Exploring cyber risks for construction firms around the world

In the third episode of our Global Projects & Construction podcast series, host Steven Cannon, Partner at Clyde & Co, focuses on cyber threats in the construction sector. He is joined by Laura Coates, Dan Lever, William Barrington, and Alex Devereux, all from the Clyde & Co Global Projects & Construction Group, along with Helen Bourne, Rosehana Amin, Stephanie Luhrs, and Olivia Darlington, representing Clyde One, Clyde & Co’s new global cyber brand, which provides an end-to-end cyber solution.

Please check the timestamp for each region.

Europe - 02:45 
APAC - 10:05 
MEA - 17:50 
US - 28:10 

This episode explores the cyber risks facing the construction sector in four major global regions. Bourne and Coates present the picture in Europe, before handing over to Luhrs and Barrington in APAC, Darlington and Devereaux in the Middle East and Africa, and finally Amin and Lever in the US. Guests discuss the cyber threats facing construction firms in their region, the regulatory environment, and steps that construction clients can take to mitigate these cyber risks. 
 
In Europe, Bourne says that construction firms face the whole spectrum of cyber threats, however the sector is particularly susceptible to payment diversion fraud, due to the predictability of payments through the supply chain. The rise of construction technology and digitisation are also increasing potential exposure, and Bourne advises firms to be proactive in assessing and mitigating security and privacy risks through digital audits, maintaining digital hygiene, educating the workforce, and working with suppliers.

In the APAC region, Luhrs stresses that even though construction firms haven’t hit the headlines for data breaches, “the construction sector is certainly a target, we just don't hear about it as much.” Construction companies don’t usually hold large volumes of consumer data however the operational fallout of an attack can often be greater than for other types of business, due to impact on project deadlines, cash flow, spiraling costs, and contractual disputes. For this reason, she says cyber insurance is critical, not only as a risk transfer strategy, but because it “enables access to specialist cybersecurity vendors for the incident response.”

Moving on to the Middle East and Africa, Darlington says that rapid adoption of new technologies, smart city projects, “fairly limited” regulations, and “patchy” data management practices have made the region a key target for cyber criminals, particularly the oil and gas industries. However, she says the region is at a “turning point”, with Gulf Cooperation Council (GCC) jurisdictions and some of North Africa now implementing regulations with the aim of bringing them into line with international standards and improving awareness. Construction firms must also be aware of cybercrime laws which “make failing to report a cyber-attack a crime that is reportable to the police or a specified government authority.”

Finally, in the US, Amin says that the nature and level of cyber threats can be influenced by the type of project; for example, government, military, or infrastructure buildings are more attractive to cyber criminals. She also raises important litigation relating to the use of employee biometric data without consent, which could impact construction firms using biometrics in areas such as managing access controls. Businesses should also be aware of a new SEC rule, requiring business disclosure within four working days of a cyber incident, which demands much greater oversight from management, including across the supply chain. 

With much food for thought, Cannon concludes the discussion by introducing Clyde One, Clyde & Co’s new global cyber brand, designed to provide an end-to-end solution for clients, spanning “readiness, response and recover.” More information can be found on the website here.