Cyber Insurance for SMEs: What It Covers and What It Doesn’t
Cyber risk isn’t reserved for tech companies anymore. If you’re processing invoices, storing client records, or relying on cloud-based project management tools, you’re exposed. For construction firms and small businesses, the risk often sits in places you don’t expect: supplier portals, subcontractor communications, payment systems, even site cameras connected to the internet.
Cyber insurance is built to respond when something goes wrong. But it’s not a catch-all, and understanding the boundaries matters before you need to make a claim.
What Cyber Insurance Typically Covers
A decent cyber policy responds to the direct costs of an incident and the flow-on effects. Common areas of cover include:
- Data breaches and notification costs – If client or employee data is compromised, you’re often legally required to notify affected individuals and regulators. Policies typically cover the cost of forensic investigations, legal advice, notification services, and credit monitoring for affected parties.
- Ransomware and cyber extortion – Ransomware attacks lock down your systems until a ransom is paid. Most policies cover the extortion payment itself (subject to conditions), plus negotiation costs, IT recovery, and system restoration. Some insurers also provide access to specialist negotiators and decryption support.
- Business interruption – If a cyber event shuts down your operations, whether through a ransomware attack, system failure, or third-party outage, policies can cover lost income and additional costs incurred while you’re offline. This is critical for construction firms where project delays trigger penalty clauses or lost tender opportunities.
- IT forensics and incident response – When an incident occurs, you need specialists fast. Cyber policies typically cover the cost of forensic investigators, legal counsel, IT recovery experts, and public relations support. Many insurers provide 24/7 hotlines and panels of pre-approved responders.
- Cyber theft and funds transfer fraud – This is where construction businesses are getting hammered. Cyber theft covers direct financial loss when funds are transferred following deception: think invoice redirection scams or fraudulent payment requests. It’s not the same as social engineering cover (more below), but there’s often overlap depending on the policy wording.
Social Engineering: The Blind Spot
Social engineering attacks are now one of the most common causes of cyber claims, and they’re particularly effective in construction, where large payments, multiple subcontractors, and urgent timelines create the perfect environment for fraud.
What is social engineering?
It’s when a criminal manipulates someone into transferring funds or disclosing information by impersonating a trusted party. Common examples include:
- Invoice fraud: A subcontractor’s email is compromised, and you receive a legitimate-looking invoice with updated bank details. You pay it, and the money disappears.
- CEO fraud: You receive an urgent email appearing to be from a director requesting an immediate payment to secure materials or avoid a penalty. It’s fake.
- Payment redirection: Mid-project, you’re contacted by what appears to be your supplier requesting a change to their payment details. It’s a scam.
Coverage for social engineering varies significantly between policies. Some insurers include it as standard under cyber theft or funds transfer fraud sections. Others exclude it entirely or offer it as an optional extension. The Australian Federal Police flagged construction as a prime target for business email compromise scams in 2025, so this isn’t theoretical; it’s happening regularly.
If your business processes large payments, deals with multiple parties, or relies on email for financial approvals, confirm whether your policy responds to social engineering. If it doesn’t, consider adding it.
What Cyber Insurance Doesn’t Cover
Cyber policies aren’t designed to pick up the pieces when basic controls are missing. Exclusions and limitations commonly include:
- Poor security practices – If you’re not using multi-factor authentication, haven’t updated software, or failed to implement basic password policies, expect pushback on a claim. Insurers increasingly require evidence of reasonable security measures at both underwriting and claims stage.
- Known vulnerabilities – If your systems have unpatched vulnerabilities that you were aware of (or should have been aware of), claims may be declined. This includes ignoring software updates, failing to act on security audits, or continuing to use unsupported systems like Windows 10 post-end-of-life (October 2025).
- Non-cyber losses – Cyber insurance responds to losses caused by a cyber event. If funds are stolen through old-fashioned theft, or a system fails due to mechanical breakdown rather than a cyber incident, your cyber policy won’t respond; you’d need crime or property cover instead.
- War and systemic events – Losses arising from widespread systemic cyber events (like a major software supply chain attack affecting thousands of businesses simultaneously) may trigger sub-limits, higher retentions, or exclusions depending on the policy wording. Insurers are tightening this language as aggregation risk increases.
- Betterment and upgrades – Policies generally restore systems to their pre-incident state, not better. If you want to use the incident as an opportunity to upgrade infrastructure, expect to fund the difference yourself (though some policies include limited betterment cover).
What This Means for Construction and SMEs
Construction businesses face a unique mix of cyber exposures:
- High-value payments and complex supply chains increase exposure to invoice fraud and social engineering
- Remote sites with connected equipment (cameras, sensors, project management tools) create additional entry points for attackers
- Reliance on subcontractors and third-party platforms means you can be impacted by someone else’s security failure
- Tight project timelines mean downtime is expensive, so business interruption cover matters
For general SMEs, the exposure often centres on customer data, payment systems, and operational reliance on cloud platforms. A two-day outage might not sound catastrophic, but if you can’t process orders, access financial records, or communicate with clients, the costs add up fast.
Key Considerations Before Arranging Cover
When reviewing cyber insurance, focus on:
- Volume and sensitivity of data – What client, employee, or financial data do you hold? A data breach involving payment card details or health information triggers higher notification and regulatory costs than basic contact information.
- Reliance on digital systems – How long could your business operate without access to your systems? If the answer is “not long,” business interruption cover becomes critical.
- Payment processes and supply chain complexity – The more parties involved in your payment chain, the higher the social engineering risk. Construction firms processing six- or seven-figure payments need explicit social engineering cover.
- Existing security controls – Do you use multi-factor authentication? Are backups tested and stored offline? Is software kept up to date? Insurers will ask, and if the answers are no, expect higher premiums or declined cover.
- Third-party and vendor risk – Are you exposed if your IT provider, cloud platform, or key supplier suffers a cyber event? Some policies include contingent business interruption cover for this scenario, others don’t.
Final Thoughts
Cyber insurance isn’t a substitute for good security, but it’s a critical layer of protection when things go wrong. For construction and SME businesses, the real value sits in incident response support, business interruption cover, and protection against the social engineering and cyber theft threats that are hitting Australian businesses hard right now.
Understanding what your policy actually responds to, and where the gaps sit, means you’re not finding out the hard way during a claim. If you’re processing payments, holding client data, or relying on digital systems to operate, a structured review of your cyber exposure is worth the time.