Construction cyber insurance applications now require documentation of specific IT controls: MFA on all remote access and email, EDR on all endpoints, offline/immutable backups, privileged access management, and employee security awareness training. Insurers may also require network segmentation documentation and evidence of annual security assessments. Firms without these controls either cannot get coverage or pay significantly higher premiums.
Why Construction Cyber Insurance Changed
Construction was one of the most-attacked industries from 2020–2024. The sector's characteristics made it attractive: large financial transactions (wire transfers for land, materials, subcontractors), complex multi-party projects with many email threads to exploit, and historically weak IT security compared to sectors like finance and healthcare.
After significant losses, insurers responded by:
- Increasing premiums 30–80% for construction firms in underwriting cycles from 2021–2024
- Adding specific security control requirements as conditions of coverage
- Conducting deeper technical underwriting assessments before binding
- Excluding certain attack types (ransomware sublimits, war exclusions) that previously had full coverage
The good news: firms with documented IT controls can still get competitive rates. The bad news: "we haven't had any incidents" is no longer an acceptable substitute for documented controls.
Controls That Are Now Standard Requirements
Most cyber insurance underwriters for construction firms require evidence of these controls at application:
Multi-Factor Authentication (MFA)
MFA is now a near-universal underwriting requirement. Specifically:
- MFA required on email (Microsoft 365, Google Workspace)
- MFA required on remote access (VPN, RDP)
- MFA required on financial systems and banking access
- Some insurers require MFA on all cloud applications
Firms without MFA on email are routinely declined or offered coverage only with significant exclusions and higher deductibles.
Endpoint Detection and Response (EDR)
Traditional antivirus is no longer sufficient by most underwriting standards. EDR tools (CrowdStrike Falcon, SentinelOne, Microsoft Defender for Endpoint) provide behavioral detection of ransomware and other threats. Underwriters verify EDR deployment across "all endpoints" — meaning every Windows and Mac device, including laptops used by field staff.
Backup and Recovery
Underwriters ask three specific questions about backups:
- Are backups tested? (How recently?)
- Are backups stored offline or in an immutable format that ransomware cannot reach?
- What is your recovery time objective (RTO)?
Cloud backup alone (if it syncs automatically and can be overwritten) may not satisfy the "offline/immutable" requirement. Platforms with immutability enabled (Azure Blob immutable storage, Backblaze B2 with Object Lock) or true offline/tape backup satisfy underwriters.
Security Awareness Training
Most applications ask: do you conduct annual security awareness training? Some ask for phishing simulation frequency. Training must be documented — a log of who completed training and when.
Patch Management
Applications increasingly ask about patch management processes, particularly for critical vulnerabilities. Underwriters want to see that critical OS and software patches are applied within 30 days of release.
Construction-Specific Risks Insurers Focus On
Construction underwriters focus on several industry-specific risks beyond general cybersecurity:
- Wire fraud / BEC: Business email compromise targeting wire transfers is the #1 construction cyber loss. Underwriters ask about wire transfer verification procedures — do you have an out-of-band verification call to a known number before processing any wire transfer request received by email?
- Third-party vendor access: The supply chain attack vector. Underwriters ask whether vendors have direct access to your systems and how that access is controlled.
- Field device management: Tablets and phones used on jobsites create coverage questions. Are they managed? Can they be remotely wiped?
How to Prepare for a Cyber Insurance Application
- Deploy MFA on all email and remote access immediately — this is the single highest-impact action for underwriting
- Deploy EDR on all workstations and laptops before the application date
- Verify backup immutability and document a successful restoration test
- Implement a written wire transfer verification policy
- Document training completion for all employees
- Engage a construction IT provider to complete an IT security assessment and provide documentation for underwriting
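The backup questions above (tested, immutable, RTO) and the "document a successful restoration test" step both come down to the same evidence: a restore that is timed and verified against hashes recorded when the backup was taken. The following Python is an added example, not from the original article or any vendor tool; the sample files, the 60-second RTO target and the `restore_fn` callback are assumptions for illustration (a real test would point `restore_fn` at the backup platform's restore command).

```python
import hashlib
import time
from pathlib import Path
from tempfile import TemporaryDirectory

# Constructed sample backup set (file names and contents are made up for this example).
SAMPLE_FILES = {
    "projects/bid-2024-0417.xlsx": b"bid sheet contents",
    "accounting/ap-wire-log.csv": b"date,vendor,amount\n2024-04-17,ACME Supply,125000\n",
}

def write_files(root: Path, files: dict) -> None:
    for rel, data in files.items():
        (root / rel).parent.mkdir(parents=True, exist_ok=True)
        (root / rel).write_bytes(data)

def build_manifest(root: Path) -> dict:
    """Hash every file at backup time; keep the manifest with the immutable copy, not only on the source."""
    return {str(p.relative_to(root)): hashlib.sha256(p.read_bytes()).hexdigest()
            for p in sorted(root.rglob("*")) if p.is_file()}

def verify_restore(restore_root: Path, manifest: dict) -> dict:
    """Per-file verdict: ok, missing (not restored) or corrupt (content differs from backup time)."""
    verdicts = {}
    for rel, expected in manifest.items():
        p = restore_root / rel
        verdicts[rel] = "missing" if not p.is_file() else (
            "ok" if hashlib.sha256(p.read_bytes()).hexdigest() == expected else "corrupt")
    return verdicts

def run_restore_test(restore_fn, manifest: dict, rto_target_s: float) -> dict:
    """Time a restore into a scratch directory, verify it, and emit an evidence record for underwriting."""
    with TemporaryDirectory() as d:
        start = time.monotonic()
        restore_fn(Path(d))  # restore_fn writes the restored tree into d
        elapsed = time.monotonic() - start
        verdicts = verify_restore(Path(d), manifest)
    failures = sorted(k for k, v in verdicts.items() if v != "ok")
    return {"tested_at": time.strftime("%Y-%m-%dT%H:%M:%SZ", time.gmtime()),
            "files_checked": len(verdicts), "failures": failures,
            "restore_seconds": round(elapsed, 3), "rto_met": elapsed <= rto_target_s,
            "passed": not failures and elapsed <= rto_target_s}

def demo() -> tuple:
    """A clean restore next to one where a file came back altered (simulated corruption)."""
    with TemporaryDirectory() as src:
        write_files(Path(src), SAMPLE_FILES)
        manifest = build_manifest(Path(src))
    altered = {**SAMPLE_FILES, "accounting/ap-wire-log.csv": b"date,vendor,amount\n"}
    good = run_restore_test(lambda root: write_files(root, SAMPLE_FILES), manifest, 60.0)
    bad = run_restore_test(lambda root: write_files(root, altered), manifest, 60.0)
    return good, bad
```

Store each evidence record with the date and the name of the person who ran it; a restore that silently returns truncated files (the second case) is exactly what an untested backup hides until a ransomware recovery.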
Frequently Asked Questions
How much does cyber insurance cost for a construction company?
For a mid-size construction company ($10–50M revenue) with adequate IT controls, cyber insurance typically runs $5,000–$20,000 annually for $1–2M in coverage. Companies without MFA or EDR may be quoted $30,000+ or declined entirely. Premium reduction for implementing required controls can be $10,000+ per year.
Does my general liability policy cover cyber incidents?
Standard general liability and property policies typically exclude cyber incidents or cover them only in very narrow circumstances. The 2014 ISO exclusion effectively removed cyber coverage from most GL policies. Dedicated cyber liability coverage is required for meaningful protection.
What is a sublimit in the context of cyber insurance?
A sublimit is a cap on coverage for a specific type of claim within a larger policy. Ransomware sublimits became common after 2020 — a policy might have $2M overall coverage but only $500K for ransomware claims. This is a significant term to negotiate when purchasing coverage.