With an estimated 12.5% of our economic activity now conducted online, the UK’s percentage of GDP attributed to the digital economy is the highest in Europe. And this is a figure that only includes what is now measurable. A former governor of the Bank of England, Sir Charles Bean, concluded that if the digital economy was fully captured by the Office of National Statistics, the UK’s economic growth would be revised upwards by up to 0.6%. Whatever the measure, the digital economy will continue to expand and technology will continue to revolutionise all industries, including the real estate sector. And a fair chunk of this digital revolution will happen in London.
Consequently, UK businesses in the capital and beyond are particularly vulnerable to hacking, cyber-crime and cyber-terrorism. A 2015 government survey estimated that 90% of large corporations and 74% of small businesses suffered a cyber-breach, with the average cost of a breach being estimated at between £1.46m and £3.14m for a large business.
With most reported cyber attacks relating to data breaches (think password or bank account theft) it is easy to assume that the commercial real estate industry is neither a likely nor lucrative target for hackers. However, a real estate investor is no different to any other business, with the confidential data stored on its systems replete with financial information; and tenants of smart buildings often having their systems linked to the landlord’s Building Management System. Hacking a BMS may enable access to other data systems and networks, so a potential cyber-attack presents a unique problem which users and owners of smart buildings need to grapple with.
Start your free trial today
Your trusted daily source of commercial real estate news and analysis. Register now for unlimited digital access throughout April.
Including:
Breaking news, interviews and market updates
Expert legal commentary, market trends and case law
With an estimated 12.5% of our economic activity now conducted online, the UK’s percentage of GDP attributed to the digital economy is the highest in Europe. And this is a figure that only includes what is now measurable. A former governor of the Bank of England, Sir Charles Bean, concluded that if the digital economy was fully captured by the Office of National Statistics, the UK’s economic growth would be revised upwards by up to 0.6%. Whatever the measure, the digital economy will continue to expand and technology will continue to revolutionise all industries, including the real estate sector. And a fair chunk of this digital revolution will happen in London.
Consequently, UK businesses in the capital and beyond are particularly vulnerable to hacking, cyber-crime and cyber-terrorism. A 2015 government survey estimated that 90% of large corporations and 74% of small businesses suffered a cyber-breach, with the average cost of a breach being estimated at between £1.46m and £3.14m for a large business.
With most reported cyber attacks relating to data breaches (think password or bank account theft) it is easy to assume that the commercial real estate industry is neither a likely nor lucrative target for hackers. However, a real estate investor is no different to any other business, with the confidential data stored on its systems replete with financial information; and tenants of smart buildings often having their systems linked to the landlord’s Building Management System. Hacking a BMS may enable access to other data systems and networks, so a potential cyber-attack presents a unique problem which users and owners of smart buildings need to grapple with.
The reality of hacking a BMS
Potentially vulnerable BMSs are now found in many buildings. A 2015 paper published by QinetiQ listed systems that included: lighting (deactivation of lights may cause safety and productivity issues including public panic); access control (remote release of secure doors resulting in unauthorised access, erasure of access logs to cover criminal activity); HVAC (activation or deactivation of heating or cooling causing plant/equipment shutdown or malfunction); CCTV (increased situational awareness for intruders); lifts (denial of service, overriding lift access control); and tenant billing as possible targets for everyone from terrorists down to bored teenagers.
Such concerns are emphatically not just a futuristic nightmare. In China in 2014, Jesus Molina found that he could easily take control of the thermostats, lights, TVs and window blinds in all of the St Regis Shenzhen hotel’s 250-plus rooms. Recently, a member of the Free Software Foundation discovered much the same thing at the hotel he was staying at in London.
Fortunately for the hotel owners, neither hacker’s intent was malicious, but that is not always the case. The German government reported in 2014 that hackers had taken control of a steel mill’s blast furnace causing massive damage, and recent shutdowns in Ukraine’s power grid have beenn widely attributed to hackers. Late last year three NHS hospitals fell victim to a cyber-attack affecting the hospitals’ computer systems and forcing the cancellation of all appointments and operations for two days.
Vulnerability
With those involved in installing and managing BMSs tending not to have security expertise, new systems are often connected into wireless networks without adequate security. Alternatively, standalone systems are installed but later connected to wider networks or access points (think how you can now control your home heating system from a smartphone), and an independent system is always vulnerable to a disgruntled employee. As a result, a malicious attack on a smart building BMS in the UK may well be a matter of when, rather than if. It is all too easy to imagine a hacker gaining access to a property’s BMS and holding a building owner to ransom or setting off the sprinklers in a shopping centre and destroying stock, or overriding lift braking systems in a skyscraper.
Protection
The implications for landlords, tenants and their visitors and staff are varied and manifest. Quite apart from ensuring that systems are secure and security is current and maintained, we recommend implementing the following steps, which align with the government’s Cyber Security Strategy built on the principles of defend, deter and develop:
• Assess
Assessing the risk profile of individual assets along with the owner’s legal obligations (statutory and contractual including to its tenants) and incident and response readiness. This risk assessment is not something that can be pulled off the shelf – it requires bespoke planning and implementation.
• Prepare
Preparing before an incident occurs, developing response plans and incident response simulations, and consider insurance strategies.
• Respond
Management of breach notifications, communications and public relations (the reputational risk should not be underestimated), law enforcement interactions, and vendor and forensic expert identification.
• Engage
Interaction with the legal, regulatory and governmental authorities.
• Defend
Consider the risk of exposure to potentially costly and damaging claims and plan a defence strategy.
Other practical implications
• Insurance
Traditional buildings insurance in the UK does not fully address the challenges presented by these sorts of cyber-attacks. Property damage cover typically excludes losses resulting from cyber-attacks. Further, traditional business interruption cover isn’t triggered where the incident doesn’t result in physical damage to the building. For instance, turning up the heating in a refrigerated warehouse, or opening all the doors in a shopping centre out of hours may not result in damage to the building, but the consequences for the occupiers could be material. The insurance industry is consulting extensively with the government specifically on this issue.
Typical cyber-policies that do exist are focussed on data breaches and system failures and may not assist with the major exposures facing landlords because of BMS, or older control systems that may still have internal or external connections. Some providers are aware of the issues. Jack Lyons of the JLT specialty cyber team confirms that customised cyber policies can be placed to fit specific client needs including the insurance of liability arising out of ‘loss of quiet enjoyment’ resulting from a cyber-incident.
Even if a landlord can get insurance, who will pay for it? The relevant lease clauses need to be looked at carefully, as the traditional “insured risks” wording may be inadequate to enable recharging the cost to a tenant. If the cost can be recharged, but that cost is high, it may make the financial package on offer to prospective tenants uncompetitive.
• Service charges
Similarly a review of the service charge provisions is needed. With tenants increasingly astute about what services are covered and what they are bound to pay for, it is possible that a specific new insurance cost could not be put through the service charge (and again the cost may be problematically high). The same is also true of the costs of installing, upgrading, maintaining and securing a BMS. Tenants may also have a concern if the landlord is not under any obligation to maintain, upgrade and protect the BMS.
The real estate industry needs to focus on the unique challenges that it faces from technological innovation and cyber-attack before if becomes when.
