By Gil Hirsch & Tasmeea Islam
Since the 2016 Paris Agreement, nations across the world have pledged to strengthen their climate change efforts, reduce greenhouse gas (GHG) emissions, and lower their carbon footprints. The Canadian government alone has committed to decreasing emissions by 40-45 per cent by 2030 and reaching net zero carbon emissions by 2050. With buildings responsible for almost 30 per cent of Canada’s annual GHG output and 40 per cent of global GHG emissions, the building sector must be at the forefront of change.
As we transition to a low-carbon future, smart and sustainable technologies will be crucial to build clean, net zero infrastructure, enhance energy efficiency, and optimize building functions. However, the insurance implications of this movement cannot be ignored.
How will insurance companies respond to rapid green transformation? Are smart buildings, and by extension, net zero buildings more risky—and costly—to insure? What impact will advanced technologies, increased automation, and online connectivity have on data privacy and security? And above all, how can building owners, landlords, and operators prepare for these risks? Keep reading to learn more.
What are smart and net zero buildings?
According to the Canada Green Building Council (CaGBC), a zero carbon, or net zero, building is “a highly energy-efficient building that produces onsite, or procures, carbon-free renewable energy or high-quality carbon offsets to counterbalance the annual carbon emissions from building materials and operations.”
To achieve net zero carbon, buildings are powered by smart technologies, which use automation and Internet of Things (IoT) enabled devices to connect and centralize all of a building’s control systems, like heating, ventilation, air conditioning, lighting, lifts, security, and more. Through this networked infrastructure, smart technologies can monitor control systems, collect, and analyze data on trends and patterns, and optimize a building’s environment and operations. These “smart buildings” can also mitigate risks, like water leaks or temperature fluctuations, and initiate response protocols to minimize any damage and conserve resources.
But while smart and net zero buildings might be easier to manage, eco-friendly, and more comfortable to live and work in, they might also be more costly to insure. Here’s why:
The cost of smart technologies: Smart technologies that lower the chances of property damage can make a huge difference to your bottom line when it comes to repairs. Water damage, for example, is one of the costliest and most common claims for buildings, with the average cost of a commercial water damage claim at $89,000 USD. In comparison, the installation cost for most commercial grade water detection systems today is anywhere from $0.20-1.75/ft² (USD). That means a system in a 270,000 square foot building would only cost $54,000—a bill you’d only have to foot once for installation to avoid potentially dozens of claims in the building’s entire lifespan.
Because these systems help prevent mold, wood rot, and drywall warpage, and generally “de-risk” the building, some insurers may offer premium reductions for buildings with leak and corrosion detection and humidity and temperature sensors. Other companies, however, may raise the cost of insurance depending on what you install. Why? Complex technologies usually include more parts that are difficult to source and expensive to purchase, repair, and replace. Plus, they typically require more specialized service personnel to perform routine maintenance or respond in case of a breakdown. These repair costs are also multiplied by the number of technologies within the building.
In addition to the cost of parts and breakdown, smart tech boosts the overall value of a building and thus increases what an insurance company would have to pay out in the event of a claim. And the larger the building, the higher the cost of equipment, and the more to be paid out.
The rising threat of privacy breach: Growing reliance on IoT solutions, automation, and interconnectivity between various building management systems can open up new cyberattack vectors that were not previously encountered within the design process, like third-party compromise. Threat actors are able to infiltrate larger enterprises by exploiting the security gaps between building management systems and smaller, less secure outside partners, suppliers, and distributors. In fact, this is how Target’s famous 2013 breach happened; hackers accessed the financial information of over 40 million people through an HVAC vendor.
Once they’re in, cybercriminals can steal confidential data for other criminal activities, like identity fraud or funds transfer fraud, or worse, they can encrypt it, hold it hostage, and demand payment for its safe release. Either way, property owners and any involved stakeholders risk severe financial loss, regulatory penalties, legal action, and reputational harm.
With attacks at an all-time high, cyber insurance is not taken lightly by insurers. After years of incurring major losses from cyber insurance payouts, insurers are raising premiums, pulling back on protections, and being more selective about what risks they can take on. To secure coverage, organizations will have to, at the very least, demonstrate their commitment to data security and what protective steps, if any, they’ve taken to both assess and reduce risk.
