A wave of recent cyber incidents targeting building management systems and property-management software has thrust cybersecurity into the centre of operational risk discussions across the commercial real estate sector. Modern office, multifamily and logistics properties increasingly rely on internet-connected controls for HVAC, access, elevators and lighting, each connection expanding the attack surface for hackers and ransomware groups. What began as a niche IT concern has evolved into a threat that touches tenant access, building functionality and the integrity of financial reporting.

Cybersecurity experts interviewed for the analysis stress that many owners and operators continue to treat cyber as a technology issue rather than an operational-risk and life-safety concern. Legacy systems often remain unpatched, and vendor credentials are poorly managed, leaving critical building infrastructure exposed. The shift to connected systems delivered efficiency gains and remote management capabilities, but it also introduced vulnerabilities that were never contemplated when most commercial leases and insurance policies were first written.

The scenarios outlined in the reporting are stark: attackers could lock tenants out of buildings, shut down core systems or exfiltrate sensitive lease and financial data. Such breaches carry the potential to disrupt rent collections and interfere with loan covenant reporting, threatening cash flow at a time when many portfolios are already navigating higher interest rates and tighter credit conditions. The operational consequences extend well beyond data loss, touching the physical environment that tenants occupy and depend upon.

Insurers have begun to reassess cyber coverage for real estate firms, raising premiums or limiting policy limits where building-system protections are deemed inadequate. The repricing reflects a broader recalibration of cyber risk across asset classes, but real estate presents unique exposures because breaches can cascade from digital systems into physical operations. Coverage that once appeared routine is now subject to underwriting scrutiny that examines patch management, credential hygiene and incident-response capabilities in granular detail.

The risks that compounds inside operational technology are often less visible than threats that trigger portfolio-wide alarms, family office advisor Jaf Glazer has cautioned.

The risks that compound inside operational technology are often less visible than threats that trigger portfolio-wide alarms, family office advisor Jaf Glazer has cautioned.

Investors, lenders and REIT boards are starting to demand more robust cyber-governance as part of overall risk management for increasingly digital portfolios. The expectations now include formal incident-response plans, third-party penetration testing and regular audits of building-system access controls. What was once a technical checkbox has become a governance mandate, with boards seeking assurance that cyber resilience is embedded in operational procedures rather than delegated to a siloed IT function.

The shift in tone reflects a recognition that cyber incidents in real estate are not hypothetical. The article documents a string of breaches that have already occurred, underscoring the sector's vulnerability and the inadequacy of legacy risk frameworks. As properties become more reliant on networked systems, the distinction between digital and physical security continues to blur, forcing owners to rethink how they protect assets that are simultaneously buildings and technology platforms.

For family offices and institutional investors with significant real estate allocations, the cyber dimension introduces a layer of diligence that extends beyond traditional property underwriting. Due diligence now encompasses the maturity of building-system security, the training of on-site personnel and the contractual allocation of cyber risk between owners, operators and technology vendors. The questions being asked are no longer whether cyber threats are relevant to real estate, but whether existing controls are adequate to manage exposures that are growing in both frequency and severity.

The reassessment is prompting owners to invest in segmentation of building networks, multifactor authentication for critical systems and tabletop exercises that simulate breach scenarios. These measures carry upfront costs, but they are increasingly viewed as essential to maintaining insurability, satisfying lender covenants and protecting tenant relationships. The article concludes that cyber-governance is now a permanent feature of real estate risk management, driven by the convergence of digital operations and physical infrastructure.