
Cyber incidents in construction: 24 days downtime on average (QBE research)

  • IoT malware targeting construction increased 410% in 2025
  • Experts warn against poor segmentation between IT and operational equipment 

Ransomware is considered the most significant cyber threat to the construction industry, where each incident leads to an average of 24 days of downtime, a new report by global business insurer QBE warns.

The increased adoption of digital tools such as Building Information Modelling (BIM), connected operational technology (OT) and AI-driven systems is expanding the cyber-attack surface across the construction and infrastructure sector. 

When systems that process data are linked to systems that control physical equipment, efficiency may improve through streamlined operations, automated communications and enhanced oversight. However, connecting previously isolated environments also gives attackers new pathways into critical infrastructure, turning operational gains into potential liabilities.

79% of senior digital risk experts surveyed by Control Risks see ransomware as the threat most likely to significantly impact construction sector organizations.

QBE is calling on construction firms, brokers and risk managers to integrate cyber into project risk planning from the outset, rather than treating it as a standalone IT concern. This means prioritizing governance, supply chain visibility and tested incident response plans. 

Kyle Gray, QBE Canada Underwriter Team Lead, Cyber said: "A single ransomware incident can now derail an entire construction project. When access to drawings, project data or digital platforms is lost, costs escalate, project completion is put at risk and subcontractors feel the knock-on effect immediately. Many construction firms still treat cyber resilience as an IT issue but it needs to be considered alongside traditional project risks to deliver on time and reduce unforeseen costs."

Every new remote connection across a construction firm's contractor and supplier network is a potential entry point for attackers, from collaborative BIM systems to shared project platforms. 

Last year, Internet of Things (IoT) malware activity targeting the construction sector increased by 410%. And 81% of operational technology (OT) incidents involved inadequate separation from IT. 

Cyber events can halt site operations and delay projects. 

Amid rising geopolitical tensions, state-aligned cyber actors are increasingly preying on critical infrastructure and supporting supply chains. While construction firms are rarely the primary target, their role in building critical infrastructure creates exposure.

"The risk profile of a cyber incident in construction has fundamentally changed. Many breaches now interrupt workflows, lock out critical systems and, in some cases, affect the physical environment through connected operational technology. The line between cyber risk and operational risk has effectively disappeared," Kyle Gray added.

Produced by QBE and Control Risks, the "From blueprints to breaches" report explores how cyber risk is reshaping the construction sector, with practical insights for risk managers, brokers and insurers.
