01-27 GENERALS WINTER25 FINAL EDIT (JAN 25) - Flipbook - Page 22
INNOVATION
CYBER RISK IN CONSTRUCTION
From Operational Threat to Compliance Reality
By DAVID BOWCOTT, Executive Vice President, Platform Insurance
and SADIE PERRI, Senior Vice President & Team Lead, Platform Insurance
and ANTHONY CURCURUTO, Miele Technologies International Ltd.
Executive Summary
The construction industry’s digital transformation has outpaced its cybersecurity governance, creating a critical inflection point where cyber risk now threatens not only operational continuity but market competitiveness and regulatory standing. Artificial intelligence has weaponized attacks against construction’s unique business model—fragmented supply chains, mobile workforces, and urgent payment workflows—while new legislation like Canada’s Bill C-8 mandates compliance across critical infrastructure projects. This bulletin outlines the specific threats facing contractors, the essential requirements for policy compliance, and the measurable costs of inaction.
Construction Cyber Risks
THE EVOLVING THREAT LANDSCAPE
Cyber risk has matured from an IT inconvenience into a material operational, financial, and regulatory exposure for construction contractors. Unlike traditional physical risks managed through decades of refined controls, cyber threats exploit the industry’s distinct characteristics:
AI-ENABLED ATTACK SOPHISTICATION
Cybercriminals now leverage artificial intelligence to orchestrate hyper-personalized phishing campaigns at scale, mimic legitimate communications with near-perfect accuracy, and rapidly analyze organizational hierarchies, financial workflows, and project structures. For construction firms where project managers, finance teams, and subcontractors exchange time-sensitive instructions daily, this creates ideal attack conditions. A single fraudulent email altering wiring instructions or invoice details can divert hundreds of thousands—or millions—of dollars before detection.
INDUSTRY-SPECIFIC VULNERABILITIES
Construction contractors face unique exposures:
Fragmented digital ecosystems: Large projects rely on dozens of third parties accessing shared platforms containing sensitive drawings, bid data, and commercial information
Mobile operations: Field teams operate across job sites with temporary networks, personal devices, and cloud-based project management systems prioritized for speed over security
Compressed payment cycles: Urgent approval timelines create opportunities for social-engineering attacks to bypass traditional financial controls
Trust exploitation: Attacks succeed not through technical sophistication alone, but by manipulating established project workflows, urgency, and inter-party trust
For construction leaders, the path forward is unequivocal: cyber risk must be controlled and financed with the same discipline applied to safety and liability risks.
DOCUMENTED IMPACT
The risk is demonstrably real. Major international contractors including Skanska and Bouygues Construction have publicly acknowledged incidents resulting in system encryption and data exposure. Insurance claims data and litigation records reveal a sharp rise in business email compromise attacks across North America, affecting firms of all sizes. Critically, organizational scale and sophistication provide no immunity—small regional subcontractors and multinational corporations alike have suffered ransomware events, data breaches, and payment