The Growing Costs and Risks for Personal Liability

The costs of cyber incidents are rising and now include financial loss, reputational damage and, increasingly, personal and criminal liability. IBM estimates that the average cost of a single data breach is US$ 4.35 million, up 12.7 percent since 2020 (IBM Security, 2022). The costs to society are high as well. The cybersecurity firm McAfee and the Center for Strategic and International Studies estimate that cybercrime and cyber espionage cost the global economy over US$ 1 trillion in 2020, a 50 percent increase since 2018 (Smith, 2020).

Cyber insurance is becoming harder to obtain: cyber insurers’ losses jumped 300 percent from 2018 to 2021. Cyberattacks are happening so frequently, and carry such unanticipated costs, that insurers are withdrawing coverage, raising premiums, or writing in carve-outs for widespread (cross-sector) attacks and state-sponsored hacks (Zang, 2022).

It is unclear whether property and casualty (P&C) insurance will cover physical damage caused by a cyber incident on an OT system, including damage that leads to physical injury or loss of life. Many insurers are rewriting policies to exclude coverage for cyber incidents that affect human health or property. The exclusions already in older policies are also being tested. For example, Merck suffered roughly US$ 1.3 billion in losses from the Russian NotPetya attack on Ukraine in 2017. Merck claimed under its P&C insurance to recover some of those losses, but its insurers invoked the policies’ “war exclusions,” which bar coverage for damage caused by a state’s “hostile or warlike” actions. With geopolitical tensions rising and state-organized hacks becoming more common, companies will find it increasingly difficult to transfer cyber risk to insurers (Bateman, 2020).

CEOs face the risk of greater personal liability. A Gartner forecast and a recent case from Finland highlight the exposure of CEOs to cyber-physical incidents. Gartner predicted that by 2024, 75 percent of CEOs could be held personally liable for cyber-physical security incidents. Gartner attributes this risk to leadership’s lack of focus on security and the resulting misalignment of spending on risk mitigation and remediation.

CEOs used to be able to plead ignorance of the cyber risks facing their organizations, or to transfer those risks to insurers (Moore, 2020). This is no longer the case. National authorities are stepping up their alerts and information campaigns in critical infrastructure sectors, and CEOs are being held to account as a result. In Finland, a CEO received a three-month suspended sentence because his company failed to follow cybersecurity and GDPR practices, a failure that led to a massive data breach.

Cybersecurity risk is at the top of building owners’ agendas, and it should be on FMs’ agendas as well. In 2022 and 2023, surveys of real estate owners conducted by PwC identified cybersecurity as one of the leading disruptors to the real estate industry, alongside digital transformation (PwC, 2023). Building owners and facility managers carry both a physical liability risk and an asset valuation risk from a cyber incident, and such an incident can strike without warning. Attempting to transfer cyber OT risk to insurers does not remove the building owner’s liability for the safe operation of the building, nor the responsibility for any incident that results in a loss of life or property.

Figure: Real Estate Industry Disrupters, 2022 and 2023. Cybersecurity is a leading disruptor in the built environment according to building owners (Source: PwC, 2022 and 2023).

FMs share these risks. Hotels in Austria made extortion payments after ransomware attacks locked the computers controlling their electronic keyless entry systems: guests could not open the electronic locks with their key cards, and the hotel could not reprogram the locks or issue new key cards to let guests into their rooms (Smith M., 2017). A DDoS attack on the heating systems of two apartment complexes left residents without heat during a Finnish winter (WAQAS, 2016). A German building automation engineering firm lost access to hundreds of building automation systems and devices (light switches, motion detectors, shutter controls and others) after a cyberattack locked the company out of its own building automation system (Higgins, 2021).

In addition, FMs’ operations can be the entry point for an attack that affects customers and the wider supply chain. A prominent example is the 2013 breach of the retail chain Target, one of the largest of its kind, which cost the company over US$ 220 million in costs, fees and fines. Attackers broke into Target’s network using login credentials stolen from a heating, ventilation and air conditioning (HVAC) contractor that worked for Target at several locations. Through this breach, they accessed 40 million customers’ payment card numbers.