Golden thread: BSA requirements create additional cyber exposure

The Building Safety Act 2022 and the associated Building (Higher-Risk Buildings Procedures) (England) Regulations 2023 introduced significant information retention requirements through their ‘golden thread’ provisions. These apply to buildings defined as ‘higher risk’ in the legislation.

The golden thread comprises the information needed to create a proper understanding of a building and, consequently, of the steps needed to keep both the building and people safe. It is envisioned as a building’s ‘single source of truth’ and, to avoid obsolescence and omission errors, it is not intended to be held across multiple sources or even duplicated (save for backup).

The legislation stipulates that the golden thread information must be held digitally, and to protect both personal information and the security of the building, it must be held securely.

Increased cyber risk for duty holders

There are multiple duty-holders for the creation, maintenance, and retention of the golden thread information during the lifespan of a building. They are the client, Principal Designer and Principal Contractor during the construction of the building, and then the Accountable Person(s) during the occupancy and use of the building.

The legislation includes criminal sanctions for breach of its requirements by duty holders and these include fines and even custodial sentences.

As a result of these changes, professional firms who have undertaken Principal Designer and Principal Contractor roles now face an increase in cyber risk. The same is true for persons or entities holding the Accountable Person duty.

They are responsible for the security and integrity of information which must be held electronically.

They are responsible for the transfer of this information to a new duty holder - for example a client/Principal Contractor passing the golden thread information to the Accountable Person on the completion of a development, or an outgoing Accountable Person transferring the golden thread information to an incoming Accountable Person due to the sale of the building.

Sanctions for breaches of responsibility

The duty holder can breach their responsibilities – and therefore face the sanctions under the Act – in a variety of scenarios including:

  • Breach of security such that a threat actor has accessed the golden thread information – this could be Personal Data contained within the golden thread database; alternatively, this could be building security information contained in the database

  • Malicious corruption or deletion of the golden thread information

  • Loss of access to the golden thread information due to malware (i.e. a ransomware attack)

The benefits of cyber liability insurance

Cyber-liability insurance can assist in dealing with these issues.

One of the most important areas that a cyber-liability policy can assist with is in establishing what has actually happened. If there was a suggestion that the golden thread had been accessed or tampered with, does an individual person or firm have suitable expertise to confirm the existence of an issue or identify its extent?

Reconstitution of Data is cover which is often available via cyber-liability insurance, and as might be anticipated, insurance assistance with a malware problem or ransomware attack can also potentially be included.

Cover varies considerably across different insurance products, so it is essential to use an insurance broker experienced in cyber-liability insurance. A prospective policyholder should take care to explain that their exposure includes golden thread responsibility, so that the broker can consider the extent of, and any restrictions on, the appropriate covers.

If you have concerns around the changes introduced by the Building Safety Act and associated legislation, do discuss these with your broker and we can be contacted as set out below.

The following links may be of assistance in considering this issue further:

Health & Safety Executive: https://www.hse.gov.uk/building-safety/golden-thread.htm

Building (Higher-Risk Buildings Procedures) (England) Regulations 2023 (see sections 31 and 38 in particular): https://www.legislation.gov.uk/uksi/2023/909/regulation/31/made

For further information, please visit our Construction Professionals page, or contact:

James Burgoyne, Senior Vice President

T: +44 (0)117 906 5077

E: james.burgoyne@lockton.com
