United Kingdom

Smart buildings need smarter risk management

By any measurement, Smart Buildings (or Building Automation) are growing quickly. Various sources suggest the market is worth between $5.7bn and $7bn annually, with projected revenue growth of +30% on a compound annual basis over the next four to five years . Adam Peckman, Global Practice Leader for Cyber Risk Consulting at Aon explains why landlords are increasingly concerned over cyber security.

Typically defined as the automatic centralised control of a building’s heating, ventilation, air conditioning, lighting, security and lift operating systems; smart buildings are enabled by networked solutions that connect some or all of a building’s systems together.

Aon’s own headquarters at 122 Leadenhall Street falls squarely into the category, as do other developments in the UK real estate investment sector’s portfolio.

For example, Land Securities’ 2013 reopening of the Trinity Leeds shopping centre included a networked infrastructure built by Cisco Systems connecting systems including video surveillance cameras; doors, escalators, customer information, and smartphone application interface software .

Cyber security

With connected and shared networks fundamentally changing the way our built environment is being used and operated, thoughts amongst landlords should simultaneously turn to cyber security.

While historically the highest profile cyber-attacks have impacted on the retail, travel, hospitality and financial services industries there is now increasing financial and reputational exposure for property owners, their tenants and stakeholders.

In 2013, researchers showed the potential vulnerabilities of a connected building when they successfully infiltrated the Australian headquarters of Google . Meanwhile, sinister reports of hackers using a specialised search engine called Shodan which finds the IP addresses of web-connected devices, illustrate the open door left by some less secure systems .

Increased reliance on IT solutions for building automation makes landlords potentially vulnerable to disruption on a number of levels,” he adds.

“For example, if hackers gain access to building management systems the property owner and tenants could experience all kinds of potential problems leading to property damage, personal injury, financial loss, business interruption and more”.

Links between building management systems and third-party software have been identified as a primary route for cyber criminals to attempt access into hitherto secure networks.

A similar ‘angle of attack’ was found to be the cause of Target Corporation’s 2013 data breach in which a contractor was linked to the retailer’s electronic billing system . There are many similarities between connected systems like these, and the ones used in a landlord/tenant context. Today’s real estate funds should consider their exposures carefully as standard insurance policy wordings may be insufficient.

If that weren’t encouragement enough, the pending European Union General Data Protection Regulation (EUGDPR) will create considerable obligations of its own. Intended to harmonise protection of personal data across Europe these will come into force on 25th May 2018 and require businesses to notify their local country regulator of any data breach within 72 hours and face fines of up to 4% of global revenue. The UK is likely to adopt a form of this legislation notwithstanding Brexit.

As the market invests more heavily in the technologies to support smart buildings, companies must conduct a thorough risk assessment to properly ascertain their own exposures at an enterprise level.

Within this assessment, should be the identification of credible cyber risk scenarios drawn from trigger event analysis (ie situations which could cause potential first and third party loss exposures).

Once this is properly understood, property owners can begin to model the potential quantum of financial exposure to cyber risk liability scenarios and differentiate between those risks which are insurable and those which can be retained.

It’s a rather blunt illustration, but what if a smart building’s lifts were to fail catastrophically? Does your existing property/casualty insurance programme pick up this type of risk when cyber breach is the proximate cause of loss?

1 Smart Building Market by Building Automation Software Global Forecast 2021; Zion Research – Smart Building Forecast 2014-2020

2 Cisco Systems Case Study; The Internet of Everything

3 BBC News “Help, my building’s been hacked!”

4 Forbes – The terrifying search engine that finds internet connected cameras, traffic lights, medical devices, baby monitors and power plants

5 Wall Street Journal, 6th February 2014