Commercial Real Estate Is Unprepared For A Major Cyberattack
Want to get a jump-start on upcoming deals? Meet the major players at one of our upcoming national events!
Cybersecurity threats have become a constant and pervasive concern impacting multiple industries. In April, Boeing’s factory computers were held hostage by a ransomware virus, WannaCry. The same week, Baltimore was left without its 911 dispatch system for over 24 hours when hackers prevented calls from being recorded. For many commercial real estate companies, these growing threats have done little to spur significant investment in cybersecurity.
Over one-third of real estate firms have experienced a cybersecurity event themselves or at one or more of their properties in the last two years. But in a KPMG survey of real estate professionals, half of the respondents said they were not adequately prepared to prevent an attack.
For Newmark Knight Frank Executive Managing Director Geoffrey Kasselman, SIOR, it is only a matter of time before a significant cyberattack forces the industry to reckon with how insufficient cybersecurity will impact a company’s ability to develop, market and lease property.
“Real estate decision-makers are still using an analog model of real estate investment because they continue to make money,” Kasselman said. “Where has there been enough pain for people to completely reinvent their business model and include cybersecurity in the investment equation?”
Worth The Investment
A lack of understanding has made the industry slow to adopt and budget for cybersecurity. While using a firewall and strong passwords can help mitigate security breaches, comprehensive cybersecurity measures go beyond online incidents, Kasselman said. Security measures need to accomplish everything from safeguarding cloud services to preventing physical intruders from accessing the data centers that hold tenant information.
Building automation, especially building management systems that regulate HVAC, elevators and other services, have compounded the problem. While these systems have made buildings more efficient, they have also increased the number of entry points through which a hacker can access tenant data.
Frequent attacks could impact a company’s productivity and in turn, negatively affect a property owner’s ability to secure long-term leases.
“Let’s say you have a trophy building in a major market like a World Trade Center or TransAmerica Building,” NKF Executive Managing Director Steve Kapp, SIOR, said. “Somebody could come in and breach systems with thousands of people working there, hack into the system and turn all of the lights off. Now you have to evacuate the entire building.”
Hiring an executive who understands the complexities of cybersecurity has become a popular solution. After suffering a major data breach in 2014, Target hired a chief information security officer. A relatively new position within the C-suite, a CISO handles the strategic implementation of cybersecurity initiatives. The caveat is the price: The average median CISO salary is $204K.
With the exception of a handful of large real estate companies, that is cost-prohibitive. Mom-and-pop businesses cannot afford a full-time CISO, Kapp said. At the publicly traded level, REITs and multinational brokerage firms have invested in robust measures, from CISOs to training programs. At NKF, every employee is required to undergo an hour of cybersecurity training, and they must change their passwords every 90 days.
“It is a harder decision to invest in these measures when you are part of a company with only five employees,” Kapp said. “Maybe you don’t need a full-time person. Maybe it is someone who does an audit and then checks in on the status of the company quarterly. Maybe it is an outsourced service.”
For smaller shops that manage real estate assets through third-party contracts, outsourcing cybersecurity programs could help offset costs.
Who Is At Fault?
There has been a debate over whether tenants or landlords are responsible for preventing cyberattacks. Responsibility varies across lease terms and asset classes. In an industrial property, for instance, tenants assume responsibility for all building operations. In an office building, the landlord maintains control over building management. While the landlord provides amenities and the infrastructure to support the business, cybersecurity might come down to an individual tenant's needs.
“If a developer builds infrastructure for the building and a tenant uses that space and the tenant experiences a cybersecurity event, who is liable?” Kasselman said. “Is it the tenant because they use it or the owner because they designed it?”
Recent cyber events like the Equifax hack and Uber data breach have prompted interest in creating federal legislation that keeps businesses and consumers aware of cyberattacks. A proposed bill would require companies to notify customers of data breaches within 30 days of discovery and impose a five-year prison sentence on the leaders of organizations caught concealing incidents.
Unless a tenant and landlord enter a conversation prior to the lease-signing regarding cybersecurity responsibility, it is a discussion that will likely never happen, Kapp said.
Cybersecurity Benchmarking Standards
Office buildings mostly market security that prevents physical intrusion, whether through ID cards or a doorman in the lobby. While secure IT infrastructure or strong firewalls have yet to enter the conversation, in the future, cybersecurity could become a part of the amenities package, Kapp said.
Similar to how WiredScore and the WELL Standard have created benchmarks for internet connectivity and office wellness, a certification for cybersecurity could be used as a marketing tool for attracting and retaining tenants.
“Maybe there needs to be an accreditation, a third-party group that serves as a benchmark for cybersecurity,” Kapp said. “So you can get that stamp of approval. It would be interesting if the industry adopts that standard.”
No such benchmarking standards for cybersecurity are currently in the pipeline.
This feature was produced in collaboration between Bisnow Branded Content and SIOR. Bisnow news staff was not involved in the production of this content.