Notes from the NMHC Annual Meeting

I attended the National Multifamily Housing Council (NMHC) annual meeting last week in Orlando, FL. Abacode is a cybersecurity leader in U.S. multifamily real estate industry – which encompasses 40 million multifamily units valued at $3 trillion. More than 800,000 people work as employees of the management industry, while tech and service vendor companies employ hundreds of thousands more. And the industry is growing, requiring 4 million more units by 2030 just to keep up with demand. (Source: https://www.forbes.com).

The first thing that struck me about this year’s conference was the number of people attending in person. NMHC said there were some 3,500 registered attendees, and it appeared that, despite COVID fears, most of them showed up. I suppose the lure of Florida sunshine and escaping the sub-zero temperatures and blizzards up north was enough to trump pandemic worries. People are really clamoring to get back together, press the flesh, and exchange ideas. Here are a few of the things I learned from the meeting…

There are a lot of people with money to invest! I saw people holding up “WE HAVE EQUITY” signs like the Progressive Insurance sign-spinning guy. So, if there are pending multifamily real estate projects just awaiting some funding, there is money out there. I spoke to several investors, and some of the key projects were not just in multifamily but also single-family built-to-rent and hotel properties. The amount of money flying around in this industry definitely makes me nervous, because you know that these money people and their builders are largely clueless about cybersecurity. Some had heard the horror stories – about wire transfers going to the wrong accounts and so forth – but they still didn’t know how to deal with these issues.

When I explained that the best way to protect your investments and financial transactions is to have an expert team come in a run a holistic cybersecurity program compliant with best practices, this message certainly resonated with many of the investors. I also explained the concept of cybersecurity due diligence. Just as capital providers will send out a team of accountants to perform financial due diligence prior to lending money, we can deploy a team of cybersecurity analysts to assess the security of a firm’s networks and data infrastructure. We can help make sure investors are not “buying a breach.”

Despite being very savvy about the return on investment (ROI) of their construction spend, these financial folks are unfortunately not very astute when it comes to cybersecurity ROI. They believe that they can’t afford a $100K/year program to lower cyber risk and prevent devastating breaches such as financial fraud and ransomware. But the reality is that without these protections, it’s not a matter of if – but when – they will be breached, and how much it will cost them at that point (research suggests $USD 4.24 million on average).

I love a good underdog story. So, I really enjoyed the expert panel of African-American investors. These preeminent entrepreneurs all had great stories to tell about overcoming adversity to achieve success in the industry. While some may not have experienced outright prejudice, they were certainly underestimated – and used this to their advantage. Buwa Binitie, managing principal of Dantes Partners, spoke of going into a meeting and having the people there wonder when the “real” investor was going to show up. As it turned out, he was the guy, and – surprise! – he had his own money to invest and was not dependent on any other outside equity.

Several of the panelists said they had also benefitted from having a mentor to influence and guide them. This underscores the role of senior experts (or “graybeards,” as we say in tech) taking the time and effort to bring along young, high-potential protégés. This is something I’ve always tried to do, dating back to when we first started the Whitehatters Computer Security Club (WCSC) at the University of South Florida in 2005. It warmed my heart to attend the first WCSC meeting of the semester on Friday and find a standing-room-only crowd of 70+ students there meeting in-person for the time in two years. There is such a shortage of cybersecurity talent right now, I feel that it is especially incumbent on senior industry leaders to help lead this next group of Whitehatters into the future.

At the NMHC meeting, it was also fascinating to hear from Bob Iger, the recently retired executive chairman of Disney, speak about how he negotiated the purchases of Pixar, Marvel Studios, Star Wars, and 20th Century Fox. Talk about win-win! – in every case, both the buyer and seller made huge bucks off the deals.

Iger also made 46 trips to China in support of business development there, especially around Disney World Shanghai. Just like the NBA, however, Iger had little to say about Chinese human rights abuses; although he did complain that the Chinese blackballed Marvel’s “Shang-Chi” – a wholly pro-China movie – saying it was derived from the 1970s era comic books that portrayed Chinese stereotypes. Oh well, you can’t please everyone.

The issue of future tech (e.g., the metaverse, augmented reality, Internet of Things) came up not only in the Iger interview, but also in the NMHC expert panel on construction and development with Julie Smith (Bozzuto), Steve Bancroft (Trammell Crow), and Matthew Bearden (Gables). However, little was said about the security ramifications of leveraging that tech.

That trend continues across all industries, unfortunately. To quote the fictional Dr. Ian Malcolm in Michael Crichton’s Jurassic Park: “Scientists are actually preoccupied with accomplishment. So they are focused on whether they can do something. They never stop to ask if they should do something.”

Just to clarify, I’m not against technological progress. I just think we ought to take a breath sometimes before forging ahead. To be certain, baking in security up front is less costly and more effective than trying to bolt on something after the fact. This lesson has been learned over and over, but the rush for progress and getting product to market quickly often trumps good judgment when it comes to security.

In all, my sense from the NMHC annual meeting was – despite COVID (or maybe due to it) – the industry has been languishing inside like a Jack-in-the-Box. There was this coiled spring and someone turning the crank in anticipation of the moment when Jack would leap unexpectedly out, causing you to gasp momentarily at the shock and force of the expulsion. Then, once released, what will happen? Stay tuned…