In all the COVID chaos it is easy to forget about cyber security vulnerability and that the UK real estate industry remains exposed to cyber attacks through inadequate security systems and lack of preparedness.  The fundamental unsuitability of both institutional leases and standard buildings insurance policies to address cyber attacks that cause non-physical damage leaves investors and occupiers considerably exposed to interruption of use and/or occupation risks.  The COVID-19 pandemic has led the Financial Conduct Authority to launch a test case in the High Court to clarify the extent of cover where it has not been possible to use the property – and we have anticipated for some time that similar issues will arise from cyber attacks.

So the publication this week by the UK’s National Cyber Security Centre of its report on the Cyber Threat to Sports Organisations is a useful reminder that this threat is real, even if virtual.

The NCSC found that inside a year (to spring 2019) in the UK 70% of sports institutions had suffered some form of cyber attack.  Around 30% of incidents led to a loss, and the average loss was more than £10,000 per incident.  A wide variety of sports were targeted, including football, horse racing, rugby, tennis, cricket and athletics.

The report gives case studies of various threat trends:

• Business Email Compromise (BEC) led to a criminal intervening in an English Premier League player transfer, posing alternately as each club in the transaction to divert funds.  The attack was thwarted by bank security flags;
• Cyber-enabled fraud (a fraud facilitated by cyber technology) led to a UK racecourse being defrauded in relation to grounds keeping equipment;
• Ransomware led to the shutdown of the CCTV and turnstile systems of an English Football League club, resulting in several hundreds of thousands of pounds of losses, even though the match was able to go ahead.

It is this last criminal intervention that should have property investors hurriedly checking their security protocols.  Cybercriminals locking doors to prevent access could be materially problematic for many assets, such as shopping centres and office buildings, as well as any venue with paying customers.

The ransom risk is evident, quite apart from health and safety and business interruption consequences.  The report confirms a ransom was demanded of the Football Club, but was not paid.  However, by coincidence, on Wednesday this week, the press reported a ransomware attack on a cloud data provider that provides services to charities and universities around the world, where the threat was to encrypt hacked data and demand a ransom.   One UK university, which acknowledged the attack and confirmed that the data provider paid the ransom, is reported to be contacting 181,000 alumni that their personal details may have been stolen.

While that is striking, what is relevant is that the hacked data provider apparently paid a ransom to have the stolen files deleted.  We wonder if this was covered by their insurance.

So, ransom demands in exchange for permitting access to your property (not just data) are a real threat.  However, there are other lessons to learn from this incident (and we recommend reading the whole report which is most informative).

Although the attack vector remains unknown, the infection was likely enabled by a phishing email or remote access via the CCTV system.  With all systems connected to a Virtual Local Area Network, the infection spread quickly.  The Football Club subsequently identified that:

• the IT estate had grown organically and few security controls were in place.  Office networks had internet connected industrial control systems bolted on, and then physical security hardware added – there was no planned security architecture.  This is a common feature of business – and buildings – systems that have expanded organically, responding to emerging business needs piece by piece.
• a lack of network segmentation.
• no emergency response plan and no previously conducted response exercises.  Our mantra for businesses is “assess, prepare, respond, engage, defend” (see here for more details).   Is your business ready?
• the club had not recognised how digital/cyber reliant their business was, therefore, cyber security investment was low.

The one other detail that should concern a building owner that believes its building to be secure is the possibility that the Football Club was hacked through its CCTV system.  The common misconception is that the attack will come through the front door on the servers – in fact the criminal looks for the point of least resistance to strike.  It’s like the hotel that was hacked through its air conditioning system (see here).  And don’t forget that no system is free from a physical hack – we know of one system that was hacked by someone with a laptop and a network cable who bypassed physical security and got into a server room.

Game on.

[View source.]