Q&A: How important is cyber security to the real estate industry?
Dan Norris, UK head of real estate, Hogan Lovells
Cyber security risks are rising in the commercial real estate industry — and building management systems can be part of the exposure.
Like any other industry, commercial real estate is not immune to cyber security threats. Both property owners and tenants may hold their sensitive data in separate systems, but increasingly the systems connect, exposing them both to the weakest link in their security.
Dan Norris, UK head of real estate, Hogan Lovells
Cyber security risks are rising in the commercial real estate industry — and building management systems can be part of the exposure.
Like any other industry, commercial real estate is not immune to cyber security threats. Both property owners and tenants may hold their sensitive data in separate systems, but increasingly the systems connect, exposing them both to the weakest link in their security.
Building cyber “bridges” between systems not only exposes data to privacy violations (it is outside the scope of this article, but both landlords and tenants need to give thought to GDPR), but also to security breaches. Breaches can have expensive and disruptive consequences.
What is the exposure to hacking and cyberterrorism, and what protection is available?
Cyber breaches are a particular issue for modern, commercial multi-let investment properties. In more sophisticated buildings, the BMS commonly interacts with tenant systems, the landlord’s property management systems, and may offer wi-fi to visitors. Cyber-terrorists will look for the weakest link.
There are reported cases of whole hotel heating and cooling systems being hacked by guests using tablets (one during a cyber security conference); and if you think changing the temperature is not a problem, then think of the steel mill in Germany that literally melted when its thermostatic controls were hacked; or what might happen in a temperature-controlled warehouse.
Stand-alone systems with no wi-fi are not secure from the disgruntled employee or enterprising hacker – we know of a security consultant, hired by a company to test its computer security, who simply made his point by sending a photo of himself jacked into the server having breached physical security.
The insurance industry is working hard to develop affordable products that will protect property owners from both physical damage resulting from hacks and losses caused by hacks that do not cause any physical damage (such as sealing the doors, or jamming the lifts). Insurance products are emerging, but you need to check the policy terms very carefully – and then think about who is going to bear the cost. (This insurance should not be confused with policies that are available for data breach, which are more developed.)
At the moment, institutional leases are completely silent about any kind of cyber risk. In the simplest terms, a lease says that the landlord will insure against damage to the property by fire and other usual risks.
In the event of damage, the landlord will use the insurance proceeds to rebuild the property, and the tenant’s rent is suspended (covered by the loss of rent insurance). The landlord may be able to include cyber as an insured risk. If it can’t, then the uninsured risk provisions may help, if there are any, which usually means the landlord will bear the loss. However, if there is no physical damage then there are no provisions in the lease that will help.
Would the tenant have a claim for breach of quiet enjoyment?
The policy needs to cover that. In sophisticated buildings, building management systems need to be kept secure. That means software and hardware will need to be upgraded and tested for security. The lease may not provide for the cost of that to be recovered through the service charge, so that may be another cost to the landlord.
Landlords need to prepare for the worst – with meaningful maintenance plans, an effective response strategy and a fresh look at their leases.
