RICS releases digital risks in buildings paper

Building stakeholders – owners, users and managers – should adopt a proactive and strategic approach to digital risk, integrating it into every aspect of building management.

Five steps to take

1. Identify, understand and plan for digital risks
   • Understand the technology in the building: Identify the technologies that your building relies on.
   • Use data protection impact assessments (DPIA): Evaluate how data is collected, stored and protected within building systems. A DPIA is particularly valuable when the impact of a new hardware, software or technology is being considered. Carrying out a DPIA before deployment can help to identify the risk to privacy. Guidance on how to do a DPIA is provided by the ICO.
   • Adopt systems thinking: Embrace a holistic view of digital risks, considering combined systems and both direct and indirect impacts on the building and its occupiers.
   • Understand compliance requirements: Stay informed about relevant laws, regulations and industry standards to ensure ongoing compliance.
   • Understand the risks facing your building: From all the above, you should create a risk register identifying the likely risks, outlining planned actions and articulating responsibility for each risk. It is important to assign ownership to each risk and ensure it is dealt with at the appropriate level within the business.

1. Enhance infrastructure and implement robust security measures
   • Invest in building upgrades: Allocate capital to modernise and update viable buildings with the latest technology.
   • Consider strategic divestment: To minimise risk, sell or repurpose buildings where updating is not feasible.
   • Implement strong access controls: Use multi-factor authentication and role-based permissions to secure systems.
   • Maintain regular updates: Establish processes for systematic patch management and keep all devices and software up to date.
   • Continuous monitoring: Deploy real-time monitoring tools to detect and respond to threats promptly.

1. Invest in employee training and awareness programs
   • Provide cybersecurity training: Educate all relevant employees on best practices and emerging threats.
   • Implement awareness initiatives: Foster a culture of security awareness throughout the organisation.
   • Conduct an incident response exercise: Carry out a desk-based ‘What if?’ exercise and prepare staff to act effectively during a security breach through regular simulations.

1. Integrate digital risk management with corporate governance
   • Align with corporate risk strategies: Ensure digital risk management is part of the overall corporate risk framework.
   • Report to leadership: Keep the board informed about digital risks and mitigation efforts for strategic oversight.
   • Encourage a security-first culture: Encourage all levels of the organisation to prioritise cybersecurity in their roles.
2. Manage third-party risks and prepare for incidents
   • Establish supply chain security requirements: Set strict cybersecurity criteria for all third-party service providers.
   • Conduct regular assessments: Evaluate the security practices of suppliers and limit their access to critical systems.

Consider insurance: Review and obtain effective insurance coverage to mitigate the impacts from digital risks such as cyber-threats and data breaches.

In such a large, but fragmented, sector, industry bodies have a vital role to play in ensuring that the digital risks in buildings are recognised and appropriately managed to ensure the safe and effective operation of all buildings.

Five steps to take

1. Develop and promote cybersecurity standards and guidelines
   • Set clear standards: Establish industry-wide guidelines on the management of digital risks and potential pitfalls of inadequate measures.
   • Clarify implications to existing standards and laws: Clarify how responsibilities under existing laws, legislation and standards are evolving as the buildings evolve and become more ‘digital’. Even where standards themselves do not change, the way they are interpreted may, and industry bodies need to support the sector to understand and embrace this in a consistent way.

1. Raise awareness and enhance skills
   • Support skills development: Offer training programmes and resources to build the necessary skills within the industry to manage and mitigate digital risks effectively.
   • Provide case studies: Share success stories and practical examples on repurposing existing buildings and implementing risk mitigation measures.

1. Support accurate valuations and strategic decision-making
   • Ensure accurate valuations: Advocate for valuation practices that accurately reflect the changing nature of occupier demand influenced by digital risks and the potential impact of digital risks on income and intangible value.
   • Guide investors: Carry out research on the impact of digital risks on building value and valuation.

1. Promote collaboration and knowledge exchange
   • Facilitate collaboration: Encourage collaboration among industry stakeholders to invest in research, explore innovative solutions and diagnose prevalent digital risks.
   • Disseminate information: Actively share findings, resources and tools that can help organisations within the industry enhance their cybersecurity stance.
   • Consider digital risks in existing content: Build the topic of digital risks into existing content such as conferences, workshops, journals and training, to ensure that professionals are aware of the digital risks in buildings and their responsibilities.

1. Support the sector with non-built environment standards:
   • Represent the sector with standard-setting bodies and legislators outside the built environment: There are a growing number of standards and laws regarding the use of data and technology that are not aimed at the built environment but are relevant for it. It is important for built environment industry bodies to engage with these new standard-setting bodies to represent the built environment’s perspective and use case.

Raise awareness and understanding: Make sure that companies in the built environment are aware of standards and legislation that impact them from outside the

Governments play a critical role in managing the digital risks associated with modern buildings, especially as it becomes a more obviously essential part of a nation’s critical infrastructure. As buildings become more connected and technology-driven, it is essential for governmental bodies to establish effective frameworks that safeguard assets, promote sustainability and provide regulatory certainty for all stakeholders involved.

Five steps to take

1. Engage with the built environment
   • Proactively engage with the built environment: The built environment is such a substantial, but highly fragmented, sector that there is a temptation for governments to engage around point solutions or small silos. This needs to continue; but in the same way that the sector needs to implement system thinking, so too do governments need to adopt a holistic approach to the built environment.

1. Provide long-term clarity
   • Ensure regulatory certainty: Release clear and consistent regulations well ahead of enforcement dates to give investors and industry stakeholders ample time to comply and adjust their strategies.
   • Encourage adoption: Encourage the repurposing and upgrading of existing buildings through tax incentives, especially when carried out in an environmentally sustainable manner.

1. Mandate minimum cybersecurity standards for buildings
   • Set mandatory security requirements: Impose minimum standards for the management of digital risks within buildings.
   • Integrate cybersecurity into building regulations: Update building regulations to include digital safety provisions as part of standard compliance requirements.

1. Enable data exchange
   • Facilitate data exchange: Address industry concerns about data sharing between landlords and tenants to promote transparency and efficiency and enable an improved approach to digital risks. A more robust approach to data sharing within management agreements should be encouraged.

1. Enhance awareness and skills
   • Provide sector-specific guidance: Offer tailored guidance and resources to help unregulated industries adopt best practices in cybersecurity.

Enhance national skills: Build the skills needed to address digital risks into education and training, both in schools for future generations and in the workplace to upskill today’s workers.