How big of a threat is cybercrime?
The raw numbers charting the growth in cybercrime are staggering—but is it something the multifamily community needs to worry about? Remote tours, touchless leasing and new ways to pay rent all create “surfaces,” a term used by cybercrime fighters to designate entry points for fraudsters. Multifamily housing owner-operators have been dealing with personal data since before the internet was invented but that doesn’t mean the industry is safe from attacks.
“Back in 2019 before I started, a hacker compromised the email accounts of about 50 users,” says Luke Chalmers, IT Director of Los Angeles-based Decron Properties. “The company enabled multi-factor authentication soon afterwards. We have since enabled numerous policies against phishing and implemented policies around password protection, location blocks and enlisted managed detection and response systems.”
The low-hanging fruit for cybercriminals and those charged with thwarting them remains the digital inbox. “The number one threat vector is user error,” says Julianne Goodfellow, Vice President, Government Affairs, National Multifamily Housing Council (NMHC). “Though there can be insider threats, the most likely scenario is that an employee incorrectly believes an email is from a trusted source. Employees at all levels fall for incredibly sophisticated spear phishing attacks, meaning those that are directly tailored to them and are incredibly believable.”
Many owner-operators rely on third-party IT help to fend off the spear phishers using standardized defensive maneuvers. “Similar to every business, many phishing attempts often come through a Rookwood Properties email address, but many are caught from the email filters that were set up by our IT partner,” says Abbie Huffman, Director, Multifamily Operations, for Cincinnati-based Rookwood Properties. “If a company email were to be compromised, our IT partner automatically forces a sign-out of all sessions, resets the password and checks the account for any malicious rules or setting changes.”
Subbing It Out
Subbing out vital cybersecurity services comes with inherent risk. “Apartment owners and operators rely on service providers and suppliers, and those service providers and suppliers also rely on service providers and suppliers,” says Goodfellow. “The saying that you are only as safe as your weakest link applies here.” NMHC has been tracking cybercrime in the multifamily housing industry and in January released a security checklist that includes some commonsense tips for vetting IT partners.
Huffman agrees. “Even an organization with the best cybersecurity practices is vulnerable if another organization down the chain exposes them,” she says. “We have implemented robust measures by partnering with reputable technology providers. They employ advanced encryption protocols and regular vulnerability assessments to ensure the protection of our [residents’] data. Additionally, our systems have stringent access controls in place, allowing only authorized personnel to access sensitive information.”
The Legal Side
Data protection regulations in the U.S. are shifting, forcing owner-operators to learn a whole new set of acronyms. Several states have enacted data protection legislation based on the European Union's General Data Protection Regulation (GDPR). The GDPR is a “rights-based” approach that allows individuals to own their personal information and control where it goes. Right-based is opposed to “harm-prevention-based,” which seeks to minimize damage caused by hacks.
California leads the way in rights-based measures starting with the Investigative Consumer Reporting Agencies Act (ICRA), which came into play in 2018. The law became relevant for the multifamily industry by way of a U.S. Supreme Court decision. ICRA regulates how criminal background checks can be used and shared. In the same year, the state also passed the California Consumer Privacy Act (CCPA), which was then amended by the California Privacy Rights Act (CPRA). The rules went into effect in 2020.
Colorado, Connecticut, Utah and Virginia started enforcing their own new GDPR-inspired statutes in 2023 with more states likely to follow. Safeguarding resident’s data is becoming more complex. “This is a very challenging task, especially in California,” says Chalmers. “The bulk of our data is stored in our software platform which has maintained certain security standards and allowed us to stay in compliance with CCPA, CRPA and [ICRA]. Banking details and social security numbers are protected and starred out. Internally we have data loss prevention policies in place which prevents personal identifiable information (PII) from being sent via email. We are working on blocking incoming emails with PII but have struggled to get that to work.”
Owner-operators come in a variety of sizes and shapes. Businesses that stretch across state lines can also encounter conflicting regulations about data handling requirements. “There’s no one-size-fits-all approach, because organizations collect varying levels of data and have different levels of resources,” says Goodfellow. “[NAA and NMHC] have long communicated the need for flexible and scalable national cybersecurity and data privacy standards that preempt state laws to help organizations that operate in more than one state.”
Working across state lines or even across town raises risk as the data flows from one location to the other. “With multifamily, you aren’t only worried about a handful of corporate locations and your employee’s data and how it’s handled, but also the employees that work remotely or at the property offices,” says Chalmers. “Then you have residents and applicant’s data to worry about. Data exchange is hard because we can impose policies and procedures to block the exchange of PII moving out, but we have very little control on how applicants or residents choose to provide data to us.”
Held for Ransom
Ransomware is a hot game in the cybercrime business model. Cybersecurity Ventures estimates that a new ransomware attack occurred every 11 seconds in 2021, an uptick from 2019 when it was every 14 seconds. Especially at-risk industries include energy companies and the financial services industry, but multifamily is not immune.
“Ransomware is a very real threat that is only increasing as hackers become more sophisticated,” says Huffman. “The reality is that organizations will have to navigate attacks and will fall victim to cybercriminals. An apartment firm has to prevent every single attack while the criminals just need one unknowing victim to click a link or download a file. Ensuring good online security will make any incident less impactful. That means having a strong incident response plan in place so the organization can respond appropriately to single computer incidents and enterprise-wide hacks.”
As technology continues to evolve the burden of stopping cybercrime before it gets into the company database slides back to effective training. “At Rookwood Properties, we have a partnership with a local IT support company that has created a cybersecurity awareness training program that we utilize for all our employees,” says Huffman.
“Each month, every employee receives a quick video to watch on topics such as password management, two-factor authentication, what it is and why it’s important; Wi-Fi insecurities and how to reduce Wi-Fi risks; or spotting and avoiding phishing attacks.” The video is followed with a quiz.
Rookwood’s IT partner also employs password managers on every company computer and multi-factor authentication on internal company platforms. The software package includes antivirus and endpoint detection and response systems, continuous server and email backups, email log monitoring and spam filters on all company email addresses.
The ability to insure a business from various types of cybercrime is rising in tandem with the threats. Cybersecurity Ventures predicts the cyberinsurance market will grow to $14.8 billion in 2025 and will exceed $34 billion by 2031.
“Cyberinsurance is widely used in the industry,” says Goodfellow. “Often times by going through the process of obtaining a policy, organizations benefit from insurers’ requirements that they update practices to get coverage.”
NMHC recommends that when shopping for a policy, owner-operators should use their own experts and legal professionals to vet systems and procedures rather than choosing from an insurer’s list of subject matter experts. Some key policy terms including retroactive dates may be negotiable based on risk-transfer needs. Many policies only cover online
incidents occurring after the retroactive date, which may result in an uninsured loss. It’s best to clarify whether a policy is written on a “duty to defend” basis or a “non-duty to defend.” Duty to defend puts the burden of hiring legal counsel on the insurance company in the event of a claim.
“I think with the explosion of AI it will be interesting to see how federal regulations adjust,” says Chalmers. “Every day a crazy amount of data is ingested into our systems, so the need to protect that data gets larger and larger.” As the Internet of Things continues to get smarter through emerging technology, owner-operators have to stay on their toes.
“Cybercrime is a constantly evolving threat, so it is crucial that we stay proactive and ahead of potential attacks,” says Huffman. “This involves staying informed about the latest trends in cybercrime and implementing effective security measures to keep our systems and data safe. We regularly train our staff on data handling best practices to ensure they are equipped with necessary knowledge to safeguard our [residents’] data.”
Scott Sowers is a frequent contributor to units.