New SEC Cybersecurity Rules: A Guide for Commercial Real Estate

On July 26, 2023, the SEC rolled out new cybersecurity rules. Starting December 18, 2023, public companies will need to report cybersecurity issues quickly. And from December 15, 2023, they’ll also need to report annually on how the leadership teams manage cybersecurity.

These rules impact real estate investment trusts (REITs), especially the teams responsible for operational technology (OT). Private real estate owners and operators are vendors to public company tenants, so these regulations carry significant implications for them too.

Quick Reporting of Cyber Issues

REITs will need to report material cybersecurity incidents in just four days. For reference on feasibility, the current rule in Europe is three days. Reports should include:

  • When the incident occurred
  • What type of attack it was
  • How extensive it was
  • What information was affected
  • What measures were taken in response
  • Whether law enforcement was notified
  • What legal or regulatory actions are ongoing

While reporting is not itself cyber defense, more openness should improve cybersecurity for everyone. More scrutiny will make avoiding cybersecurity incidents a higher priority. Improvement means stronger defenses, quicker detection of issues, and more robust follow-up.

Continuous threat detection, safe remote access, and detailed logging are essential. Systems should record every cybersecurity incident and remote OT access event. This helps find issues quickly and report them accurately.

Tagging and Organizing Data

From December 18, 2024, the SEC wants companies to use Inline XBRL tagging. This puts more pressure on some legacy systems. Even if not every OT system can support this tagging, OT data should still be organized and ready to integrate with cybersecurity systems that do. An example is implementing a centralized system for remote access that logs all activity and supports XBRL tagging.

Managing Vendors

Many OT cybersecurity incidents come through third-party vendors. REITs should do regular checks of their vendors’ cybersecurity measures to ensure a robust chain across companies.

Sharing How You Manage Risks

REITs need to share their cybersecurity plans yearly. They need to explain:

  • Who on their board handles cybersecurity strategy
  • How often they review cybersecurity risks
  • How the board is involved in cybersecurity planning

A unified cybersecurity system should simplify understanding and managing risk by providing clear insights for strategy setting and action planning.

Board’s Role in Cybersecurity

The rules stress that cybersecurity issues aren’t just IT problems. The entire organization, from top to bottom, needs to be involved. Many boards might need more cyber expertise. Hiring managed cyber services could be an astute way to fill gaps in expertise quickly.

Working with Legal Teams

The SEC suggests cybersecurity teams work closely with their legal teams. The legal team will be a REIT’s interface to law enforcement and regulatory agencies. Keep them current on all cybersecurity and data protection policies, agreements, and major post-incident follow-up items.

Getting Ready for Public Attention

More open reporting means more public and investor attention. REITs should be ready for this. The SEC encourages balancing disclosure against the potential harm of disclosing so much information that it creates new cybersecurity exposures.

Summary

With these new rules, REITs need to take action now on management processes and technology. The right technology solutions will mix the best of cloud and on-site solutions. Edge cloud tech is a game-changer here. It combines the cloud’s resiliency and data aggregation benefits with the need for responsive on-site technology and data privacy. REITs should work with partners who are well-versed in cybersecurity, edge cloud, and the unique challenges these new rules create for OT teams. 

For those looking for a strong partner to adapt to these new requirements, learn more about how View Secure Edge can securely modernize OT operations.