July 9, 2026 · construction · verticals
Cyber insurance for construction contractors: what carriers require in 2026
The short answer
Construction companies applying for cyber insurance in 2026 need the standard controls — enforced MFA, EDR, tested backups, patching, training, and a written incident response plan — plus the control underwriters weight heavily for contractors: a documented funds-transfer verification procedure, because construction's large progress payments and subcontractor chains make it a prime target for wire fraud.
The Founder
Founder, Surable · 20 years in IT and information security
Construction didn't used to think of itself as a cyber target — no card data, no medical records, half the crew's "endpoint" is a tablet in a truck. Attackers disagree, for one simple reason: construction moves large sums of money on emailed instructions, on schedules everyone can see. A progress payment redirected to a fraudster's account is worth more than most data breaches, and it only takes one convincing email to a bookkeeper.
Carriers price accordingly. Here's what a contractor should have in place before filling out a 2026 cyber application — the standard list first, then the parts that are sharper for construction.
The standard seven still apply
Everything in the core requirements list applies to a contractor like any other business: enforced MFA on email, remote access, and admin accounts; EDR on the machines that run the office; automatic, tested, offline-capable backups (your estimating data and project files are ransom targets); patching with no end-of-life systems; documented security training; and a written, tested incident response plan.
If the back office runs on Microsoft 365 plus an accounting package plus a project-management SaaS, most of that list is configuration and paperwork rather than new spending.
The contractor-specific center of gravity: payment controls
The claims data is unambiguous — business email compromise and funds-transfer fraud drive 58% of incidents in Coalition's 2026 report — and construction's payment patterns are the textbook setup:
- Big, irregular payments (progress draws, retainage releases, material deposits) where an unusual amount doesn't look unusual.
- Long payment chains — owner → GC → subs → suppliers — where everyone emails everyone, and one compromised mailbox anywhere in the chain can inject "updated" bank details.
- Public project visibility (permits, bid results, signage) telling attackers exactly who owes whom, roughly how much, and when.
The control that neutralizes this is embarrassingly analog: a written funds-transfer verification procedure. Any change to bank details, and any unusual or urgent payment request, gets verified by phone at a number you already had — never one from the email — before money moves. No exceptions, including for the boss's own emailed instructions (attackers impersonate owners more than anyone). Train every person who can initiate a payment; keep the one-page procedure with your policies.
Some carriers ask about this procedure explicitly, and full funds-transfer-fraud coverage terms can depend on it. It's also the rare security control that costs literally nothing.
Field realities carriers will ask about
Shared logins. One "office@" login used by five people fails the access-control questions and makes incident investigation impossible. Individual accounts, MFA on each.
Personal devices on job sites. Foremen approving invoices from personal phones is normal — an application-honest answer requires at least a basic mobile/BYOD policy: screen lock, ability to remove company email from a lost phone, no sideloaded apps on devices that touch payments.
Subs and vendors in your systems. If subs submit through your project portal or a vendor remotes into your estimating server, that's third-party access; carriers ask how you vet it. A one-page vendor inventory plus security language in subcontracts covers the question at contractor scale.
The prequalification bonus
Here's the part that turns compliance into revenue: GCs and owners increasingly push cyber questionnaires down the chain during prequalification, because their carriers ask about their subs. A contractor who can hand over a written policy pack — MFA policy, payment verification procedure, IR plan, training log — clears prequal questions that stall competitors. The same documents answer the insurance application and the GC's questionnaire.
Five minutes on the free Readiness Check will show you where a contractor's application would stand today — and the Readiness Pack includes the funds-transfer verification procedure and every policy above, mapped to the questions carriers ask.
Common questions
Why do carriers care so much about wire fraud for contractors specifically?+
Because construction payments are large, frequent, project-based, and flow through long chains of GCs, subs, and suppliers — exactly the environment where a spoofed 'our bank details changed' email succeeds. Funds-transfer fraud and business email compromise drive the majority of small-business cyber claims.
We're a small sub with no servers — do we still need all this?+
You have email, a bank account, and customers who pay invoices — that's the whole attack surface wire fraud needs. The controls scale down: enforced MFA, a call-back payment rule, basic training, and a one-page incident plan cover a small sub's realistic risks, and the application still asks about all of them.
Do GCs actually check subcontractors' cyber posture now?+
Increasingly, yes — through prequalification questionnaires and contract security clauses, for the same reason carriers do: a compromised sub's email is how fraudulent payment instructions enter a project. Being able to hand over a policy pack answers those questionnaires too.
What should a contractor fix first?+
Two things, same week: enforce MFA on email (free, an afternoon) and adopt a written call-back rule for any bank-detail change or unusual payment request (free, one page, train everyone who pays invoices). Those two controls target the way contractors actually lose money.
Sources
Find out where you stand — free, in 5 minutes
Instant readiness score across the ten domains carriers probe, plus your top three gaps and how to fix them.