An increasing number of multifamily CEOs list cybersecurity as one of their top concerns as the number of significant data breaches continues to rise. In fact, according to a preliminary report by the Identity Theft Resource Center, 2016 breaches are up thus far more than 25% year over year.
While growing awareness of the issue, as well as the business, brand, and legal consequences associated with an incident, is a positive, as an industry we often underestimate the risk of—and remain underprepared to deal with—a cyber incident.
One area in particular where many apartment firms misjudge their exposure is in their relationships with their third-party suppliers, who often have access to sensitive data or systems. Many multifamily companies assume that since they use suppliers to handle or store sensitive information that they’re largely off the hook, which is far from the case. Many in the industry remain unaware that in the event of a supplier incident or data breach, regardless of whether the supplier is at fault, the company with whom the supplier contracted—the apartment firm—is often held responsible, because it maintains the consumer-facing relationship.
Most suppliers of the industry, who typically have third-party suppliers of their own, are increasingly prioritizing their cybersecurity practices and are good partners in the fight for better cybersecurity. It’s still advisable, however, to take steps of your own to protect your systems and bottom line by carefully managing your relationships with third-party suppliers.
Contractual provisions that detail how your suppliers protect sensitive information and address data breaches should be strongly negotiated by both parties to ensure the agreements reflect the realities of today’s challenging cyber landscape.
Do Your Due Diligence
It’s now more important than ever that apartment firms know a lot about the organizations with which they do business. Beyond understanding what information a supplier has and how it uses and protects that data, it is also important that the supplier give sufficient assurances and details as to its data security practices.
This can be achieved through a data security questionnaire or a formal RFP process that requires suppliers to provide specific information on these issues. Clients may also ask for any assessments the suppliers have conducted (and the results and mitigation plan) or certifications they may have. This information is essential to have before engaging with a new or existing supplier.
Review and Standardize Your Contracts
Apartment firms should establish an internal review process to ensure that adequate protections are included in all supplier contracts that have the potential to deal with sensitive information. Often such reviews are required only when contracts exceed a certain dollar amount, but such policies fail to account for the sensitivity of the data to which suppliers have access. Similarly, apartment firms should establish pre-approved contract provisions that are incorporated into all supplier contracts.
Your contract provisions should have explicit details on:
• Data use approval and sharing obligations
• Data security and privacy standards
• Accountability and liability
• Breach notification obligations and disclosures
• Investigation cooperation expectations
• Compliance audits
• Cyber insurance requirements
And remember, it’s a two-way street: Apartment firms should understand their own contractual obligations with third parties.
Check for Compliance
Data security standards and privacy mandates are effective only if the supplier adheres to them. Monitoring a supplier’s data practices and compliance with its contractual obligations will help keep the supplier accountable and provide visibility into the vendor’s practices, allowing apartment companies to identify and mitigate potential issues before an incident occurs.
Typically, contracts will include a right-to-audit provision, allowing clients to “kick the tires” on the supplier’s program. You can choose to audit a supplier internally or retain a third party to conduct this process on your behalf.
Centralize Your Contracts
While collecting information on your suppliers and their data security practices is important, an inability to quickly access, analyze, or verify that information could cause substantial delays during an incident investigation. Thus, the information must be centralized and well managed.
One way to ensure suppliers are centrally managed is to require that all supplier contracts be vetted and approved by your company’s legal department.
It is also useful to set a periodic schedule by which all contracts should be re-evaluated to ensure the terms are still accurate and appropriate. Problems often arise with respect to older contracts that have been in place for some time. While it may be harder to make changes for contracts that are ongoing in nature and not subject to renewal or approval, a plan should be in place to review historical contracts. Companies often triage this process by “risk ranking” all suppliers and starting with the top tier of them. Vendors are accustomed to being asked to agree to security provisions, and most understand it’s in everyone’s best interest to have rules upon which everyone can agree.
Make It a Leadership Issue
Cyber risks will continue to grow, so multifamily firms need to acknowledge that data security is no longer just an IT issue but a topic that must be taken seriously at the C-suite and board-of-directors levels. A comprehensive cybersecurity program is one that never rests; it must continually be updated, fine-tuned, and tested to ensure that both internal and external threats are mitigated to the greatest extent possible. The new security landscape facing the industry, and the legal and regulatory system, requires it.
More information on cybersecurity is available in the NMHC’s recently released white paper “Multifamily and Cybersecurity: The Threat Landscape and Best Practices,” at http://bit.ly/2aabfjQ.