Ransomware attacks are perhaps the most well-publicized type of cybersecurity threat, but a variety of fraudulent activity continues to plague businesses, including REITs, that rely on technology to communicate and operate their companies.
The coming year is expected to see heightened regulatory scrutiny of cybersecurity risk and disclosure matters, ensuring that REITs remain laser-focused on this key corporate governance issue.
A cyberattack can compromise a company’s customers and create legal and financial hardships. The vulnerability created by today’s widespread adoption of remote work in response to the pandemic just adds to the pressure to develop protective policies against cyberthreats, experts say.
Despite preventative measures taken by businesses, the average cost of a data breach rose to $4.24 million in 2021, according to IBM’s Cost of a Data Breach Report, the highest average total cost in the report’s 17-year history.
“While the cybersecurity risks are different depending on the company, the Securities and Exchange Commission (SEC) has been really focused on this issue in recent years and is pushing public companies to be more transparent about their risk management procedures,” says Anna Pinedo, a partner and co-leader of the global capital markets practice at Mayer Brown.
While most REIT leaders and their boards of directors are fairly sophisticated about cybersecurity issues, policies and protections to avoid exposure are always worth a refresh, says David Slotkin, a partner and co-chair of the REIT practice at Morrison and Foerster.
Prepare to Update
A prime focus of the SEC’s review of 10-Q and 10-K filings, Pinedo says, is assessing a public company’s risk factors for cyberthreats. The SEC wants to ensure that companies are tailoring their policies and procedures to the risks that are particular to their company and their industry, she says.
The SEC will take enforcement action against companies that talk about ‘hypothetical’ breaches if they have actually experienced a cyberattack. Public companies are required to provide specific information about a data breach, including the costs, and whether any litigation resulted, Pinedo explains.
“You need to disclose to the SEC and to investors the details of whether you contacted companies and individuals who may have been impacted by a breach, the remedies you took to address the issue, and whether you lost business, or your reputation suffered. It’s not an option to present boilerplate information: you need to be specific,” Pinedo says.
Slotkin notes that many REITs have a fair amount of personal identifiable information (PII), which is “the apex of risk” for federal enforcement to become involved. “If there is a data breach, the SEC and other agencies will want to know if PII was exposed and whether it was properly protected.”
REITs that lease space to government agencies have a particular responsibility to notify authorities of an attack, Slotkin says. He notes that there is potential federal legislation that could require companies to notify the FBI or other authorities about a data breach within a specific timeframe, so REITs need to be aware that they may have to update their plans.
Legal experts say preparation for a possible cybersecurity attack should include procedures to prevent one from occurring in the first place, and then, what to do if one actually occurs.
“Whenever there’s a newer issue such as ransomware, you need to develop a new response plan—one that includes an analysis of whether you would pay any ransom,” given that there are legal risks if you pay someone on a government sanctions list, Slotkin says. The plan also needs to consider whether to contact the FBI or other authorities.
Rather than being handled solely by the IT department or the executive team, responsibility for cybersecurity risk management today is increasingly shared with the board of directors.
All board members need a basic level of education and understanding about cybersecurity, Pinedo says. “They need to know what ransomware is and what the data protection standards are for the company. Some states have their own data privacy standards, which the board also needs to understand.”
Outside counsel or a crisis management team can present materials to educate the board about cybersecurity, and exercises can be run to model a breach and the response for board members, she says.
Another consideration for REITs is where responsibility for cybersecurity oversight will rest within the board. Pinedo says it’s common for this to be part of the portfolio of an audit committee, although some companies have a risk management committee, or even a separate cyber risk committee.
“No matter which committee is responsible, there needs to be a system for periodic review of cybersecurity protections and a regular committee meeting with the chief information officer,” Pinedo says. Some committees may want to establish a relationship with an outside expert who periodically briefs the committee on risks.
In addition, an increasing number of boards include a member with cybersecurity expertise, Slotkin adds. REITs can recruit a cyber expert for their board through their network, their law firm, their audit firm, or their IT consultants, or by hiring a board recruiting firm, Pinedo says.
Meanwhile, widespread adoption of remote work has heightened the challenge of cybersecurity, leading many companies to increase staff training and add special measures to audit cybersecurity, Pinedo says. The average cost of a data breach where remote work was a factor was $1.07 million higher than in breaches where remote work was not a factor, according to IBM’s report.
In addition to cybersecurity training for employees working at home, most companies have virtual private networks (VPNs) and multifactor authentication in place to reduce the risks associated with remote work, Slotkin says. Among the policies that companies can implement to reduce the likelihood or severity of a cyberattack is segregating information and restricting access to it, he says.
Pinedo points out that it is important to have additional back-up for data storage and some type of emergency recovery system in the event of an attack. “Companies may want to contract with an outside vendor for back-up support and hire outside IT auditors to check their safety plans.” Slotkin, meanwhile, suggests that REITs hire a cybersecurity expert to audit their systems and do a breach test. “Companies can develop an instant response team after they have the audit to determine their vulnerabilities,” he says.
Slotkin also recommends tabletop exercises to test reactions to cyberthreats.
A tabletop exercise, he explains, is a simulation of a hypothetical breach or other crisis response to evaluate strengths and weaknesses. “Regulators want to see that you have these systems in place and that you are regularly reporting to your board about your cybersecurity plan,” he says.
Most of Slotkin’s clients have cybersecurity insurance that generally covers ransomware, but those policies should be reviewed like any other insurance policy, he says. “Cybersecurity insurance is evolving, and many have more exclusions than they did in the past.”
Experts agree that training management, employees, and board members about the risks of cyberattacks and the procedures in place are essential measures for REITs to protect their customers and their company, as well as to meet the growing expectations of investors and regulators that are likely to take center stage in 2022.