It may be nearly impossible to prevent a cybersecurity incident, but preparing for the inevitability of one can help apartment firms mitigate the severity of the aftermath. During the 2016 OPTECH Conference & Exposition, a panel of experts discussed ten actionable steps to create a strong cybersecurity action plan.
The panel included moderator Keven Sticher, senior vice president of technology and security at Monogram Residential Trust; Chris Cwalina, partner with Holland and Knight; Ryan Byrd, chief information and vice president of engineering at Entrata; Heather Wilkinson, vice president and southwest regional manager of cyber and E&O at Willis Towers Watson; and Jeremy Rasmussen, cybersecurity director at Abacode.
More detail on the following steps can be found in the NMHC/NAA white paper “Multifamily and Cybersecurity: The Threat Landscape and Best Practices.”
1. Conduct an assessment of critical data and find vulnerabilities early
There has been an evolution in what cyber criminals are looking to steal. The ROI on personally identifiable information (PII) is significantly higher than that of credit cards. So, apartment firms need to look closely at what information they are collecting and who has access to that data beyond direct vendors. There are many touch points, and each should be evaluated.
2. Draft and regularly update an incident response plan
An incident response plan provides a roadmap for dealing with a cybersecurity incident. Insurers will want to see who is involved in the incidence response. It takes coordination on all levels, from IT level to c-suite. An incident response plan also should be tested; it can’t just be sitting on the shelf.
3. Understand your risk and consider cyber insurance coverage
The insurance market has been stabilizing after years of volatility. Revenues and record counts will always be the first thing that insurers will look at to determine rates. Apartment firms should consider whether they need the data they have, and dispose of unneeded data. For example, are you storing the information of potential residents who complete an application but don’t sign a lease?
An organization can also be more attractive to insurers by having a culture of security and by knowing where data is, what it is and how it is being stored.
4. Conduct security screenings on supplier candidates prior to and after engagement
Apartment firms need to do their due diligence and verify suppliers’ certifications and security controls. Look at reporting standards such as SOC 1 and SOC 2, which will show any exceptions during the audit period. You can ask your suppliers for annual certification showing they have been compliant with their IT security controls.
Also ask what suppliers’ security controls are. Apartment firms need specific details about their security policies, procedures and controls, not just a statement that the supplier passed. You also
5. Regularly review third-party contracts and ensure liability and responsibility is clear
Experts noted that roughly 75 percent of breaches they’ve encountered involved a contract element. This often happens because companies are working with so-called “old paper,” or contracts with long-time supplier partners. Because of these legacy relationships, often the cybersecurity provisions in the contracts are often out of date, creating vulnerabilities and liabilities. Many contracts often say there is shared security responsibility with the supplier.
6. Conduct regular audits of contracted suppliers’ data security practices
The multifamily industry is not highly-regulated and lacks high-tech sophistication, so it is particularly vulnerable to cyber attacks. But regardless of how the breach occurred, apartment firms are the ones ultimately responsible for the data.
In the event of an incident, the resident is not going to go after the supplier, they are going to go after the apartment firm. Anytime you let data leave your network or have data on your own network, you are liable for it.
For this reason, if a supplier is going to have a trust relationship with your system, they also need to be compliant and have technology, policy and procedure controls.
7. Retain outside expertise in advance of trouble
Today, there’s an assumption that everyone has been breached. The question is how quickly you can respond. You need to have an ability to monitor your systems and have proper governance in place prior to an event. Engaging counsel, forensics, notification and response firms after an intrusion is discovered will be costlier. Establish contracts with your response team before an intrusion.
8. Create security awareness training program for employees and test regularly
Consider having a training program that includes testing staff with phishing emails. This will greatly reduce your vulnerabilities. Also, look at mobile device management when considering firm provided and bring your own device (BYOD) policies.
The Verizon’s annual data breach investigations report is a great resource as firms build their security awareness training programs.
9. Conduct periodic assessments and cyber incident drills with relevant staff-legal, corporate, public relations, operations, etc.
Evaluate access points with testing and tabletop exercises. Make sure staff and suppliers can only access information that is appropriate for their job level and function.
Also, consider the length of time that systems are backed up to protect against ransomware. The only way you know if your backup system works is if you test it.
10. Ensure senior leadership understands your cybersecurity program and associated risks with regular reporting.
Apartment firms’ incident response plans should include individuals in HR, legal, executive leadership, daily IT management and governance. Insurance premiums are affected by what you’re budgeting both for IT and information security and for corporate governance - policy, procedures, training, employee outreach, etc.
As a part of proper governance, senior leadership must be involved in the firm’s data security program from the beginning. It’s unfair to put it solely on shoulders of IT. Consider IT and security as separate duties.
NMHC offers additional resources on how to better protect your firm’s data at nmhc.org/data-security.
- FTC Commercial Surveillance and Data Security Comment Letter
- Legislation that Creates Federal Data Privacy Standard Advances to Senate
- NMHC NAA Data Privacy Letter to Energy and Commerce Committee
- NMHC NAA Letter on Data Privacy
- Bipartisan Lawmakers Release Federal Data Privacy Bill That Would Have Impact on Multifamily Data Practices