Data breaches are so common that except for the largest of them, they barely seem to be news anymore. Yet the threat to the multifamily real estate industry is very real, even though apartments have so far been a relatively infrequent target of hackers.
The industry got a wake-up call two years ago, when Essex Property Trust Inc. reported that some of its networks containing personal and proprietary information had been compromised.
Upon detecting unusual activity, the Palo Alto, Calif.-based company took immediate steps to assess and contain the intrusion and secure its systems, retaining independent forensic computer experts to analyze the impacted data systems. As Essex president & CEO Michael Schall observed at the time: “Unfortunately, cyber-criminals are finding new ways to infiltrate data systems every day, leaving companies increasingly vulnerable to these kinds of events.”
Did the multifamily industry take Schall’s warning to heart? Not entirely, it seems. Cybersecurity expert Ian Marlowe, the founder & CEO of FITECH, pointed out that real estate has often trailed other industries in technology-related matters, including protecting itself from cybercrime. “Positive movement is happening,” he noted. “But it’s a little slow. Real estate’s always two or three versions behind the latest tech. But the industry knows about the problem.”
Kevin Donnelly, vice president of government affairs for the National Multifamily Housing Council, also credits the industry for increasing awareness. “The multifamily industry has really stepped up its game on cyber and data security and has come a long way in preparing to face the realities challenging our industry,” he said. “Apartment firms no longer view this as an IT issue but as a C-suite-level matter, with implications and responsibilities across the entire enterprise.”
Despite its reputation as a slow adopter, real estate is now embracing smart building technology. Ironically, that poses a problem when it comes to security. If an owner or manager isn’t careful, an individual community or an entire portfolio of smart apartments can fall short in warding off cyberthreats.
“Until very recently, apartment managers weren’t keeping close enough track of all the new systems they were having installed,” explained Marlowe. “Some still aren’t. Buildings have been converting analog systems to digital piecemeal. Managers often don’t think of their buildings as a network yet, and that can cause vulnerabilities. We still see a remarkable number of building systems without firewalls.”
Systems that automatically control HVAC, lighting or safety are now fairly widespread. Also, apartments are increasingly connected to residents and vendors through building management, communication technology and other systems. In a smart building, these systems allow efficient portfolio management through availability of information. That’s the upside.
The downside: “At an asset level, the interconnectedness through Internet protocol-based networks, HVAC and other industrial control systems, and open Wi-Fi networks, increase data vulnerability,” Deloitte points out in a 2015 report.
“Do these asset-level cybersecurity risks solely impact the CRE owners? Not in the least—because intelligent buildings tend to be interlinked with tenant systems, creating exposures to tenants whereby their systems and data can be accessed through the CRE owners’ IT systems.”
That adds up to a double downside. Not only is an apartment management company at risk, so are its residents. According to an analysis by the Deloitte Center for Financial Services, the most visible objective for cyberattacks on CRE companies has been the theft of personal as well as other sensitive information, such as strategic plans and engineering drawings.
Newer building systems also use hardware, software and communication protocols that are more standardized than they used to be, and hackers are adept at learning their vulnerabilities. Remarkably, many apartment properties lack password protection or anti-virus and anti-malware programs, and that puts them at greater risk.
The industry is stepping up its efforts to tackle these concerns. NMHC and the National Apartment Association make the case for a comprehensive approach in “Multifamily and Cybersecurity: The Threat Landscape and Best Practices,” a white paper published in July. Major issues to address range from incident response strategies and evaluation of third-party relationships to oversight, staff training and risk mitigation.
Experts emphasize that responsibility for cybersecurity starts with top executives, who must acknowledge the hazard, assign the development and implementation of a risk management strategy, and then ensure that the company adopts best practices.
Understanding the risks in detail is also important. For instance, a gap analysis can go a long way toward identifying potential weak points. That assessment will lay the groundwork for establishing and testing safeguards against them.
Apartment owners shouldn’t have to fight digital threats alone, and lawmakers recently took steps intended to make it easier to enlist government help. Last year, Congress enacted the Cybersecurity Information Sharing Act, which provides clear authority for companies to share information with each other and with law enforcement agencies. The goal is to open a channel for the private sector to share threat information without fear of antitrust or liability concerns.
“That’s a game-changer for not just multifamily but all businesses as we look for ways to thwart attacks and prevent cyber incidents from occurring,” said Donnelly. “With the news of massive breaches of late, federal attention on cyber and data security can only be expected to increase greatly in the near future.”
Originally appearing in the November 2016 issue of MHN.