Cyber

Following a correction in 2020-2022, the cyber market continues to stabilize. This market has been hypercompetitive since 2023, driven by an abundance of new capacity entering the space and more thoughtful underwriting oversight.

While the cyber market remains favorable to buyers, signs of a firming market are appearing as claims frequency and severity continue to rise. These claims trends and aggressive pricing are pressuring insurers to hold the line on rate so far in 2026.

Threat actors continue to find inventive new ways to compromise IT environments and exploit victim organizations. Ransomware attacks, for example, are growing more sophisticated in response to construction and design firms' investments in more resilient security tools and practices. Threat actors are now favoring data exfiltration tactics over encryption. Extortion payments that were once made in exchange for decryption keys are now being made to suppress the publication of sensitive data stolen by threat actors.

Artificial intelligence is a double-edged sword. On one side, AI is enabling threat actors to craft seemingly legitimate communications to orchestrate more effective phishing attacks. On the other, AI is helping construction and design firms more quickly discover vulnerabilities, better prioritize cybersecurity investments, and more efficiently execute remediation efforts across IT environments.

Litigation following a cyber event is becoming more prevalent as a byproduct of expanding data privacy laws as states continue to enact stricter regulations. It is increasingly common to see third-party demands or class-action suits after data breaches.

Although construction and design firms are not rich in consumer data, the confidential business data they hold — particularly organizations focused on critical infrastructure or projects related to the Department of Defense (DoD) — is an enticing target for cybercriminals. As of November 2025, Level 1 compliance with the DoD’s Cybersecurity Maturity Model Certification was required for all organizations seeking to secure DoD contracts.

Generally speaking, construction and design firms have historically lagged other industries in cyber risk mitigation controls and practices. In recent years, they have largely closed the gap. Firms are investing in proper cybersecurity tools, personnel, and practices. There is no “finish line” in cybersecurity, however, as the virtual arms race between firms and cybercriminals will continue to intensify.