As the extent of the damage caused by the recent WannaCry ransomware virus becomes clearer, businesses across the world have been reminded of the critical importance of cyber security measures, and the potential fall-out should those measures prove insufficient or ineffective.
The virus worked by encrypting the victims’ data and then demanding payment for its release, exploiting a weakness in Microsoft systems relating to file sharing, a facility that is vital to the way modern businesses work. Particularly notable was the range of entities that suffered. Some NHS trusts had to cancel appointments and operations due to their inability to access their computer systems, and the public were encouraged not to use emergency services unless absolutely necessary as a result. Companies across the globe, from Deutche Bahn to FedEx, were affected.
Late last year, we blogged about the implications that a cybersecurity attack like this might have on landlord and tenant relationships, in particular where multiple tenants occupy a building with a ‘smart’ building management network, controlling everything from online storage to heating and electricity controls. Depending on the nature of the system used, WannaCry could in theory have taken advantage of any interconnectivity or filesharing between the tenant’s system and the building’s system to reach the tenant’s business records.
This begs the question of what landlords can do to protect themselves against these risks, and whether tenants need to be asking more questions regarding their landlord’s cyber security systems, particularly if tenants’ own data can be accessed via their landlord’s system. Such measures might include:
• adding loss caused by a cybersecurity attack as an insured risk (but note below);
• putting each party under an obligation to take all reasonable precautions against the threat of a cyberattack including an obligation to have sufficiently strong anti-virus software at all potential entry points to the systems;
• ensuring separation of BMS/landlord/tenant networks where appropriate.
Landlords might well resist widening the definition of insured risks depending on their policy coverage because the insurance industry is still struggling to address losses arising out of attacks like these and cover is not widely available. There is also little understanding as to cost, and as the tenant will ultimately be bearing the cost it needs to know what those costs might be.