Cyber risk is an existential issue for companies of all sizes and in all industries. The integration of technology and automation into everyday business practices, along with the related collection, use, and sharing of information, presents an enormous opportunity for efficiency and precision, especially in the real estate sector. However, it also exposes companies to additional layers of risk.
For those in the real estate industry, including real estate owners, developers, property managers, real estate investment trusts (REITs), hospitality groups, and investment managers, cyber risks are more complicated because of the multilayered environment and multiple stakeholders who are involved. Managing cyber, privacy, and technology exposures through insurance can be complex and requires expert attention to detail around some key areas: contractual risk management, insurance coverage negotiation, cyber-physical damage risk, and the constantly expanding universe of regulatory and privacy litigation.
We’ll dive into some of these key challenges and provide recommendations to address them.
Whose Liability Is It Anyway?
Real estate entities and their trading partner ecosystems are more complicated from a contractual perspective than other industries. Specifically, property owners often hire a property manager or branded hotel operator to oversee the day-to-day operations of a given asset within their portfolio. Frequently, the liability associated with slip-and-falls is pushed up to the owner—and within that same upstream push, so goes privacy and data breach liability.
While this is standard practice for addressing liability within the universe of real estate, deliberate and precise actions are required when negotiating cyber insurance coverage. All stakeholders, including insurers, need to understand whose cyber insurance policy responds to an incident. The industry standard for real estate insurance programs is to ensure that liability flows to the property owner. For underwriters to agree to this reverse flow of cyber liability up to the property owner, property managers must work with the owners and both sides’ insurance stakeholders to ensure the underwriters can effectively gauge the property manager’s and owner’s cyber hygiene.
Absent these discussions, off-the-shelf cyber policies do not respond to loss arising from the negligence of a property manager or other third party, and the property owner’s data breach coverage will not respond to indemnification agreements in favor of the property manager. Even worse, boilerplate contractual liability exclusions within most cyber insurance policies will exclude coverage for special purpose vehicles or other interested parties.
Property owners also should push liability to the managers if the managers are collecting or storing personally identifiable information (PII) for their own business use (like loyalty programs or co-branded marketing benefits).
Real Estate Portfolios Are Uniquely Exposed to Cyber Physical Damage Risk
Smart keys, smart thermostats, smart people movers, and smart HVAC equipment are all very smart. Well, until they’re not. Threat actors and hackers are keenly aware of the crippling damage they can cause to real-world infrastructure if they can access those systems during a cyberattack.
Property owners and managers alike must understand that a material gap exists within their insurance portfolios: Property policies provide little or no coverage for physical damage and business interruption when it results from a cyberattack, and cyber policies specifically exclude physical damage loss.
We recommend owners who have property portfolios that are exposed to industrial control systems or other smart IoT technology undertake a coverage gap analysis to understand where there are deficiencies in coverage. They should also work with their broker to assemble a clear and bespoke solution to transfer that portion of the risk to a cyber-physical damage insurance policy.
The Regulatory Landscape Continues to Increase in Complexity
Real estate companies have always had to protect confidential information. From background and credit checks for employees and tenants to bank account and credit card information for rent payments and hotel stays, the standard suite of PII has always existed within real estate operations, and this exposure was always subject to various data protection requirements all over the world. Management contracts should identify the entity responsible (and liable) for data breach notifications, privacy suits, and regulatory investigations arising out of a privacy event.
But there is a more sinister privacy risk that will also drive claims activity for property owners and managers. With the advent of biometric protection laws and resulting class action suits, wrongful and/or unlawful collection litigation on the rise, and increasingly aggressive state attorneys general pursuing claims of discrimination based on improper credit and consumer report use and reporting, real estate entities need to devote a considerable amount of time and resource to managing non-data breach privacy exposures. Video surveillance, fingerprint and retina scanners, and outsourced tenant application intake strategies are all sizeable blind spots owners and managers rarely think about from a privacy perspective.
While the cyber insurance market is very much in flux on whether to insure these risks, there are still opportunities to achieve coverage enhancements for those clients with sophisticated controls or sizeable premium spend. Frankly, non-data-breach privacy risks may not always be insurable, but they will always exist. Real estate entities should consider engaging their broker, outside counsel, and consultants to ensure the best possible controls and privacy implementation techniques are in place to avoid embarrassing regulatory scrutiny and painfully expensive class action litigation.
There’s Good News—You Don’t Have to Go It Alone
Determining liability, identifying coverage gaps, and keeping up with privacy regulations are just some of the unique cyber challenges within the real estate industry. To address these challenges, work with insurance specialists who understand your business and the industry and have the insurance expertise to guide you through risk transfer options.