Why Digital Investment is Widening Real Estate’s Attack Surface

Smart buildings are getting smarter. They’re also becoming more exposed. WiredScore’s John Meko on why the gap between cyber policy and verified building practice is the underwriting challenge insurers can no longer defer.

Buildings are getting smarter—and more exposed.

Digital investment across US commercial real estate has accelerated sharply. Automated access, AI-driven building management, and interconnected sensor networks are now baseline occupier expectations. 

With this growing exposure to technology, buildings are becoming increasingly vulnerable to a number of invisible threats, cyber attacks among them. The buildings best equipped to manage this exposure, and the associated risks, are those where technology investment is deliberately built into an operational strategy rather than tacked on as an afterthought.

Independent certification standards, such as WiredScore’s SmartScore, are increasingly being used to identify and close that gap. But investment and certification are not moving in lockstep. 

The result: a widening distance between what is documented and what is actually implemented, tested, and maintained.

How real estate resilience matters to insurers in 2026

WiredScore’s inaugural Global Cities Resilience Index 2026 benchmarks commercial real estate resilience in the world’s major urban centres across three pillars: physical, digital, and cyber resilience. Of the three, cyber resilience registers the single largest performance gap in smart buildings globally.

The data makes the underwriting problem concrete. Eighty-seven percent of buildings carry a cyber policy, but only 57% conduct annual on-site assessments. That 30-point gap is the distance between intent and reality—between documented governance and whether controls are actually running in live buildings.

A policy alone is not a reliable indicator of resilience. Its effectiveness depends on whether it covers the full technical scope of the building—BMS, HVAC, access control, IoT—and whether controls are continuously tested.

Chicago topped the overall rankings, with Singapore, Dubai, and Madrid also performing at the highest level, reflecting that top-tier resilience is driven by intentional design and regulatory discipline rather than historical market maturity.

The attack surface has a lobby
The modern smart building is not a single technology system. It comprises dozens of interconnected components—BMS, HVAC, access control, elevators, fire suppression, lighting, IoT sensors—that share data, share networks and, increasingly, share vulnerabilities.

The Index found that 75% of organisations are operating building management systems with known exploited vulnerabilities. These are live systems, running in occupied buildings, accessible from the internet. That is what makes the building-level cyber risk conversation fundamentally different from a conventional enterprise IT discussion.

A compromised corporate server is a data problem. A compromised physical system can disrupt building operations and, in some cases, threaten human life—taking down access control, vertical transport, fire safety, or HVAC.

The IT/OT convergence that smart building technology represents has created a new class of risk sitting at the intersection of digital threat and physical harm. The Index found that 50% of cyber incidents now occur in operational technology environments, yet only half of smart buildings conduct the annual assessments needed to mitigate those risks.

AI is accelerating exposure
The urgency of this exposure is being compounded by the pace of AI adoption. Cybercrime is projected to cost the global economy $23 trillion by 2027, and the built environment is not insulated from that trajectory. 

Facilities managers and property owners are under pressure to integrate AI-driven automation—occupancy optimisation, predictive maintenance, security monitoring—and uptake is only increasing.

The Index shows that 92% of occupiers are piloting AI applications, but only 5% have deployed them successfully at scale, frequently because the underlying infrastructure cannot support it. 

Yet for every organisation that does integrate AI into building systems, the attack surface grows. AI requires persistent connectivity and ingests real-time data from sensors, access points, and operational systems. Each integration is a potential entry vector.

The policy-practice gap
Most buildings have a cybersecurity policy. Far fewer can demonstrate it is fully implemented, tested, and maintained. Many policies are adapted from corporate IT frameworks and do not account for operational technology, leaving BMS, HVAC, and access control outside scope.

Effective cyber resilience requires three things: policy, implementation, and ongoing assurance. Buildings that cannot demonstrate all three are more exposed than their paperwork suggests.

The Index also identified an 18-point cyber maturity gap between smaller and larger portfolios. Larger institutional landlords, subject to more rigorous ESG and risk governance requirements, invest more consistently in cyber resilience.

Mid-market landlords, who make up a substantial proportion of US commercial real estate, often operate with similar policy frameworks but with materially less maturity behind them.

Resilience as a risk signal
The trajectory is predictable. As cyber incidents affecting physical building systems become more frequent and more costly, insurers will need better visibility into building-level resilience. 

The same evolution happened with fire safety—certification and independent inspection became prerequisites for cover, not optional extras.

In the US, WiredScore-certified properties already command rents approximately $6.50 higher than non-certified counterparts and outperform on vacancy at 3.8% against uncertified buildings. The market is already pricing resilience. Insurance will follow.

The question for underwriters is not whether smart building cyber risk constitutes a material line of exposure—it does. The question is whether they move ahead of the claims curve or behind it.

Buildings with independently verified cyber resilience credentials offer a measurable basis for differentiated pricing. Buildings without them represent the kind of opaque, self-reported exposure that tends to produce unwelcome surprises at the claims stage.

The building is not just a physical asset but a digital system wrapped in a physical structure, and in a market where AI investment is expanding the attack surface faster than resilience frameworks are being adopted, the gap between a smart building and a secure one is where the risk lives.

About Alastair Walker
20 years experience as a journalist and magazine editor. I'm your contact for press releases, events, news and commercial opportunities at Insurance-Edge.Net
