June 27, 2017, was the day when cybersecurity and cybersecurity insurance changed forever. Ukrainian companies were among the first hit in a major global cyberattack that used a new variant of the encrypting malware called Petya, which would later be known as “NotPetya.” Soon after, NotPetya infections cropped up in France, Germany, Italy, the U.K., Poland, and the United States, but most infections targeted Ukraine, including the National Bank of Ukraine. Many believe the attack was all but certainly a politically motivated one against Ukraine from the Russian government, though it quickly spread worldwide.
NotPetya caused enormous damage, crippling dozens of corporations, government institutions, and critical infrastructure. Many estimates say the damage of the attacks was more than $10 billion globally, one of the most devastating cyber-attacks in history and, therefore, one of the most closely studied. In a close examination of the attack and malware, Wired magazine said in 2018 that “the release of NotPetya was an act of cyberwar by almost any definition.”
The NotPetya attack has had such a gigantic influence on cybersecurity insurance because the scale of damage led many carriers to introduce cyber exclusions across their commercial insurance policies. Perhaps the most noted of the exclusions centers on Mondelez International, a multinational food company headquartered in Chicago that makes snack foods (including Oreos). Mondelez was walloped by the NotPetya attack, so the company filed a claim for damages with its carrier, Zurich, which was promptly denied because Zurich claimed it didn’t cover damages caused by war.
Mondelez suffered estimated total damages of more than $100 million, and they sued Zurich over whether NotPetya was sufficiently “warlike” to trigger an exception in the cyber insurance policy. So what does all this have to do with commercial real estate? More than you may think. Because of threats like NotPetya and other recent notable cyber-attacks, the traditional property insurance market has been removing cyber attack inclusion from its product lines.
Part of this is because insurance carriers have little to no visibility of the types of cybersecurity measures that commercial property owners and companies have in place. According to the cybersecurity experts I spoke with, this has led to the growth of a stand-alone cybersecurity insurance market that has led to confusion in the real estate industry.
Many commercial property owners and firms may not be aware that their traditional blanket insurance policies have exclusions for cyber-attacks. The cyber insurance market is also coming out of a so-called “hard market cycle,” meaning the frequency and severity of attacks have forced insurers to change their underwriting practices to protect against an onslaught of expensive claims. Cyber insurance premiums have become more expensive, coverage is harder to obtain, and the cybersecurity prevention measures property owners must have in place have gotten more comprehensive. This is something many commercial property owners may not be very aware of now, but a liability concern in the industry that is beginning to ring alarm bells.
A new level of sophistication
As commercial real estate increasingly relies on digital systems and smart building technology, the threats and vulnerabilities have risen, too. And while real estate is not traditionally a big target for cyber-attacks like the education, government, and finance sectors, the reality is no industry seems safe anymore. Cyber-attacks have risen exponentially across all sectors in recent years, especially since the onset of the pandemic. Cybercrime is estimated to account for a loss of $10.5 trillion globally by 2025, according to a report from Cybersecurity Ventures. To put this enormous number into context, consider that the nominal GDP for the entire United States in 2021 was $20 trillion.
Jason Lund, Leader of Technology Infrastructure, U.S., at JLL, said the commercial real estate industry is at “the beginner’s level with cyber insurance right now,” though many are doing a decent job raising awareness about it. “We’re building the boat as we sail it,” Lund said. Unfortunately, there’s still some skepticism in the industry about the threat of cybercrime. “Some building owners think the threats of cyber-attacks are the things that only happen in movies, like ‘Mission Impossible’ stuff.” That’s starting to change, albeit slowly.
The threats of cybercrime in real estate are growing, so awareness about cybersecurity and cyber insurance must grow in tandem. But Lund said the misconceptions about cyber insurance are leading to increasingly common situations where building owners think they’re covered when an attack happens, only to discover they’re sorely mistaken.
The first step for building owners is to ask basic questions on what level of cyber insurance protection their property has, including if cyber coverage is even included in the first place. From there, property owners can begin shopping for different cyber policy providers and work with insurance brokers to evaluate their level of risk and what type of coverage they’ll need. The type and scope of coverage will depend on the building and tenant mix. For example, obtaining coverage for a warehouse or industrial property where machine downtime is a big concern versus a property with financial or banking tenants will be much different.
Building owners should also know that obtaining coverage has become more complex recently. Carriers will send detailed questionnaires specific to the types of cybersecurity prevention measures in place, and you can’t just say “yes or no” anymore to the questions, which was the case only a few years ago. “Questionnaires for cyber insurance used to be just one page, but now they’re much more detailed, with online forms with about 60 detailed questions,” said Sandy Jacolow, CTO at Empire State Realty Trust, whose firm just went through the cyber insurance renewal process. “There’s a level of sophistication now in getting coverage because so many insurers have gotten burnt.”
