REITs are increasingly reliant on technologies across the spectrum of information technology (IT) and operating technology (OT) that range from cloud-based systems and the Internet of Things (IoT) to automated building management systems, workplace experience apps, and augmented reality. The rapid pace of innovation in an increasingly digital real estate universe means more blocking and tackling across a larger arena when it comes to shoring up defenses against cyber threats.
Cyber attacks can have significant business and financial impacts, and can also pose threats to human safety. One of the most high-profile attacks is the ransomware attack that forced a shutdown of the Colonial Pipeline in 2021, with the company reportedly paying $4.4 million to attackers to regain control of critical operating systems.
“What we’re seeing with companies’ desires to gain a competitive advantage is that businesses sought these emerging technologies, but they weren’t always adequately thinking through the risks,” says Tunde Lawson, principal at EY.
Ransomware attacks account for the majority of cyber attacks. In these attacks, bad actors access systems, encrypt or “lock” them, and exfiltrate data. Oftentimes, a company has to pay to decrypt or unlock systems, and in some cases, pay a double ransom to remove private information that cyber criminals have posted publicly.
A proposed SEC rule that is expected to go into effect this year is pushing the focus on cyber risk even more to the forefront for the REIT industry. Although the release of the final rule is still pending, at a high level, the rules outline expectations for the reporting of material cyber incidents in a timely manner; require disclosures on policies and procedures related to cyber strategies; and also create some standards around how cybersecurity disclosures are presented.
“I think the most significant implication is accountability with those charged with governance and the management teams of the enterprise. Gone are the days where we would say, ‘cyber is an IT issue.’ There’s recognition that it needs to be treated no differently than any other strategic initiative that a company is partaking in and deserves the same level of attention,” Lawson says.
Taking a Proactive Approach
Smarter connected devices and systems are increasingly ingrained in everyday life. People can see who’s at their front door or adjust their thermostat anytime and anywhere via their smartphone. Likewise, real estate owners and managers are using technology to automate a variety of tasks ranging from door locks and lighting to air filtration systems.
“When you have all of these connected technologies that you can operate virtually, it’s convenient, but it creates a risk. Cyber risk is growing every day and we need to address it proactively,” says Lucian Niemeyer. The former assistant secretary of defense for energy, installations and environment is now CEO of Building Cyber Security (BCS), a non-profit organization that is focused on advancing physical security and safety in the public and private sectors.
A key focus within the cyber industry is to work with manufacturers and service providers to create security that is embedded into devices and systems, and BCS is among the groups that are advocating for the need to design cyber safety and security into all smart technologies. The non-profit also has created a performance framework that provides an assessment and then certifies continual performance.
“The push is to take the framework we’ve developed and inform the design, development, and construction requirements,” Niemeyer says. The framework also can be used in existing buildings to identify cyber risk and even simple steps a company can take to improve security, such as changing default passwords for smart systems or installing multi-factor authentication.
Work in Progress
Property owners and managers now have a full spectrum of IT and OT devices and systems that they have to protect. Whereas IT is more of a mature space, the OT side is newer and doesn’t have a strong legacy of cyber security measures, experts say.
“A lot of systems might last 10 to 15 years, and you need a capital event to update and move it forward. So, it is a journey for the industry, and the maturity of the control environment on the OT side is a work in progress right now for companies operating in the industry,” says Jim Whalen, senior vice president and chief information and technology officer at BXP (NYSE: BXP).
BXP thinks about cyber across three primary technology buckets. One covers all of the technology and systems required to run the business. The second relates to the tech that gets embedded into properties that occupants and guests engage with, ranging from using a wi-fi system to getting through a turnstile. A third category focuses more on the behind-the-scenes technology, such as HVAC systems and security camera networks. BXP looks for cyber security solutions that can support all three areas.
“We’re using data to drive the efficiency of our buildings, along with supporting the growth in technologies enabling amenitization, experiences, and convenience for our clients. Each intervention requires an elevated cyber posture to protect those assets,” Whalen says.
Whalen is a co-founder of the Real Estate Cyber Consortium (RECC), which serves as a resource to the broader commercial real estate industry. The mission of the group is to elevate awareness and share best practices to improve cybersecurity preparedness so that companies don’t have to reinvent the wheel. RECC also is working to influence the supply chain to develop proactive cyber safety measures and security standards.
REITs face a number of issues when it comes to managing cyber risks. One is simply the growing scale and rapid pace of change with technology that is becoming increasingly entrenched in a variety of systems, applications, and devices.
“As we try to guide our clients to protect against trends we’re seeing in the sector, it really begins with understanding their situational awareness,” Lawson says. Some key questions to assess a company’s cyber awareness are:
- Do you understand what your high value assets are?
- How can your business strategies make those assets vulnerable?
- Could you detect if you have been breached?
- Do you have a plan in place to respond to a breach, and have you routinely practiced that plan?
- Are you able to continue with business operations and minimize disruption in the face of an attack?
The answers to those questions help to guide a framework for how to think about practical solutions, processes, and controls to address cyber risks, and ultimately safeguard assets, Lawson says. In addition, challenging a company’s capabilities across some of those questions, as well as adopting a security risk management framework that is aligned to leading practices, helps businesses keep up with rapidly changing and evolving technologies, he adds.
Another key issue for REITs relates to third-party service providers, vendors, and business partners that have different maturity levels on cyber, which can potentially create vulnerabilities to cyber threats. One of the notable examples of third-party risk is the Target data breach in 2013, where hackers gained access through an HVAC vendor.
“Establishing a third-party security risk management framework is a really effective tool to mitigate risks from those business relationships,” Lawson says. A third-party security risk framework allows companies to design policies, procedures, and standards on how they engage with those third parties.
An important step in creating that framework is gathering an inventory of vendors, service providers, and other business partners. Once a company has that inventory, it can classify those third parties by risk level, depending on the nature of the data they handle and their level of access into the business or a specific property.
Yet perhaps one of the biggest challenges companies face relates to the human element within organizational change, Whalen adds. “You need to drive awareness across all of your teams—physical security, engineering teams, facilities and property management—and closely partner with them in adopting the required changes,” he says. “It’s not just that IT comes in and puts a cyber security solution in place, it really requires working with the human side of our talent that service clients and operate buildings every day.”