Multi-family cybersecurity matters more than ever

There was a time, not so long ago, when issues such as cybersecurity and data security were not spoken of in the same sentence as multifamily housing. However, topics that once seemed to be the sole concern of financial institutions perhaps as little as five years ago are now high on the list of concerns for apartment owners. This is largely due to the rapid increase in attacks and data breaches.

Additionally, after years of trying to craft cohesive legislation on a federal data standard, the U.S. Congress has revealed the foundations of a data privacy bill that would trump most state laws. The legislation, designed for the industry in general, would contain many provisions that would have a significant impact on the multi-family sector.


For owners and managers of apartment buildings, cybersecurity risks are akin to those of a banking institution, as they deal not only with the personal information of employees, but also that of residents. An individual’s most important and valuable details – social security number, employer information, emergency contact details, phone number, salary – are in one place to be taken by a semi-cunning hacker. Of course, the multi-family industry is not alone.

Nicole Upano, National Apartment Association

“When collecting and transferring sensitive information that would be used in the resident screening process, these are all considerations – with this volume of electronic data – where housing providers simply need to be aware of their responsibilities, and not just of their responsibilities, but how the responsibilities are distributed, say, between them and all the service providers they work with who also touch this data,” said Nicole Upano, assistant vice president for housing policy and regulatory affairs at the National Apartment Association.

According to Audit Analytics’ Trends in Cyber Security Breach Disclosures report, cybersecurity breaches increased 118% year-over-year in 2021, with ransomware attacks up 44%. However, the figure only takes into account data compiled through filings with the Securities and Exchange Commission, so it represents only a fraction of the actual total.

The problem, as you might expect, is global. The website of risk management software company KonBriefing presents a list of cyberattacks around the world, and in recent months there has been an attack on a non-profit housing association in Austria, one on several housing associations in the Netherlands and, more recently, an attack on the United Kingdom’s largest housing association, which still has a note on its website notifying visitors of computer issues due to a “cybersecurity incident”.

Long-awaited movement

The National Multifamily Housing Council and other industry entities have long recognized the ramifications of these challenges and have welcomed advances in federal data security legislation; although progress, in this case, is relative.


On June 3, 2022, leading members of the Senate Committee on Commerce, Science, and Transportation and the House Committee on Energy and Commerce released a discussion draft of a comprehensive data privacy bill, the American Data Privacy and Protection Act. Lawmakers have openly admitted that the national data privacy and security framework has taken years to prepare, but the effort, while only a bill, is quite an achievement because it is the first comprehensive privacy proposal to gain bipartisan, bicameral support.

The draft covers many areas, including granting broad protections to Americans against the discriminatory use of their data and requiring covered entities to minimize up front the data of individuals they must collect, process and transfer so that use is limited to what is reasonably necessary, proportionate and limited for specific products and services. The National Multifamily Housing Council and the National Apartment Association say that while the effort has many positives, there remain issues that must be addressed to protect the industry, and the organizations expressed their views in a letter to members of the Ranking Committee applauding the progress of the House on the legislation. One area of concern is the security breach notification process.

As it stands, the ADPPA Discussion Draft contains consumer notification process provisions that require covered entities to communicate changes to privacy policies to individuals. The NMHC and NAA request that any service provider be required to first notify their customer and the apartment company of any privacy changes, breaches or security breaches.

“We want to make sure that we have a clear delineation between who is responsible in the event of a breach and if it is a third party who is ultimately responsible that they must first inform their client, who would be the accommodation provider, before making any notification, as it is ultimately the reputational risk of the housing provider in the event of a breach,” Upano noted. “The housing provider should make that call on how to communicate that to residents or applicants, and for this bill, it appears to cover employees as well.”


Another issue in the draft that is highly relevant to the multi-family industry is the consumer’s right to access, correct, delete and export covered data. Although NMHC and NAA did not ask for any guarantees regarding this provision in their letter other than a reasonable time to respond to consumer inquiries, they emphasize to their members that consumers’ control over their data will have a direct impact on the multifamily housing industry.

“This would give consumers the right to consent to the collection, processing and transfer of covered sensitive information. So as we process, collect and use all of this data from applicants, residents and employees of different types, it is certainly important for the industry to understand it,” Upano added. “There are just a lot more rules or standards that they have to build into their current processes. So having a federal standard, we’re certainly very supportive of it, and we think it would be a good thing for the industry to help navigate the operational consequences of this patchwork of state laws that’s currently in place.”

Run for cover

With the rapid spread of cybersecurity breaches and data security breaches comes the growing need for liability protection. Cyber insurance is a relatively new product, with the first cyber laws requiring notification having emerged in the early 2000s. However, the monetary damages that come with breaches such as ransomware can be debilitating for a business, and a multi-family owner or apartment corporation is no exception.

Thomas Bentz, Holland & Knight

“The authors found they could get away with ransomware just fine. It used to be a $10,000 ransomware problem, now it’s more likely a seven-figure problem. And the carriers had to try to accommodate and manage that, which they’ve done by sometimes increasing retentions, your deductible, sometimes putting sublimits on coverage, and sometimes putting other requirements in the policy or excluding completely industry-specific coverage,” said Thomas Bentz Jr., a partner practicing insurance law at Holland & Knight.

Premiums for cyber insurance have risen dramatically over the past three years as ransomware activity becomes more rampant and more costly for the insurance industry, which is still trying to figure out how to price this coverage in a meaningful, appropriate way. And then there’s the issue of silent cyber issues, a cross-issue that contradicts the traditional insurance concept of a single policy to address one issue.

The premise is not so simple when it comes to cybersecurity incidents. Bentz points to a customer whose system hack caused a fire suppression system to accidentally go off, resulting in hundreds of thousands of dollars in damages. The hack was a breach under the cyber policy, which covered data loss, but not hardware damage. The general liability policy acknowledged that there had been property damage, but because it was caused by a data breach, refused to cover the damage.

“With cyber, it gets really complicated really quickly because there’s so many potential crossovers or crossovers for these other policies, you end up with these policies pointing back and forth and really trying to figure out what this loss really belongs to,” Bentz said.

Even if an apartment owner is sufficiently covered against cybercrime, the policy is useless if those responsible do not know how to use it. Unlike property crimes, cybercrimes need to be solved in a short period of time, usually within hours. Fallout management requires special knowledge and, as Upano noted, “the potential for litigation is quite high when there’s this patchwork of state laws.”

Bentz noted that, now more than ever, it is vitally important to select the best underwriter, which is not necessarily the most profitable option. When an issue arises, the choice of attorney will be very important: if your coverage pays a maximum of $200/hour for an attorney, will you pay coinsurance for that attorney, and will you have enough options for representation? It is also essential that someone in the office knows who the carrier is and where the policy is.

“You really need to have everything set up and ready to go so that when you hit the problem, you’re not trying to figure it all out. And you need to make sure everyone is on the same page. There’s a lot of disconnect in my experience between C-suite executives, IT and the risk management group as to who you want to hire, what’s working, what’s going well, what’s not,” Bentz said. “Probably the biggest problem we’ve seen in the last couple of years: Risk managers losing their jobs or CFOs losing their jobs because he or she didn’t coordinate this.”

For now, any real change is in the hands of the government. There was a subcommittee markup on the ADPPA discussion draft on June 23rd. the concept. “Maybe we’ll get there.”

Read the August 2022 issue of MHN.
