Cyber incidents risking UK construction project delivery, QBE warns

Ransomware is considered the most significant cyber threat to the construction industry, where each incident leads to an average of 24 days of downtime, a new report by global business insurer QBE warns.[1]

The increased adoption of digital tools such as Building Information Modelling (BIM), connected operational technology (OT) and AI-driven systems is expanding the cyber-attack surface across the construction and infrastructure sector. 

When systems that process data are linked to systems that control physical equipment, efficiency may improve through streamlined operations, automated communications and enhanced oversight. However, connecting previously isolated environments also gives attackers new pathways into critical infrastructure, turning operational gains into potential liabilities.

QBE is calling on construction firms, brokers and risk managers to integrate cyber into project risk planning from the outset, rather than treating it as a standalone IT concern. This means prioritising governance, supply chain visibility and tested incident response plans, and ensuring that insurers and brokers are engaged early enough to address cyber exposures before they become liabilities. 

Neil Fleming, Construction Portfolio Manager, QBE UK said: "A single ransomware incident can now derail an entire construction programme. When access to drawings, project data or digital platforms is lost, costs escalate, project completion is put at risk and subcontractors feel the knock-on effect immediately.
"Cyber resilience needs to be considered alongside traditional project risks to deliver on time and reduce unforeseen costs. Many construction firms still treat cyber resilience as an IT issue rather than a project risk. Early engagement between clients, brokers and insurers is essential to ensure cyber exposures are properly understood and addressed alongside other construction risks."

Every new remote connection across a construction firm's contractor and supplier network is a potential entry point for attackers, from collaborative BIM systems to shared project platforms. 

Inadequate segmentation between IT and OT systems was a contributing factor in 81% of OT incidents in 2025, and in 2025[2], there was a 410% year-on-year increase in Internet of Things (IoT) malware activity targeting the construction sector[3]. Cyber incidents are no longer limited to data loss, but can halt site operations, disrupt supply chains and delay project completion.

Geopolitical tensions are also increasing the risk of cyber-attacks, with state-aligned cyber actors increasingly targeting critical national infrastructure and its supporting supply chains. The UK experienced 15 state-aligned cyber-attacks between 2022 and 2026, three more than Germany, France and Sweden[4]. Construction firms may rarely be the primary target of state-aligned attacks, but their role in designing and building critical infrastructure creates exposure, whether compromised as part of a wider attack chain or caught in the crossfire of an incident targeting a key supplier or partner.

David Warr, Cyber Portfolio Manager at QBE International Markets added: "The risk profile of a cyber incident in construction has fundamentally changed. Many breaches now interrupt workflows, lock out critical systems and, in some cases, affect the physical environment through connected operational technology. The line between cyber risk and operational risk has effectively disappeared."

Rising regulatory pressures will place greater expectations on organisations operating in, or supporting, critical national infrastructure. The European Union's updated Network and Information Systems Directive (NIS2) mandates stricter risk management, mandatory incident reporting within 24-72 hours, and personal liability for management. These requirements are expected to cascade through supply chains, making cyber resilience a commercial priority as well as a regulatory one.

In the UK, the proposed Cyber Security and Resilience Bill, introduced in November 2025, signals a clear direction of travel towards stronger cyber governance expectations, particularly across critical national infrastructure and its supply chains, bringing many construction firms into scope, whether directly or indirectly.

From blueprints to breaches was produced by QBE and Control Risks. The report explores how cyber risk is reshaping the construction sector, with practical insights for risk managers, brokers and insurers.

[1] From blueprints to breaches: digital transformation is reshaping cyber risk across construction and infrastructure projects, QBE Europe, p4. 

[2] From blueprints to breaches, p11. 

[3] From blueprints to breaches, p2.

[4] From blueprints to breaches, p9.