Business interruption exposures: Smart buildings need access to a constant, uninterrupted stream of data to be fully functional. But if a privacy breach were to compromise a building’s management system, vital networks could shut down. HVAC systems may become faulty. Power outages could hamper financial transactions. Lift systems and fire alarms could malfunction or stop working altogether, threatening people’s safety. Operational issues could cause disruptions on a number of levels, leading to property damage, bodily injury, and widespread business interruption.
On top of that, remediation protocols could extend system downtime if the organization that’s suffered the breach needs to conduct data forensics, shut down for repairs, or fight a lawsuit. The building—and all the businesses inside it—could be affected for quite some time.
Who would pay for the resulting financial loss? Without explicit cyber coverage, your insurer may cover the property repairs, but not the lost profits from months of business interruption. And even if you had a standard business interruption policy in place, you wouldn’t be covered for utility service interruption losses.
How can building owners protect themselves?
Smart and net zero buildings are the way of the future. Industry experts predict that the IoT market will grow from an installed base of 15.4 billion devices in 2015 to 30.7 billion devices in 2020 and 75.4 billion in 2025. The majority of these devices will be deployed in public works, buildings, and critical infrastructure to create a seamless, all-connected urban landscape.
But as we take steps towards a more sustainable world, we must also work towards a sustainable risk management ecosystem to mitigate the exposures that accompany it. Here are some key tips to get started:
- Bolster your digital hygiene. To truly be cyber-safe, security cannot be an afterthought—it must permeate all aspects of the building process, from design to engineering to operations. Companies cannot continue to rely on insurance carriers to replace what they’ve lost and make them whole again. Instead, business owners should focus on becoming resilient to attack and shrinking the window of opportunity for cybercriminals to wreak havoc. Plus, without even basic security measures in place, insurers will be unwilling to take you on. Conduct a thorough risk audit to determine your potential exposures and implement safeguards accordingly. Ensure all systems are promptly and frequently patched with the latest security updates and back up data regularly. Practice good password etiquette. Develop an incident response plan tailored to the unique needs of your organization. (For a detailed list of cybersecurity measures, visit this Cyber Security & Privacy Toolkit.)
- Build a cyber-aware workforce. Security efforts, while valuable, are not enough on their own to completely remove risk; a key part of risk management is education. Everyone who is part of a network—building owners, operators and any employees or residents with direct access to the internet—should know the basics on how to protect it. Take steps towards a more cyber-aware workforce and avoid human error. Provide regular security awareness training specific to your building’s network. Consider partnering with a cybersecurity firm or specialist to offer high-quality courses. At minimum, security awareness training should be clear on:
  - How to handle sensitive data and use software safely;
  - What cyber threats your organization faces and how to identify them;
  - How to identify and report signs of a data breach.
- Vet your vendors. To ward off the threat of a supply chain or third-party attack, establish a formal vendor management program that classifies each vendor’s type of data and level of access. Make sure all third parties with access to your network operate with least privilege and maintain cybersecurity measures that are at least as good as your own. Perform annual audits to check if they meet your standards. Amend your contracts to clarify how and when data will be returned or destroyed at the end of an engagement.
- Strengthen your insurance coverage. Look into various coverages that will help to offset the potential financial loss from any major events. That includes:
  - Equipment Breakdown Insurance: This will cover any losses caused by the mechanical or electrical breakdown of equipment.
  - Data Security and Privacy Breach Insurance: Your general liability policies won’t cover a breach—they’re not specifically designed to address cyber risk—but standalone coverage can help you get your business back online and cover the expenses from legal fees, damages, and settlements. Your plan may also include:
    - A breach coach who will guide you through the legal process of navigating a breach under attorney-client privilege;
    - Funds to set up credit monitoring and notifications for affected parties;
    - An IT forensics team to help you determine the size and scope of the breach; and,
    - PR consulting to help manage your organization’s reputation.
- Consult with a risk advisor that specializes in smart building technology. A licensed broker can help navigate smart and net zero trends and adopt a proactive approach to risk management. A dedicated risk advisor can help you:
  - Conduct a robust assessment of your existing insurance policies to detect any coverage gaps;
  - Monitor insurance rates and keep you up-to-date on market patterns;
  - Determine the risks involved with the ownership and operations of net zero and smart buildings;
  - Identify perils, attack scenarios, and potential losses based on your operations and risks;
  - Share what steps others in your industry are taking and advise you accordingly;
  - Determine the scope of responsibilities for all incident response team members;
  - Offer you a specialized solution with clearly defined parameters of coverage.