Third-Party Cyber Risks in the Construction Industry

Third-Party Cyber Risks in the Construction Industry


Ensuring that your construction company survives and even thrives after a cyberattack requires the ability to pivot and deflect cybersecurity vulnerabilities as you become aware of them. After a cyberattack it is too late to pivot.

Third-party cyber risks can make construction companies, or their subcontractors, or third-party suppliers, low-hanging fruit for hackers and fraudsters.

Social engineering schemes against your third-party contractors puts your company at risk of a cyberattack.

Your valuable client list may be attractive to hackers -- who will use Island Hopping to steal your data.

Fortunately, construction companies can turn to an essential cyber solution – comprehensive Stand-Alone Cyber Insurance – to address specific business risks and risk tolerance levels.

Construction Industry Cyber Risks

Notably, social engineering risks make construction companies, or their subcontractors or third-party suppliers, low-hanging fruit for hackers and fraudsters.

According to the Verizon 2020 Data Breach Investigations Report, social engineering is one of the leading cyber threats to the construction industry.

Social engineering schemes often involve phishing emails that entice employees to click on links that release malware into the network.

Phishing email attacks can happen in your shop when employees are unaware of the cyber threat, or at off-site work environments when employees may be distracted.

Third-Party Risks

Social Engineering

If social engineering occurs in your subcontractor’s facility, you are at risk.

Virtual private network (VPN) credentials could be accessed via a hack into your subcontractor’s network, allowing them to load malicious software into your network and steal valuable data assets.

The results of the Ponemon Institute’s third annual (2018) study Data Risk in the Third-Party Ecosystem indicate that 61% of US companies surveyed had experienced a data breach caused by their vendors or third parties (up 5% from 2017 and 12% from 2016). Dr. Larry Ponemon reported that companies need to take control of their third-party exposure and implement safeguards and processes to reduce their vulnerability.

Funds Transfers Fraud

Funds Transfer Fraud is a type of cyberattack that manages to re-direct seemingly legitimate company payments to cybercriminals. This type of fraud is accomplished through social engineering techniques that prey on our inherent sense of trust, typically originating from email spoofing or spear phishing.

Funds Transfer Fraud is a significant business for cybercriminals, and without the right protocols in place, companies are vulnerable to sending massive payments with devastating financial consequences.

The most common type of funds transfer fraud involves a social engineering attempt where an email is sent to a specific employee, such as the controller, posing as an executive that demands immediate payment of a bill/invoice. The attacker might research the executive’s behavior online and carefully craft the payment request email to make it look as authentic as possible. Once the company realizes the funds have been fraudulently transferred, it's often too late.

Adequate Stand-Alone Cyber Insurance covers this type of attack, giving you protection and peace of mind.

Invoice Manipulation

A more daunting and complex form of funds transfer fraud is Invoice Manipulation. With Invoice Manipulation, an attacker gains access to a company email account, typically through phishing, and sends an authentic email to an outside party requesting payment for a fraudulent invoice. Having reviewed correspondence in the hacked email account, attackers will often mimic the sender's behavior to make the request look authentic. When the company follows up for the original invoice payment at a later date, they discover the fraud and the funds are long gone.

Most Stand-Alone Cyber Insurance policies have quickly responded to this threat and now provide coverage for invoice manipulation. However, outdated coverage forms and packaged policies might only respond to funds transferred by employees, potentially leaving businesses uninsured.

The Gateway Leading To Your Network

Third-party risk can arise from a contractor granted access to your network. The most notable example is the Target data breach in late 2013. A small heating and air conditioning (HVAC) firm that remotely connected to Target’s network became the gateway to a data breach. The HVAC firm experienced a breach via malware delivered in an email during which the cybercriminals stole Target’s virtual private network credentials. From there, the hackers pushed malicious software down to all point of sale cash registers at more than 1,800 Target stores.

According to 10-K filings with the SEC, Target has suffered gross expenses of approximately $292 million from the breach. Reports indicate that Target had $100 million in cyber insurance coverage written by multiple insurance carriers (with a $10 million deductible).

The Target breach illustrates how important it is to have Stand-Alone Cyber Insurance that addresses your company’s risk tolerance and balance sheet requirements. This type of data breach could happen to a company of any size dealing with outside contractors or suppliers.

Island Hopping for your Valuable Client List

Your valuable client list is just as crucial to hackers as it is to you. Cybercriminals will use island hopping to get to the source, which is your company. By attacking the supply chain and third parties around larger organizations, bad actors can island hop their way into more extensive networks.

VMware Carbon Black’s 2019 Global Incident Response Threat Report noted that cybercriminals are seeking to own your entire system. Notably, 50 percent of cyberattacks leverage island hopping. Attackers are after your network and all organizations in your supply chain.

Your company’s adversary may be invisible and go unnoticed as they pursue the weakest link in supply or distribution chain. The weakest link could be the Managed Service Provider (MSP) or the Managed Security Services Provider (MSSP). The latter could be granted unlimited access to their customers’ networks to carry out their cybersecurity work.

This cyber tactic highlights the need for businesses of all sizes to conduct vendor risk management assessments in addition to their cyber risk assessments.