There are certain cybersecurity practices you absolutely need to have in place to obtain coverage, such as multi-factor authentication. It also comes down to your programs and software tools, as some are safer than others. For example, cyber insurance carriers will evaluate policies based on companies’ use of Google or Microsoft programs, and they could adjust premiums based on the choice. Google uses an effective two-factor authentication solution, but many cybersecurity experts consider Microsoft’s authenticator superior. That’s just one example of the countless nuances in the types of computer systems used that could affect cyber insurance coverage.
Cyber insurance carriers will also want to know if you have a crisis management team and response plan for ransomware attacks and, in many cases, who will be the approved negotiator if you get hit by one of these attacks. If you don’t use the insurer’s approved negotiation vendors for ransomware, you risk not being reimbursed for the costs of a ransomware incident. Cyber awareness training regularly among employees is also critical in carriers’ eyes, and it must be done often. “People are the biggest risk in cybersecurity,” Jacolow said. “Phishing exercises show what users aren’t up to speed and who’s clicking on malicious links. One of the biggest challenges is to get folks to realize that cybersecurity is everyone’s responsibility, not just IT’s responsibility.”
Frequently, maintenance workers are those who need the most cybersecurity training. More of what they do today relates to technology, like the use of tablets, smartphones, and smart building systems, and maintenance employees may not be the most tech-savvy on the staff. Carriers will evaluate several of these critical cybersecurity practices before offering coverage, and it’s usually a long list. Other things carriers will look for are endpoint detection and response, patch management, secure remote access, email filtering, and adequately architected user management and service accounts.
Premium costs are rising
If building owners and firms follow the best cybersecurity practices, they likely won’t have to pay higher rates and will have a better chance of obtaining coverage. The complexity of the vetting process for obtaining coverage also means property owners shouldn’t wait until the last minute before renewal to start the process. There’s so much that needs to get done that there must be adequate time set aside, or it won’t be done on time.
The average cost of cybersecurity insurance is rising, though it pales in comparison to how expensive cyber-attacks are. Average premiums in 2022 range from $650 to $2,357 annually based on companies with moderate risks, according to a study by AdvisorSmith using quote estimates and rate filings from more than 43 insurance companies in the U.S. The premiums were based on liability limits of $1 million, with a $10,000 deductible and $1 million in company revenue. The damage of cyber-attacks is far worse, as the cost to respond to a data breach for small to midsize businesses in the U.S. is an average of $86,000.
The same study by AdvisorSmith showed the average cost of premiums rose by 25 percent between 2020 and 2021, with some policyholders paying a more than 80 percent higher rate in 2022. Depending on the size and revenues of the company or property, rates will obviously be higher and can still be higher depending on the risk level. Building owners may pay higher premiums because of the data they store and the tenants they have, who may store sensitive information like social security numbers and financial information.
Spending more on cybersecurity is something many property owners may have to do, which can lower the cost of premiums, according to Dave Cahoon, CTO at Red Bison, a commercial real estate cybersecurity firm. “Many businesses spend 5 to 10 percent of their budgets on cybersecurity, and I don’t think that’s nearly enough,” Cahoon said. “I come from a high-tech background, and much of the tech and cybersecurity in commercial buildings are woefully behind the times.” Cahoon said there’s a lot of focus on IT and ransomware in real estate but not nearly enough focus on operational technology systems like Internet of Things sensors and smart building systems. Many of these sensors are big threat windows and don’t have built-in security.
Cahoon agrees with many experts that numerous building owners aren’t aware of the intricacies of cyber insurance and what they need to do. Still, he thinks more regulations will come soon from the federal and local levels that will mandate more cybersecurity measures for businesses and landlords. At least 40 U.S. states introduced and considered more than 250 pieces of legislation that deal with cybersecurity in 2022, according to the National Conference of State Legislatures. In addition, the SEC proposed a rule in March 2022 that would require public companies to disclose whether their boards have members with cybersecurity expertise.
Major cyber-attacks like 2017’s NotPetya have significantly changed the market for cybersecurity insurance in all industries, and commercial real estate is no exception. Obtaining the best cyber insurance policy is vital for real estate owners as threats continue to rise, but it’s not easy. The confusion around cyber coverage in real estate is widespread, but that’ll have to change if property owners don’t want to get caught off-guard.
Costly cyber-attacks continue to worsen in frequency and severity, and insurance carriers are changing underwriting practices to protect themselves. If another major attack like NotPetya occurs again, the real estate industry may not be specifically targeted, but it could still stand to lose big money (as the multinational snackmaker Mondelez International found out in 2017). And attacks don’t have to be as massive as NotPetya to cause significant problems. Having the best cyber insurance coverage and being proactive about this little-talked-about aspect of the industry could mean the difference between a slight loss and one that could substantially hurt a property owner of any size.