Protecting commercial property: the critical role of cyber insurance

Research by the insurer Aviva found that businesses are 67% more likely to have experienced a cyber-attack than a physical theft and almost five times as likely to have experienced a cyber-attack than a fire.[1] In today’s uncertain world, cyber insurance can help safeguard the operators of commercial buildings against the financial consequences of cyber incidents. In this article, we’ll discuss the increasing importance of IT systems in the management of commercial buildings and cyber insurance as a component of a comprehensive cyber resilience strategy.

The Importance of Cyber Security for Commercial Property
In scenarios where an office complex or retail centre lacks comprehensive cybersecurity protection, they jeopardize not only their data integrity and operational functionality but also their eligibility for insurance coverage. Insurance providers are increasingly instituting rigorous cybersecurity criteria as a necessary condition for offering coverage. Non-compliance with these conditions may result in the denial of insurance coverage or the termination of existing policies, consequently exposing property owners and operators to significant financial risks.

Hackers Take Control of Building Automation Systems
In 2021, a sophisticated cyber-attack on a German building engineering firm caused significant disruptions by seizing control of hundreds of Building Automation System (BAS) devices that managed functions like light switches, motion detectors, and shutter controllers. The attackers exploited digital security keys to lock out the company from its own systems, leading to a loss of smart functionalities across numerous devices. Security experts were able to recover the compromised system by extracting the hijacked key from a damaged device, underscoring the urgent need for enhanced cybersecurity measures in the management of interconnected building systems.[2] A year later, Security Week published a story about a vulnerability in Siemens Building Automation Controllers that could render them unavailable for days if successfully attacked.[3]

Managing Risk
In response to a continually evolving range of cyber threats, the cyber insurance market has matured, with insurers now requiring evidence of proactive cybersecurity measures before offering coverage. This shift reflects a broader recognition of the integral role that cyber insurance plays in the risk management strategy of many businesses including commercial real estate. By transferring some of the financial risks associated with cyber incidents to insurers, businesses can better manage the aftermath of an attack, including legal and regulatory actions, and focus on restoring operations and reputation.

The Threat Landscape
Commercial building owners and operators face increasing cyber threats. Phishing, social engineering, ransomware, malware, and data breaches are all common. Cybersecurity weaknesses in commercial real estate include Wi-Fi networks, wireless peripherals, key card access, HVAC systems, power supply hardware, and portfolio management software. Smart building technologies such as IoT devices expand the attack surface for potential cyberattacks. Insider threats from malicious staff and human error also present significant risks, as do complex supply chains and third-party service providers.

$8 Million Per Day Failure
In 2018, a Las Vegas casino fell victim to hackers through a smart thermometer. The casino had installed this thermometer to monitor the water temperature of an aquarium in its lobby. However, cybercriminals exploited a vulnerability in the thermometer to gain a foothold in the casino’s network. Once inside the network, they targeted the high-roller database, extracting sensitive information about the casino’s biggest spenders and other private details.[4] Similarly, MGM Resorts International experienced a significant cyber-attack that led to a 10-day computer shutdown including hotel reservations and credit card processing. While specific details about the extent of the breach have not been disclosed, experts estimate that the shutdown cost MGM Resorts up to $8 million per day. These incidents serve as a stark reminder that the proliferation of IoT devices makes organisations and infrastructure more vulnerable to cyber-attacks.[5]

Cyber Essentials
The evolving nature of cyber threats means that yesterday’s security measures may no longer suffice. The National Cyber Security Centre (NCSC) advises organisations to adopt recognised cybersecurity defences, such as those certified by Cyber Essentials or Cyber Essentials Plus, to enhance their security posture and potentially qualify for insurance discounts.

Cyber Insurance Requirements
Cyber insurance has evolved significantly from its early days. Now, insurers recognise the true risks and costs associated with cybercrime and have tightened their requirements accordingly. To get a cyber policy today you will have to complete a questionnaire, providing a detailed explanation of all your security policies and safeguards. Through these questionnaires, a set of core security controls has been established by insurers, although the individual requirements vary from insurer to insurer. If you’re missing any of these 5 controls, your application might be rejected.

5 Criteria for Cyber Insurance:

  1. Security awareness training educates employees with the knowledge and skills to protect an organisation’s data from hacking, phishing, and other breaches. Additionally, testing involves assessing employees’ ability to identify and counter cyber threats, often through real-world phishing scenarios, reinforcing security awareness and behaviour change.
  2. Multi-Factor Authentication (MFA) enhances security by requiring multiple credentials (such as a password and a code from an authentication app) to access IT systems and resources, making it more robust than traditional username-password combinations.
  3. Endpoint Detection and Response (EDR) is a security approach that concentrates on the endpoint environment, including devices such as laptops and desktop computers. The goal is to collect data that can be used to quickly detect, contain, and remedy any security threats. In contrast, Managed Detection and Response (MDR) provides a more comprehensive view of the network by analysing data from various sources. This allows for real-time detection and response to any potential security threats.
  4. Data backup best practice is known as the “3-2-1” rule. The rule requires an organisation to maintain three copies of backup data, stored across two different mediums, with one copy stored securely off-site such as the Cloud.
  5. Vulnerability management is a continuous and regular process of identifying, assessing, reporting, managing, and fixing cyber vulnerabilities present across IT systems. Security teams use various vulnerability management tools to detect vulnerabilities and implement different processes to patch or remediate them.

Commercial building owners and operators will face difficulties in obtaining cyber insurance coverage without adequate security controls. Furthermore, it’s essential to keep in mind that security is an ever-evolving concept. While many insurers currently require five core security elements to consider a firm’s eligibility for coverage, the requirements might change by the time you renew your policy. Therefore, it’s vital to stay up to date with security matters.

Help Meet Cyber Insurance Criteria
As an IT Managed Services Provider (MSP), Modern Networks helps property companies obtain or renew cyber insurance coverage. We do this by ensuring that your company’s IT infrastructure aligns with the required security standards and best practices. We help identify vulnerabilities, implement robust security measures, and provide evidence of compliance to insurers. Additionally, our team can work with you to assess risks, evaluate policy options, and facilitate the application process, ultimately safeguarding your organisation against cyber threats and potential financial losses.

Today, the commercial real estate sector needs to prioritise cybersecurity as it embraces new technologies. Cyber insurance is more than just a financial safeguard; it’s a key element of a robust cybersecurity plan. With cyber threats evolving, the industry needs to update its security strategies. Cyber insurance is crucial in reducing these risks and keeping businesses running smoothly. Commercial property companies need to meet the cybersecurity standards set by insurers to protect their assets, reputation, and financial health. Partnering with Modern Networks gives our customers the necessary IT support and expertise to defend against cyber threats, meet the strict cyber insurance criteria, and retain the trust of stakeholders.

To learn more about how Modern Networks can help landlords and managing agents of commercial buildings remain cyber-secure and insurance-compliant, contact us today. You can call our Exeter office on 01392 796 779 or our Head Office on 01462 426 500. Alternatively, visit our website.

Visit The National Cyber Security Centre (NCSC) website for cyber insurance guidance.

1. Aviva: One in five businesses victims of cyber-attack
2. Cyberattacks shut down Building Automation Systems
3. Security Week: Hackers can make Siemens Buildings Controllers unavailable for days at a time
4. A Casino Gets Hacked Through a Fish-Tank Thermometer
5. MGM Resorts computers back up after 10 days as analysts eye effects of casino cyberattacks