Preventative Action Steps

Construction companies need to implement cybersecurity controls. Here is a sample checklist:

  • Implement internal cybersecurity controls and procedures to protect your most valuable, critical data.
  • Dual controls that require two individuals to authenticate funds transfers and any changes in the bank details or wire instructions.
  • Ask your clients, vendors, or customers to validate invoice requests sent via email.
  • Regularly test and evaluate your controls and procedures via audits and cybersecurity assessments.
  • Establish and regularly test your incident response plan via an annual simulation.
  • Share your cybersecurity measures with your organization to raise employee awareness of both cyber threats and the need to protect your company’s assets.
  • Obtain a comprehensive, Stand-Alone Cyber Insurance policy to reduce the financial loss that your company will suffer from a cyberattack.
  • Ensure that your subcontractors or third-party suppliers have undertaken their cyber risk assessment and that they have obtained their own Stand-Alone Cyber Insurance policy.

Why You Need Stand-Alone Cyber Insurance

Recent cyber loss history reveals that cybersecurity measures alone may not protect a business from suffering a devastating financial loss.Intervening factors (such as human nature and new cyberattack vectors) play an essential role.

Human Nature
  • Following a request by supervisor or colleague -- such as a request to change the bank account or wiring transaction details.
  • Following a warning that you need to provide personally identifiable information (PII), such as to click on a link or box to update an account, renew a subscription, or for further information on COVID-19.
  • Lack of cyber risk awareness, such as an innocent mistake by clicking on a hyperlink in an email without realizing a fake sender’s address.
  • Distractions in the new remote work or work from home environment, such as opening a suspicious email and link when your guard is down.
Evolving Cyberattack Methods or Vectors
  • Supply-chain attacks
  • Third-party vendor attacks
  • Ransomware attacks combined with a data breach and the threat of public disclosure of your stolen data.

Your business can survive a cyberattack (directed at you or a third-party vendor) with the help of cyber insurance to protect your bottom line:

  • Cybersecurity measures do not provide you with a dedicated incident response plan, and team, as does a robust Stand-Alone Cyber Insurance policy.
  • Even if you have established your own internal incident response plan, can your company bear the costs incurred to carry out the plan? The out-of-pocket costs for the various consultants alone illustrate the value added from a dedicated cyber insurance policy.
  • Here are some of the benefits of having an incident response plan supported by your cyber insurance carriers:
    • Stop a data breach or fend off a ransomware attack.
    • Investigate a data breach or ransomware attack to stop future cyberattacks.
    • Notify your clients, consumers, and employees (in compliance with various laws) after a cyberattack.
    • Assist you with recovering or restoring lost or stolen data.
    • Assist you with meeting your business continuity plan.
  • If you suffer a data breach, your business will need to stop the breach, conduct a forensic investigation, notify all those impacted, recover or restore your data, use public relations to maintain your brand, and possibly defend third-party liability claims or lawsuits for damages by injured parties.
  • If you suffer a ransomware attack, you can obtain support in negotiating the ransom demand, and be compensated for the ransom payment (made with the prior written consent of the insurer).
  • If you experience business interruption from a cyberattack, you can be compensated for lost profits, and extra expenses such as payroll, during the downtime (after a brief waiting period).
  • If you experience funds transfer fraud, you can obtain support in recouping some of the funds as well as compensation for the funds that are not recovered.

Stand-Alone Cyber Insurance is a valuable, complementary solution for those instances where your cybersecurity measures do not prevent a cyberattack. Those instances are referred to as “residual cyber risk.”


  • Understanding the financial loss that you can bear on your own and what risk needs to be transferred to a Stand-Alone Cyber Insurance policy will help you survive a cyberattack.
  • Beyond your own business, you need to ensure that third parties such as business partners, suppliers, and vendors are maintaining adequate cybersecurity levels. If they are not cyber secure, then you are not cyber secure from hackers in search of weak links in the chain.
  • Ideally, third parties that access your network touch your company, or touch your sensitive or critical data should have their own robust, Stand-Alone Cyber Insurance coverage to respond to a cyber incident.
  • You are advised to confirm both the cybersecurity measures and cyber insurance coverage when you conduct your vendor cyber risk assessment, and when you negotiate relevant contract provisions (working with your legal counsel on SLAs).  
  • Stand-Alone Cyber Insurance is a valuable, complementary solution for residual cyber risk – when cybersecurity measures to do not prevent a cyberattack.

Reach out to a specialist cyber broker, such as Cyber Armada Insurance, to request and robust Stand-Alone Cyber Insurance solutions appropriate for your needs and cyber risk tolerance. We understand the evolving demands and expectations of cyber insurance clients.

Contact Cyber Armada today to examine how your company faces potential financial losses from third-party risk of a cyberattack. Contact us at 888.727.6232.

Next Article

Please watch for our next article on recent ransomware attacks on construction companies.

This article is made available for informational purposes and is not intended to be a substitute for professional or legal advice. No attorney client relationship is formed or implied between you and the authors(s) or Cyber Armada Insurance.

Topics: Cyber Threat Third-Party Risk Construction

Cyber Armada Team
Posted by Cyber Armada Team on Aug 3, 2020

Apply for Cyber Insurance Online

Answer a few questions online and Cyber Armada will design a cyber insurance policy tailored to your particular needs.

Apply Online
Apply for Cyber Insurance
Schedule an appointment with Cyber Armada

Can we talk?

We're ready to talk when you are. You can schedule an appointment to speak with a representative from Cyber Armada when it is most convenient for you. Whenever possible we use online meetings to increase productivity and increase the amount of time we can spend with you. We use Zoom Meetings as our preferred video conferencing platform.

Schedule Appointment