Cyber threats putting UK construction projects at risk, insurer warns

Operational downtime now averages more than three weeks per attack

By Jonalyn Cueto

Ransomware attacks on the UK construction sector are causing an average of 24 days of operational downtime per incident, according to a new report released by global business insurer QBE.

The report, From blueprints to breaches, produced in partnership with risk consultancy Control Risks, warns that cyber incidents now threaten to derail entire construction programmes as the industry increasingly adopts digital tools such as Building Information Modelling (BIM), connected operational technology (OT), and AI-driven systems.

QBE said the expanding use of these technologies is widening the attack surface across the sector. When systems that process data are linked to systems that control physical equipment, previously isolated environments are exposed to new pathways for attackers, turning operational gains into potential liabilities.

Neil Fleming, QBE UK construction portfolio manager, said a single ransomware incident could now put entire projects at risk.

“When access to drawings, project data, or digital platforms is lost, costs escalate, project completion is put at risk, and subcontractors feel the knock-on effect immediately,” Fleming said.

“Cyber resilience needs to be considered alongside traditional project risks to deliver on time and reduce unforeseen costs. Many construction firms still treat cyber resilience as an IT issue rather than a project risk.”

Surge in IoT malware activity

The scale of the threat has grown sharply. In 2025, Internet of Things (IoT) malware activity targeting the construction sector rose 410% year on year, while inadequate segmentation between IT and OT systems was a contributing factor in 81% of OT incidents recorded that year.

Geopolitical factors are also adding pressure. The UK recorded 15 state-aligned cyberattacks between 2022 and 2026 – three more than Germany, France, and Sweden each recorded during the same period. QBE noted that construction firms may rarely be primary targets but remain exposed through their role in designing and building critical national infrastructure.

David Warr, cyber portfolio manager at QBE International Markets, said the nature of cyber risk in the sector had fundamentally shifted.

“Many breaches now interrupt workflows, lock out critical systems and, in some cases, affect the physical environment through connected operational technology,” Warr said. “The line between cyber risk and operational risk has effectively disappeared.”

Regulatory pressure is also mounting. The European Union’s updated Network and Information Systems Directive (NIS2) now mandates stricter risk management and incident reporting within 24 to 72 hours, with personal liability for management. In the UK, the proposed Cyber Security and Resilience Bill, introduced in November 2025, is expected to bring many construction firms into scope.

QBE called on construction firms, brokers, and risk managers to integrate cyber risk into project planning from the outset, ensuring insurers are engaged early enough to address exposures before they become liabilities.

The UK’s National Cyber Security Centre recorded 204 nationally significant cyberattacks in the year to September 2025 – up from 89 in the previous year, averaging four major attacks per week.
