Cybersecurity isn’t the first thing that comes to mind when brokers think about placing coverage for large commercial construction projects. But perhaps it should be.

Coordinating work on building sites is a multi-year ballet, requiring the on-time arrival of building materials and workers to keep a job moving. And the growing trend of just-in-time component delivery sometimes collides with scarce labour resources to make the dance steps difficult.

Those shifting priorities have managers of construction jobsites adopting digital solutions to track and coordinate work, says Thomas Strong, NFP’s senior vice president of construction technology and innovation.

But adoption of digital site management creates risks heretofore unknown in the construction industry — hacking attacks and other cyber risks directly tied to the daily tasks performed on building sites.

“We’re all trying to digitize our work,” he says. “We’re all trying to introduce technologies, because there are huge benefits from a productivity and communication standpoint. But there are also risks in that we’re consolidating all our communication traffic onto digital systems that live on the internet.”

Moving all that information onto cloud-based digital systems means construction firms are, in effect, consolidating the target for cybercriminals who break in and take control of systems — and then demand ransoms to unlock clients’ data. Manual systems, while inefficient, can indirectly enhance security.

“If all your information is dispersed on clipboards, it’s a lot harder for someone to disrupt. [In a digital scenario] if you lose access to your systems, your construction projects can’t operate, so that’s a major [business disruption] risk,” he tells Canadian Underwriter.

“Many big general contractors have used, or are moving towards, big cloud-based enterprise tools, so I would encourage them to make sure they have the expertise to ask the questions in terms of business risk and gravitate toward systems that have gone through certifications required, like ‘SOC 2,’ to make sure their systems and data are protected from cyber risks.”

Systems and Organizations Controls Type 2 (SOC 2) is a security specification defining how organizations will protect customer data and other vulnerabilities.

What’s more, construction firms should develop strategies for disaster recovery, backup and endpoint security. From there, Strong says, they should “consider additional risk controls, such as an insurance coverage.”

So far, there are no publicly reported incidents of general contractors experiencing worst-case-scenario attacks involving loss of information or lockout of building automation systems. “I would be more concerned with the things that most businesses are concerned with: Keeping their services up and running, safe from intrusion, and doing the basics like making sure they don’t have viruses emerging on their systems,” he says.

“The types of bad actor activity in the construction realm [are] often low-tech things like fraudulent invoices. But contractors need to stay vigilant against these emerging threats and invest in the appropriate risk controls and internal cybersecurity training for their teams.”

On the bright side, many emerging technologies — from wearables that keep workers safe, to systems that speed shutdown of water or other systems that may be in jeopardy — can manage construction risk.

“The big trend is a smart, connected job site…You’re walking the job site with a 360-degree camera that captures the entire environment…and then the algorithms pick away at it and give you updates on, say, the percentage of complete construction,” Strong says.

 

This story is excerpted from Canadian Underwriter‘s 2025 February/March print edition.

Feature image by iStock/Fahroni