Many people don’t think of commercial real estate when they think about cyberattacks. But they should. A cyberattack can come from almost anywhere, including internet-based building management systems, third-party vendors, SaaS applications and employee’s use of personal devices to access company applications and data. Cyberattacks can result in significant economic and reputational losses and exposure to legal liability.
The type of harm inflicted by a cyberattack depends on the access point of the attack. An attack on data can result in email leaks and theft of personal or proprietary information. An attack on a building management system may result in disruptions to HVAC systems, safety systems and elevators, while an attack through third-party vendors or SaaS applications may lead to treasury management losses or disclosure of personally identifiable information. Even seemingly minor attacks often result in multifaceted losses.
Company leadership needs to assess how their existing technology and practices leave their companies vulnerable to cyberattacks. They must also consider how implementation of new technology may create issues. Finally, leadership should develop cyber risk management plans to include the following:
– Designating specific people with responsibility for cybersecurity
– Implementing formal security protocols and frameworks
– Determining levels of sensitivity of data
– Investing in cybersecurity systems
– Providing training to employees
– Implementing password custody policies
– Implementing diligence requirements for prospective contract counterparties—especially vendors
– Outlining cybersecurity requirements for contract counterparties and
creating incident response plans
Taking these steps can minimize both the number and scope of cyberattacks. However, not every attack is preventable. Once an attack has been detected, it is critical to assess damages, including legal liability.
A company may have multiple types of liability as a result of a single attack, and multiple companies may be liable for the same incident. Companies may find themselves subject to civil liability, government investigations or fines for breach of employee data. An owner of a retail property may find itself liable to its tenants for breach of lease or negligence. Property managers and vendors may be similarly liable to owners. Owners, managers, vendors and tenants may all be liable to the tenants’ invitees. In the case of mixed-use properties, companies face the additional challenge of protecting residential tenants’ personally identifiable information. In addition to private lawsuits, companies that are victims of cyberattacks may also be subject to regulatory violations, including violations of local building and fire codes.
Fortunately, there are several nontechnology steps companies can take to eliminate or minimize their legal exposure. A combination of effective business and legal action can provide strong protections against cyber-based liability.
One of the most important protections companies can employ is smart contract drafting. Inclusion of clauses delineating which party is responsible for different aspects of security; eliminating or limiting liability for certain occurrences; caps on damages; indemnification provisions; confidentiality provisions; provisions governing storage and use of information; and audit requirements can all be employed to insulate or lessen a company’s liability for cybersecurity-related events. Companies can also require that their contract counterparties carry insurance against cyber-based loss and limit their counterparties’ ability to subcontract.
Experience the next generation of interactive security services and solutions with GenX Security.
With custom security integration solutions come custom quotes designed for your needs. Please contact us by clicking here or calling 866-598-4369.