The UK is one of the world’s most advanced digital economies, with 12.5% of our economy activity now conducted online – a figure that will only increase. Consequently UK businesses are particularly vulnerable to hacking, cyber-crime and cyber-terrorism. Indeed, last year a government survey estimated that 90% of large corporations and 74% of small businesses suffered a cyber-breach, with the average cost of a breach being estimated at between £1.46m and £3.14m for a large business. And property businesses are by no means immune. On the contrary, property owners face some unique challenges when it comes to cyber-security, particularly in relation to their Building Management Systems.
Potentially vulnerable BMS are now found in many buildings. A 2015 paper published by QinetiQ listed systems including lighting (deactivation of lights may cause safety and productivity issues including public panic), access control (remote release of secure doors resulting in unauthorised access, erasure of access logs to cover criminal activity), HVAC (activation or deactivation of heating or cooling causing plant/equipment shutdown or malfunction), CCTV (increased situational awareness for intruders), lifts (denial of service, overriding lift access control) and tenant billing as being possible targets for everyone from terrorists through to bored teenagers.
Such concerns are emphatically not just a futuristic nightmare. In China in 2014, Jesus Molina found that he could easily take control of the thermostats, lights, TVs and window blinds in all of the St. Regis Shenzhen hotel’s 250-plus rooms. Recently, a member of the Free Software Foundation discovered much the same thing at the hotel he was staying at in London. Fortunately for the hotel owners, neither hacker’s intent was malicious. But with those involved in installing and managing BMS tending not to have security expertise, new systems are often connected into wireless networks without adequate security. As a result, a malicious attack may well be a matter of “when” rather than “if”. For example it is all too easy to imagine a hacker gaining access to a property’s BMS and holding a building owner to ransom. And the risk is not merely theoretical. As recently as Tuesday, three NHS hospitals fell victim to a cyber attack affecting the hospitals’ computer systems and forcing the cancellation of all appointments and operations for two days.
And what might the implications for a landlord in a multi-let building be in this scenario? Almost certainly, leases do not address the issue head on, either with express provisions or through the service charge and insurance clauses. Following the government’s launch of the National Cyber Security Strategy built on three core pillars of defend, deter and develop, perhaps the time has come for the industry, owners and occupiers, to give this issue some serious thought.