Certain industry sectors – such as banking/finance, healthcare, and defense contracting – have government mandated requirements for protecting sensitive information; for example, private healthcare records or export-controlled intellectual property. These industries tend to be serious about investing in cybersecurity measures; because, frankly, if they don’t, they will not be able to operate. Regulatory fines will rain down upon them, reputation damage will ensue, and soon, they will be out of business.

Anyone who has been to the doctor lately is probably familiar the Health Insurance Portability and Accountability Act of 1996 (HIPAA), which was designed to help protect private medical data. The law has a Breach Notification Rule that requires covered entities and their business associates to provide notification following a breach of unsecured protected health information.

Look at the "wall of shame" maintained by the U.S. Department of Health and Human Services Office for Civil Rights that shows some of the offenders who allowed unsecured protected health information to get into the hands of hackers.

Imagine if your business name were on that page. What is brand image and reputation worth to your company?

While there is currently no cybersecurity legislation specific to the multifamily housing industry, there is emerging data breach regulation at both the state and federal levels that could have an effect on the industry.  The NMHC/NAA Joint Legislative Program published a white paper called “Multifamily and Cybersecurity: The Threat Landscape and Best Practices” that provides an excellent summation of this regulation.

The European Union (EU) has always been very concerned with privacy protection. The EU's General Data Protection Regulation (GDPR) went into effect on May 25, 2018 and includes mind-boggling fines for breaches of private data up to 20 million euros or 4% of a firm’s global turnover, whichever is larger. If the US follows suit, companies could be looking at enormous economic liability here as well.

So, there likely are compliance mandates for cybersecurity in the multifamily housing industry. But even if there weren’t, in this modern era, data and IT infrastructure are two of the most valuable assets any organization has. Probably 95% of a company’s revenue flows through its IT systems. So, wouldn’t you want to go about securing these systems according to best practices to protect your company’s finances – whether someone “made” you or not?

Also, when it comes down to it, compliance typically amounts to a checklist. A checklist is only as good as it is complete, and there is no complete checklist when it comes to cybersecurity. Cybersecurity is a process – a journey – and requires a feedback loop with continuous improvement. Therefore, even if you are “compliant”, you may not be “secure.”

To achieve cybersecurity maturity, an organization must undergo certain steps:

1. Establish a baseline. This requires a third-party assessment of the enterprise IT components and all security operations practices.
2. Develop a framework and governance. This is achieved via implementing formalized policies and procedures with executive management buy-in and leadership.
3. Implement continuous monitoring. This allows you to have visibility into your enterprise and provides feedback on how effective your security controls are.
4. Develop security analytics. Dashboard reporting indicating reduction of risk over time is an effective tool in aiding management to apply adequate funding for security measures.
5. Tweak the system over time. Continuous improvement requires a post-mortem after any incident so that effective countermeasures can be enacted, and the enterprise can improve each time.

In the end, we ask clients: do you want to be compliant, or do you want to be secure? Compliance, in my mind, often means “checking a box.” Security, on the other hand, implies that you have not only applied the best practices but are continually evaluating these to achieve optimal protection levels.

I will conclude with this story: my friend Kirk Downey told me that he once spoke to the CEO of a multifamily company that told Kirk he didn't want to do a cybersecurity assessment of his company, because then he would know how bad they were doing, and then they would have to do something about it (at great expense, he feared). Flabbergasted, Kirk tactfully explained to this gentleman that he was already responsible, whether he did anything about it or not.  If the @$#%$ ever hits the fan, and a government entity (say, the FBI) gets involved, and comes asking questions about how a data breach occurred exposing thousands of people's private data, they are likely not going to the IT guy or the cloud service provider first. They are coming to see the people who are ultimately responsible for security – executive leadership.