Weekly Briefing

article sponsor image
Partner Content

Piercing The Veil Between Investors and Operators

4 min read
listen to article Listen to this article

There is a veil of separation between the investor-owners of commercial and corporate real estate and the day-to-day operations inside of the building. With the increasing amount of building controls technology, continued vendor fragmentation, and staff turnover, material risks at the owner and “Director & Officer” levels must be addressed. This includes vendor contract requirements and insurance gaps and exclusions.

Since the 1980s, all building control systems (such as HVAC, elevator, lighting, parking, and elevators) have become digital, requiring computers, networks, and Internet access. However, the real estate value chain that specifies, designs, installs, and manages them does not have IT expertise, which creates a portfolio-wide operational, financial, and reputational risk that ultimately falls at the feet of the investor-owner. These risks stem from hacking, ransomware, data corruption, lack of backup, and other contractor system mismanagement. The consequences can include ransom payments, system replacement, complete operational interruption, life safety, and brand damage.

In addition to the apparent site disruption from any incident, the insurance industry has not yet addressed these specific areas in nearly any traditional insurance vehicle, including property and casualty, general liability, cyber riders, or directors’ and officers’ insurance. Further, most contractual language for service companies does not sufficiently address who the responsible party is—notwithstanding that the finger-pointing would hinder a building shutdown even more. While the insurance gaps are glaring, there are now a growing number of proactive exclusions for building-level operational technology (OT) cybersecurity impacts for bodily injury, equipment damage, and operational interruption.

In a high-profile court case last year, Merck & Co. prevailed in the argument that nation-state-originated ransomware was not considered an act of war and, thus, not excluded from traditional insurance coverage. Bloomberg reported, "The ruling noted that insurers didn’t change the war language to put companies like Merck ‘on notice’ that cyberattacks wouldn’t be covered, despite a trend of attacks by countries like Russia hitting private sector companies.” While it may sound appealing that the insurance customer won the case, it has had the adverse impact of launching many more proactive exclusions. For example, Lloyds of London has announced that starting this year, all of its insurer groups will have to exclude “catastrophic” state-backed attacks from their cyber insurance policies.

At Intelligent Buildings, we have performed over 7,000 site assessments and seen firsthand that ransomware is a leading cause of cybersecurity financial loss in the industry. We have seen many examples of commercialized and nation-state ransomware in building systems. Building owners and operators have had to pay tens of thousands in Bitcoin to resume operations. In some cases, hundreds of thousands of dollars were spent to completely rebuild control systems. We have also seen others that have had millions in operational losses due to inoperable building systems.

For many commercial real estate investors, it's surprising that these types of information technology (IT) risks are increasingly present in OT systems in buildings they own. We’ve had many discussions with investor types, including private equity, insurance companies, and pension funds, that cannot answer clearly who is accountable for meaningful financial loss, whether all insurance has been reviewed for gaps and exclusions, and if cyber policy requirements in vendor contracts are in place and enforced.

As noted earlier, legacy buildings and buildings systems are nearly all digital, Internet-connected systems since the 1980s, presenting a systemic, industry-wide risk and soft underbelly. However, we are also in the early stages of an era that promises to get existing portfolios to net zero energy or on a meaningful path to net zero. The upshot is that even more connectivity and data will be required to enable net zero, which creates further exposure and risks. While a path to net zero promises increased valuation from lower operational costs and attractiveness to occupants, having shoddy cybersecurity practices and being underinsured or self-insured likewise promises to detract from valuation.

These are widespread conditions and risks in the industry that each ownership group must address as a top-down initiative for both the operational realities and the financial exposure from insurance gaps and exclusions. Operators come and go, so owners and investors should immediately assess their portfolios for conditions on the ground, along with an insurance review. This means a site inventory of systems and contractors, a review of systems connected to the Internet, and if/how they are backed up. Further, service contracts should be reviewed and updated for cybersecurity, business continuity, disaster recovery policy requirements, and compliance reporting.

Tom Shircliff, Co-Founder, Intelligent Buildings
Tom Shircliff is a co-founder of Intelligent Buildings, a smart real estate service firm founded in 2004. Intelligent building provides services for technology strategy, vendor risk management and portfolio decarbonization.

This Week’s Sponsor

Intelligent Buildings® offers portfolio-wide cybersecurity site assessments and ongoing managed services including secure remote access, system backup and policy audits. We are the only company solely focused on real estate technology advisory, assessment, and managed services. Since 2004, we are the most trusted and experienced name in Smart Buildings. Find out more at www.intelligentbuildings.com.