As the current pipeline of infrastructure projects becomes larger and ever more complex, contractors are making increasingly risky bets that projects will be delivered on time and on budget. In the last year alone, we’ve witnessed two global contractors either file for creditor protection or go into liquidation.
This unforgiving paradigm is exacerbated by the caliber of competition: With the global construction sector witnessing increasing M&A deal size volume, the world’s largest players are increasing their presence in international markets, despite current geopolitical tensions.
Tech Offers a Competitive Advantage
Contractors seldom have ways to maintain any competitive advantage except for operational efficiency. At a time when construction labor productivity has actually declined over the last 50 years, construction companies are increasingly willing to make other bets to win bids. And technology is increasingly becoming one of the main investment levers to unlock performance improvement and growth.
Technology startups geared toward the construction industry are booming. Contractors are adopting wearable tech to prevent and mitigate worker injuries and using 3D printing technologies for building components. The industry has seen a proliferation of building information modeling to foster digital collaboration between architects, engineers and contractors.
Virtual and augmented reality allows contractors to build faster and more collaboratively with designers and trades. In 2018, the industry also witnessed the first blockchain-derived twin, i.e., a digital replica, of a construction project, providing the benefit of secured and unchangeable project documentation. In summary, technologies like these provide the promise of cheaper, faster and safer delivery of our built infrastructure.
With New Technologies Come New Cyber Risks
But while technology provides contractors the opportunity of attaining a competitive advantage by securing faster, cheaper and safer project delivery, risks associated with technology adoption should also be weighed. Most notably, with increasing interconnectivity of devices, digitization and the adoption of other technologies, the risk of cybercrime increases in frequency and severity.
The construction industry has witnessed a correlation in technology adoption and cybercrime incidents. According to a recent Kroll Survey, over 93 percent of responding construction companies reported a cyber incident—a 16 percent increase from the prior year. The most common incidents were viruses, email phishing, data breaches and wire-transfer fraud. Strikingly, 23 percent of the incidents were perpetrated by industry competitors.
The construction sector is impacted by cyber risk under two categories—those arising from enterprise-system technology or from project-specific technology. Enterprise-related risks include loss of client data or confidential project information data, intellectual property and sensitive commercial material, employee data, subcontractor and supply chain management data and/or financials and outage or disruption related to critical software, applications, data or networks.
The Risk to Physical Infrastructure
Project-specific technologies could relate to construction plant and equipment and control systems, site access or other operating systems. Increasing building and other physical infrastructure are including devices connected through the Internet of Things. IoT devices provide additional access points to cybercriminals: They can be used to access data and cause physical malfunction of physical infrastructure.
Cyber incidents can often be accidental—but they can also arise out of malicious intent and be carried out by random criminals, competitors or rogue employees. The target is often the theft or deletion of data or the disruption of systems. These incidents can range from malicious attacks, to inferior security systems or protocols, to system glitches and even to employee-related causes, whether wilful or accidental.
A cyber breach, whether through ransomware, social engineering, cyber terrorism and the like, can result in a number of first- and third-party impacts to a contractor. Most notable are the immediate costs incurred when responding to a cyber breach. In the event of theft of third-party information, like confidential client data, consequential impacts such as loss of revenue, liability and reputation damage can result.
Regulators are also placing greater onus by requiring organizations, including contractors, to be greater cyber stewards. Regulations like the GDPR allow authorities to penalize companies with inadequate data management and breach-response protocols.
Assess and Analyze, Insure and Secure
Cyber risk has risen up the ranks as one of the top emerging risk-management priorities for many organizations. In spite of this priority, only 30 percent of organizations have prepared with cyber response plans. A critical factor contributing to inaction is the lack of understanding of how cyber risk can impact firms financially.
A number of companies have specialized in helping firms across various industries understand their cyber-risk exposures. As one of the fastest maturing products in the insurance industry, cyber policies have undergone radical changes to be tailored to emerging cyber exposures across various industries—including the construction industry. Principal coverages include coverage for response costs related to a cyber event including delay costs and extra expense. It is also possible to insure physical damage arising out of cyber incidents, which is increasingly concerning when considering physical infrastructure as a target of cyber terrorists.
Declining labor supply, waning productivity, amplified competition—contractors are facing tremendous downward pressure on margin.
Many are turning to technologies in the construction value chain to unlock growth. While adoption of new technologies can create a competitive advantage, they can also radically increase exposure to a cybersecurity breach. It remains to be seen how the industry adapts and whether it can step up and address cyber risk with a vigor that matches the speed of its turn to emerging technologies.