coverage options. Please contact one of our producers if you are interested in receiving more information about the enhanced options available.
By: Jessica Cambridge