We are in a new era of cybersecurity risks in commercial real estate, driven by decades of technological advances that impact all buildings’ physical and environmental functionality. There are material risks for investors, owners, operators, and occupants. Risks include insurance gaps relating to nation-state attacks and for-profit ransomware, as well as risks from ill-equipped building managers and contractors.
Insurance carriers and brokers increasingly deny cybersecurity insurance coverage. When you can get a policy, the premiums skyrocket, and there are gaps and exclusions in existing policies. Often, cybersecurity incidents in building control systems are not addressed in property and casualty (P&C), general liability, or cyber riders, which can result in litigation, and the aforementioned exclusionary language is emerging notably in P&C. Directors and Officers (D&O) insurance is now rising in importance, with some cybersecurity lawsuits against individuals and recent SEC cybersecurity disclosure proposals.[1]
This is not a so-called smart building or Internet of Things (IoT) problem, although those continue to add to the risks, but rather a 40-year build-up: our main systems (e.g., HVAC, elevator, lighting, access control, parking) have all required computers, networks, and Internet connections since the 1980s. These IT elements are necessary to provide building-wide control between devices and floors as well as remote maintenance and updates. Notwithstanding those multiple decades of technology inundation, there have never been suitable technology or cybersecurity skill sets anywhere in the commercial real estate (CRE) value chain, from design to development and management. Therefore, the problem is systemic and pervasive throughout the entire industry, which is unfortunately now on full display in a global era of cybersecurity awareness.
More recently, there has been a steadily intensifying cybersecurity theme from state actors such as Russia (publicly) and Iran (in secret documents) and from for-profit hackers, all of whom target critical infrastructure in the West. This is not only power plants and dams but also commercial real estate and all non-single-family use types. In one specific instance, Russian malware was recently discovered in REIT HVAC systems only one week after the U.S. government warned of the malware by name and country of origin.[2] Iranian documents mention specific systems and manufacturers of HVAC, lighting, and metering systems when stating their malicious intentions for commercial real estate.[3] These real estate targets include corporate office properties, banks, schools, hospitals, public venues, and more. The Boston Children’s Hospital HVAC contractor was ransomed by international hackers, which created intense concerns.[4]
Consequences can include life safety issues, equipment replacement, unmitigated access to corporate networks, full-building downtime, and significant brand damage. We are entering the perfect storm from the confluence of decades of tech buildup, lack of skill sets, cultural ignorance, savvy bad actors, and a dependency on commercial real estate as critical infrastructure. This impacts all stakeholders but can be influenced most broadly by investors and owners as their policies and requirements can be mandated downstream to asset managers and property managers for assessments, policy enforcement, and active monitoring.
Source: “Cybersecurity Interruptions”