Property management companies handle far more than just keys and leases. They're engaged in invoicing, collecting rent payments, holding escrow payments and handling significant sums of money on behalf of property owners. These financial activities, along with the sensitive personal and financial data they manage, firmly place them under the purview of the Federal Trade Commission's (FTC) Safeguards Rule. Moreover, the National Association of REALTORS® (NAR) classifies property management as outside the scope of traditional real estate activities, further solidifying their inclusion under these regulations.
Let's delve into why these companies are prime targets for cybercriminals and how proactive cybersecurity measures can be a financial lifesaver.
Why Property Management Companies Are in the Crosshairs
Property management companies are particularly attractive to cybercriminals due to the nature of their data. They store personally identifiable information (PII) of tenants, financial transaction records, and sensitive property details. A data breach could lead to identity theft, financial fraud, and reputational damage, not to mention hefty fines for non-compliance with the FTC Safeguards Rule.
Busting the Cost Myth: Cybersecurity as a Competitive Advantage
Cybersecurity is traditionally viewed as a cost center. While that is true, it can also be a competitive advantage if your competition is not implementing it. Additionally, the costs can be offset by savings on your cyber insurance for having the proper protections in place. Most businesses "feel like" they are safe, but things have changed and cyberattacks are way up. No business is safe anymore.
Key Requirements of the FTC Safeguards Rule
The FTC requires companies that perform financially related services and are not covered under banking regulations, such as property management companies, to implement a written IT Security Program and designate an employee of the company as the administrator of the program. This employee will have to be either the IT person or a liaison between the company and an IT vendor.
The FTC Safeguards Rule outlines several other key requirements, with data protection being of the utmost priority:
Govern:
Establish policies and procedures for ongoing management of the IT security program.
Have a written incident response plan (IRP).
Implement security awareness training for all employees.
Conduct quarterly roundtable exercises to practice responding to a cyber incident, such as a ransomware attack, and executing the IRP.
Regularly review and update policies and procedures as needed to adapt to evolving threats.
Cybersecurity Risk Assessments: Conducting regular risk assessments (at least twice a year) is like performing due diligence on a building purchase. It helps a managed service provider (MSP) assess your company's security posture at a certain point in time, identify vulnerabilities, and prioritize security efforts, leading to an action plan for FTC Safeguards compliance that is customized to your business.
Identify Objects: Identify and categorize all the "objects" that need protection. This includes anything that holds information, be it electronic (servers, laptops, cell phones) or physical (filing cabinets, storage locations, document destruction repositories). It's also important to identify online SaaS applications such as property management software, email, document storage, and file-sharing sites.
Protect: Implement security measures to safeguard your objects and data. This includes encryption, access controls, firewalls, and secure data disposal practices. Ensure third-party vendors also have robust written security measures in place. Some common ways to proactively manage objects and data include:
Remote management and maintenance software (RMM)
AI-infused security software capable of detecting suspicious behaviors like ransomware attacks or unusual logins and executing an automated response to stop it
File-level encryption, both on devices and online applications
Monitoring logins and limiting file access
Conditional access, per device or IP address, to email, document storage, and file-sharing sites
Detect: Deploy tools and technologies to detect security anomalies and potential breaches. This could include intrusion detection systems, log monitoring, and vulnerability scanning. AI is making headway in the security world and offers a huge advantage in detecting suspicious behavior, like malware installation from phishing emails. AI can also detect and respond to attacks that often take months to deploy, like those involving financial transactions or ransomware.
Respond: Have a plan in place to respond to security incidents swiftly and effectively. This involves:
Contacting your cyber insurance carrier and law enforcement
Hiring a forensics team, data mining company, and breach coach
Consulting a lawyer to protect you from liability and lawsuits
Containing the breach, notifying affected parties, and taking steps to prevent future incidents.
Don't Let Cost Be a Barrier: The True ROI of Cybersecurity
The cost of a breach extends far beyond the cyber attack itself. Consider the following expenses:
Hiring a forensics team, data mining company, and breach coach
Legal fees to defend against lawsuits and potential liability
Lost productivity and business disruption
Damage to your reputation and loss of customer trust and revenue
The cost of fines for not being FTC compliant is currently around $52,000 per day. Additionally, when an attack happens, your company will incur significant costs, and your insurance claim might be denied if you lack proper protections. On top of that, you may suffer downtime; the average is 15-20 days according to CISA, the federal agency overseeing cybersecurity.
Cybersecurity compliance is an investment, not an expense. By taking proactive steps to protect your data, you can avoid the devastating financial and reputational consequences of a data breach. Remember, the cost of compliance is far less than the cost of a breach.
If you're unsure where to start or need help navigating the complexities of the FTC Safeguards Rule, don't hesitate to seek expert guidance. Take advantage of our free 15-minute IT strategy session, which you can book at https://strategy.cybersecurehawaii.com