Large losses and increased regulation have raised awareness of cyber risk at a board level and driven a growing demand for specialist insurance. With 83% of large US organisations now purchasing standalone cyber cover, and penetration rates elsewhere rising, what should the UK construction and housebuilding market be doing to protect themselves?

2021 marks three years since GDPR became effective in the UK. Despite the increased risk awareness of cyber related attacks developed as a result, and the inevitable media scrutiny, we have continued to see a number of high profile data breaches:

Marriott Hotels

In early 2020, hackers accessed customer loyalty data for over five million guests, including names, birthdays, contact details and travel information. Unfortunately for Marriott, this came after another breach in 2018, which affected up to 500 million of their customers. As a result, the Information Commissioners Office (ICO) had indicated its intention to fine Marriott almost £100 million, however this amount was finalised in October 2020 at £18.4 million. 

British Airways (BA)

BA suffered a customer data breach in 2018, which went unnoticed for two months. Sensitive personal data of 400,000 customers was unlawfully accessed by hackers. This included credit card and other payment details. Having previously announced its intention to fine BA £183 million, the ICO finally settled on a reduced figure of £20 million in October 2020.

 

But have there been any breaches in the construction sector?

Until last year, the highest profile construction losses had all occurred outside of the UK. However, a series of ransomware attacks on UK construction businesses were reported in the second half of 2020. The victims included Amey, Bouygues UK, Interserve (and separately RMD Kwikform) and BAM Construct. Whilst details of these UK attacks are yet to be confirmed, they underline the very real risks facing companies operating in this sector. 

Let’s look at how these crimes have been perpetrated on construction companies in other countries.

Bouygues (France)

In January 2020, a ransomware attack shut down the computer system of Bouygues Construction. Maze encrypted Bouygues’ network and threatened to publish employees’ names, home addresses, phone numbers, social insurance numbers, banking details, and drug test results online, unless a ransom was paid.

Turner (USA)

In March 2016, Turner Construction was the victim of a spear phishing scam. Fraudsters tricked an employee into sending sensitive financial information to a bogus email address. In this case, the information contained employee names, social security details and tax details.

Target (USA)

Still one of the most famous cases, the Target breach in 2013 was perpetrated by exploiting a vulnerability in the IT systems of its HVAC contractor.

 

Have there been any prosecutions for non-criminal breaches?

In addition to criminal attacks, we have also seen data privacy prosecutions in continental Europe: 

CCTV

In January 2020, an Austrian retail food outlet was fined for use and retention of CCTV footage in public areas. The angle of vision of the camera included a public thoroughfare and neighbouring business, going beyond the requirement to install the camera in the first instance (which related to the outlet’s insurance policy).

Biometrics

A German company introduced a fingerprint recognition system to assist with timekeeping and reduce working time fraud. The court upheld an employee’s objection to the use of sensitive personal data for this purpose and ordered that formal warnings given for refusal to use the system be removed from HR records.

Facial recognition

Sweden’s first ever GDPR fine was issued to a local authority trialling a facial recognition system on 22 students to reduce teacher time in recording attendance. Despite having parental permission, the Swedish Data Protection Agency felt that there was insufficient reason to collect sensate personal data and that the students had an expectation of privacy when then entered classrooms.


Clearly an evolving area, construction companies must remain on their guard to ensure that they are effectively protected from both malicious actors and also regulatory punishment.

 

How can cyber insurance help?

Organisations are buying cyber insurance for a host of reasons:

  • To address regulatory and legal concerns – cyber insurance can protect against third party liability and regulatory costs, while breach services can help meet notification requirements.
  • For speed of response – responding quickly and effectively can directly impact the cost of a cyber incident. Cyber insurance can provide instant access to critical breach response services proven to mitigate business interruption losses.
  • To comply with commercial requirements – companies increasingly need to demonstrate that they have cyber insurance in place when tendering for contracts. It is also used to protect the supply chain.
  • For coverage and contract certainty – cyber insurance can address any gaps or exclusions in traditional property and casualty policies, such as system outages.

 

Recommendations

  • Remember that insurance is never the complete answer and should only be used as part of a comprehensive risk management plan.
  • Talk to a broker with specialist cyber capabilities, who can advise on both risk management and insurance options.
  • Understand the cover you have purchased and ensure it addresses your exposures. 

We're here to help