8 — April 2026 — Spring Preview — M id A tlantic Real Estate Journal
www.marej.com
S pring P review
By Michael Mullin, IBSRE, Inc. (ProtectMyIT) Quiet Shift in Federal Cyber Rules Leaves Commercial Real Estate Firms Exposed A were current, and whether leadership took cybersecurity risks seriously.
growing number of commercial real estate firms may be unknow - ingly out of compliance with evolv - ing federal cybersecu- rity expecta- tions—de- spite having what appear to be adequate protections in place. For years, property owners and operators have treated cybersecurity as a technical issue, relying on firewalls, Michael Mullin
antivirus software, and third- party vendors to safeguard sensitive data. But a quiet shift in federal oversight—led by the Federal Trade Commis - sion (FTC)—is changing how organizations are judged when incidents occur. Cybersecurity is no longer viewed solely as an IT respon - sibility. Instead, regulators now treat it as a core business practice, placing accountabil- ity squarely on leadership. This change has significant implications for the commer- cial real estate sector, where firms routinely manage large
volumes of personal and fi - nancial data. Tenant applica - tions, rent payment systems, access control technologies, surveillance footage, and vendor platforms all contain sensitive information that must be protected. Under current FTC ex - pectations, gaps such as outdated policies, lack of multi-factor authentication, unencrypted data, or insuf- ficient employee training are not simply operational oversights—they may be con- sidered compliance failures. What makes this shift
particularly challenging is that enforcement is rarely proactive. There are no rou - tine inspections or advance warnings. Instead, scrutiny typically arises after a data breach, when attorneys rep - resenting affected tenants, employees, or vendors begin asking questions. At that point, the focus is less on the technology in place and more on the organization’s decision-making and over- sight. Investigators and legal teams want to know whether reasonable safeguards were implemented, whether policies
In many cases, organiza - tions struggle not because they failed to act, but because they cannot demonstrate that they acted responsibly. Docu - mentation—such as risk as- sessments, employee training records, and evidence of safe- guards—has become a critical factor in determining liability. The financial stakes are also rising. Cyber insurance policies, often viewed as a safety net, are increasingly tied to compliance with feder - al standards. If a firm cannot provide adequate documenta- tion after a breach, insurers may deny coverage, leaving the organization to absorb significant costs. Industry observers note that many of the most common vulnerabilities are not dra- matic failures, but everyday oversights: former employees retaining system access, ven- dors operating without proper security controls, or systems running outdated software. While these issues may seem minor, they can become cen- tral points of concern during a breach investigation. Despite the heightened ex- pectations, experts emphasize that compliance does not re- quire perfection or large-scale investment in enterprise-level security programs. Instead, regulators are looking for “reasonable safeguards”—a standard that includes under- standing where data resides, implementing basic protec- tions like multi-factor au- thentication and encryption, training employees, and main- taining up-to-date policies. Above all, organizations are expected to document their efforts. For commercial real estate leaders, the message is clear: cybersecurity is no longer just a technical issue to delegate. It is a governance and risk man- agement responsibility that requires active involvement from executives and financial decision-makers. As federal expectations con- tinue to evolve, firms that fail to adapt may find themselves exposed—not only to cyber threats, but to legal and finan - cial consequences that extend far beyond the initial breach. Mike Mullin is the presi- dent & CEO of IBSRE, Inc. (ProtectMyIT). MAREJ
FUTURE -PROOF! HACKER -PROOF! DISASTER -PROOF! SECURE YOUR COMPANY TO THRIVE IN THE NEW DIGITAL ECONOMY.
(973) 575-4950 ibsre.com
Made with FlippingBook Digital Proposal Creator