As technology associated with commercial real estate has evolved, landlords are confronted with conundrum: How to use new technologies to modernize buildings and increase profitability by attracting high quality tenants through maximizing tenant experience, while addressing the cybersecurity threats that accompany these new technologies?

The exact problem will differ based on the type of commercial property being offered by a landlord, but the overriding concern remains the same, namely, how to secure the property from cyber-security breaches.  For instance, whether a landlord owns: (i) a climate controlled industrial property used for housing cloud servers, storing food or pharmaceuticals, (ii) a multi-tenant retail property with an open WIFI network and cloud-based security system, or (iii) a mixed use development with state of the art building systems, should the integrated building systems of these properties be accessed and manipulated by a hacker, it could wreak havoc on the tenants, who will seek relief from the landlord. What can a commercial landlord do today to prevent this disaster from occurring and protect its assets and reputation?

Step 1: Technology Audit

The first step for any commercial landlord is performing a technology audit to assist in understanding the threats their particular real estate and tenants present. With increased connectivity to cloud-based building systems, the Internet of Things, and remote access employees, there are multiple points of access that can be exploited by hackers. It is now increasingly common that HVAC, electrical, lighting, security, safety and building management systems (BMS) can be accessed remotely in the ordinary course of building operations. It is crucial to know understand how such systems are integrated into the property, what data is contained therein along with how and who can access these systems.

Step 2: Strengthen Defenses

Next, it is critical for commercial landlords to understand how to strengthen their defenses to outside threats.  Establishing internal practices and protocols designed to keep software and hardware updated, conducting regular employee training about identifying cyber-threats including phishing attacks and spoofs, and maintaining ongoing communications with tenants about the building's technology and operational systems beginning from initial lease negotiations will all help to provide landlords a clear picture of the property's technical infrastructure. In turn, landlords will be able to establish comprehensive defenses to these threats, both internal and external. Likewise, policies covering issues such as cyber-threats need to be drafted and implemented covering such topics as remote access procedures and how to respond to a cyber-incident.

Step 3: Allocate Responsibility

Finally, landlords must take steps to allocate responsibility for technology system integrity to their tenants through lease provisions.  These provisions must clearly define each party's role and responsibilities in the security process.  Topics that must be addressed during lease negotiations include technology-related fit-up responsibilities, capping/limiting damages for cyber-related losses, indemnification provisions and cyber-related insurance concerns, among several more. Additionally, landlords must consider implementing requirements over third-party access to the property, such as a tenant's use of vendors for fit-up or repairs, to ensure that the vendors selected are utilizing security protocols commensurate with the landlord's. Let's not forget that the 2013 Target data breach that resulted in tens of millions in damages was caused by an HVAC contractor whose lax security protocols allowed a hacker to access Target's data. Demanding vendor information and reviewing vendor contracts before work commences is essential.

The unauthorized access of a building system can cause financial harm, disrupt a tenant's business and result in the destruction of property. Imagine, if a remotely accessible temperature control in a cloud server warehouse was accessed by a hacker, and the temperature was raised by 6 or 7 degrees. The result would be catastrophic, and the cost to a landlord could be equally devastating especially if there is no insurance to help address the losses. A prudent landlord must take the initiative to understand the cyber-security threats it faces, have a handle on how to confront the threats through technology and education, and finally, to document everyone's role and responsibilities in the lease governing the property.

Originally published 3 November 2020.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.