Last May, a cybersecurity researcher discovered a security flaw on the website of First American, a leading provider of title insurance to homebuyers and sellers, that had left an estimated 885 million sensitive files exposed to the world. The digitized documents contained private information ranging from bank account statements and tax records to driver’s license images and Social Security numbers.
First American took immediate action to fix the breach, but the incident highlighted the vulnerabilities that are created when digital technology meets real estate. Cyber risks lurk in the multifamily industry, too, as apartment residents generate larger digital footprints and building management functions migrate online.
“Cybersecurity and cyber vulnerability are starting to become a lot more topical” for executives at multifamily groups, said Jake Fingert, a general partner at real estate technology-focused venture capital firm Camber Creek.
That’s a good thing, because many industry players need a crash course in best practices. “The primary challenge for property owners and managers is that they very rarely have the expertise in-house to know what they don’t know, to know what the risks are,” said Felicite Moorman, co-founder & CEO of smart apartment technology provider STRATIS IoT.
“If you’re a big company, in the top 25, at this point you probably need to hire somebody in infosec (information security) or data security,” rather than just IT, Moorman added. “If you have tens of thousands of residents—it’s time. Our world has shifted in property enough that it’s worth that person.”
SIZING UP THE RISKS
Fingert identifies data risk and the Internet of Things (IoT) as two major areas of cyber concern for the multifamily industry. The data side encompasses information that residents share on their rental applications—from their Social Security numbers to details about their pets—as well as other data that is gathered more surreptitiously, such as by access control systems and on-premises video cameras.
“Ideally you’re storing that in a secure way,” Fingert says. “But a lot of that data and information is sensitive.” Compounding the challenge, multifamily owners and operators are also rolling out mobile apps to create experiences for residents, generating more personal data in the process. For example, an app that provides meal delivery services knows what you’ve had for dinner.
IoT and smart building management create additional threat vectors, as everything from door locks to water systems and temperature controls gets plugged into an IP network. An example of the dangers was provided by a Distributed Denial of Service (DDoS) attack that shut down the heating systems in two apartment buildings in the city of Lappeenranta, Finland, in November 2016.
“Could someone hack into (smart) systems and devices for nefarious purposes?” said Fingert. “That’s another very serious concern that people in the industry should be thinking about.”
Operators of smart apartments and intelligent buildings will typically engage a vendor that has created an application programming interface (API) layer integration or software development kit (SDK) with the property management platform that the operator is using, Moorman said.
“That can create, without some serious cyber-secure design, vulnerabilities just like the Target hack,” she added, referring to the 2014 theft of customer data using the stolen credentials of the retail giant’s HVAC vendor.
BEEFING UP SECURITY
Multifamily firms can shore up their cyber defenses in various ways. First, they should carefully vet companies that they are looking at partnering with, such as smart device providers, to ensure that they have the systems and controls in place to mitigate risks. In some cases, multifamily owners and managers can build their internal capabilities to do the vetting themselves. Otherwise, they may need to rely on advice from cybersecurity or other specialty firms.
“Making sure there’s a good strong track record of security and privacy practices in place already” is essential, says Julianne Goodfellow, senior director of government affairs at the National Multifamily Housing Council (NMHC). It’s also a good idea to consider the financial strengths of a potential technology partner. “If you’re expecting to have a technology for five, 10, 15 years, will they be implementing firmware upgrades or other types of security upgrades, or are you going to be left on your own to manage those?” she adds.
In addition, property owners and managers should ask their vendors for a static code analysis as well as the results of a penetration test—a simulated cyber attack to gauge whether the software being used by the vendor is secure.
Multifamily groups should also implement policies to enhance their own cybersecurity practices. These policies can cover data destruction, regular backups of data, internal audits, compliance and vetting of the company’s own cybersecurity, along with training for employees who handle personally identifiable information.
Cybersecurity insurance, which is designed to protect businesses from losses due to hacking, is another option to consider. “Anecdotally, we’ve seen a massive increase in the number of firms that are buying cybersecurity insurance, relative to where we saw the market maybe five years ago,” noted Fingert.