
Quiet Shift in Federal Cyber Rules Leaves Commercial Real Estate Firms Exposed

  • Writer: MAREJ

By Michael Mullin, IBSRE, Inc. (ProtectMyIT)



A growing number of commercial real estate firms may be unknowingly out of compliance with evolving federal cybersecurity expectations—despite having what appear to be adequate protections in place.

For years, property owners and operators have treated cybersecurity as a technical issue, relying on firewalls, antivirus software, and third-party vendors to safeguard sensitive data. But a quiet shift in federal oversight—led by the Federal Trade Commission (FTC)—is changing how organizations are judged when incidents occur.

Cybersecurity is no longer viewed solely as an IT responsibility. Instead, regulators now treat it as a core business practice, placing accountability squarely on leadership.

This change has significant implications for the commercial real estate sector, where firms routinely manage large volumes of personal and financial data. Tenant applications, rent payment systems, access control technologies, surveillance footage, and vendor platforms all contain sensitive information that must be protected.

Under current FTC expectations, gaps such as outdated policies, lack of multi-factor authentication, unencrypted data, or insufficient employee training are not simply operational oversights—they may be considered compliance failures.

What makes this shift particularly challenging is that enforcement is rarely proactive. There are no routine inspections or advance warnings. Instead, scrutiny typically arises after a data breach, when attorneys representing affected tenants, employees, or vendors begin asking questions.

At that point, the focus is less on the technology in place and more on the organization’s decision-making and oversight. Investigators and legal teams want to know whether reasonable safeguards were implemented, whether policies were current, and whether leadership took cybersecurity risks seriously.

In many cases, organizations struggle not because they failed to act, but because they cannot demonstrate that they acted responsibly. Documentation—such as risk assessments, employee training records, and evidence of safeguards—has become a critical factor in determining liability.

The financial stakes are also rising. Cyber insurance policies, often viewed as a safety net, are increasingly tied to compliance with federal standards. If a firm cannot provide adequate documentation after a breach, insurers may deny coverage, leaving the organization to absorb significant costs.

Industry observers note that many of the most common vulnerabilities are not dramatic failures, but everyday oversights: former employees retaining system access, vendors operating without proper security controls, or systems running outdated software. While these issues may seem minor, they can become central points of concern during a breach investigation.

Despite the heightened expectations, experts emphasize that compliance does not require perfection or large-scale investment in enterprise-level security programs. Instead, regulators are looking for “reasonable safeguards”—a standard that includes understanding where data resides, implementing basic protections like multi-factor authentication and encryption, training employees, and maintaining up-to-date policies.

Above all, organizations are expected to document their efforts.

For commercial real estate leaders, the message is clear: cybersecurity is no longer just a technical issue to delegate. It is a governance and risk management responsibility that requires active involvement from executives and financial decision-makers.

As federal expectations continue to evolve, firms that fail to adapt may find themselves exposed—not only to cyber threats, but to legal and financial consequences that extend far beyond the initial breach.

Mike Mullin is the president & CEO of IBSRE, Inc. (ProtectMyIT).

 
 