
Construction Portfolio Manager
From a UK underwriting perspective, the most striking shift in the use of technology in construction is just how quickly cyber risk has become a delivery risk.
Construction projects in the UK are already operating under pressure, with tight margins and increasingly complex delivery models. Against this backdrop, disruption quickly becomes extremely expensive. When a cyber incident removes access to project data, interrupts coordination between contractors or halts site operations altogether, the consequences stack up as delays, disputes and costs.
What’s also changing in the UK is the regulatory and customer environment. The proposed UK Cyber Security and Resilience Bill, introduced in November 2025, signals a clear direction of travel towards stronger cyber governance and resilience expectations, particularly across CNI and its supply chains. Given how closely much of UK construction activity is linked to transport, energy and water, many companies will increasingly find themselves in scope, whether directly or indirectly. For brokers, this means cyber resilience is becoming a more prominent part of client conversations, not just from a risk perspective, but as a requirement for securing and maintaining work. Cyber risk is overlapping with procurement, contracting and project governance in a way we haven’t seen before.
From an underwriting perspective these shifts are redirecting our attention on cyber from a supporting exposure to a significant risk – one that can directly impact whether a project is delivered on time and on budget.
In my conversations with construction customers and brokers, we’re focusing on digital risks more than ever before, particularly on bringing cyber into project risk planning. If losing access to systems, drawings or BIM models would delay delivery, it needs to be considered alongside other project risks, with clear contingency planning. To date, the UK is ahead of other nations on BIM adoption, but this also introduces more concentrated points of potential failure. It’s important to plan for disruption, not just prevention; ransomware incidents can take many weeks to resolve so risk managers should be clear on how operations would continue (or pause safely) during that period.
I also think it’s important that we’re talking with brokers and customers more regularly about unpacking and understanding their supply chain exposure. In the UK market, risk is rarely held in one place. The sector’s reliance on multi-tier chains / subcontractors and shared digital platforms means that while cyber exposure is distributed, the consequences may not be. This also goes for contractual liability; fixed price contracts and delay damages can kick in quickly, regardless of where the incident originated. Visibility over third-party cyber maturity is therefore becoming increasingly important.
One of the key shifts is mindset. Cyber resilience is really about protecting project delivery. While cyber cover is not typically provided within traditional construction insurance policies, these risks can be considered separately by specialist cyber underwriters. Large insurers will often bring together both construction and cyber expertise to assess these exposures holistically, before issuing separate policies for coverage. Early engagement with brokers and insurers can help ensure cyber exposures are properly understood and addressed, particularly as the risk landscape continues to evolve.
