Is The CRE Industry Prepared for Cyber Threats? 
Jason Gordon
Click Here to Download for Easy Reading

Passwords, usernames, and personal identification questions have become a routine part of our connected lives, whether we are tending to personal finances, social media, or communications with friends, clients, or business associates. We’ve all had to choose our favorite sports team, or movie. Heaven forbid your preferences should change! While these codes may be an annoyance, we understand that they are a banal but necessary aspect of our online experience, serving to prevent hackers and cybercriminals from doing us harm, financial or otherwise. 

But, as we’ve learned from a seemingly endless litany of news reports, cyber breaches pose serious dangers to the business world, as well. Major data breaches of recent years have impacted virtually every American industry, resulting in billions of dollars in losses, lawsuits, and accompanying reputational damage. From retail to banks, from Hollywood studios to software companies, from hotel chains to web service providers – the list seems endless, and quite frankly, frightening.

So, let’s take a deep breath and proceed with an unbiased look at the preparedness of the CRE industry, in an attempt to determine whether the level of our engagement is commensurate to the magnitude of the threat.  

While commercial real estate firms have indeed suffered multiple cyberattacks, overall the industry has been fortunate in that it hasn’t yet experienced the same level of data breaches as most of the business sectors listed above. “This has probably given many people a false sense of security,” said Baker Tilly IT Risk Senior Manager Mike Cullen in a statement to BISNOW. “As other business get better at security, criminals are looking for easier targets. Construction and real estate could be such targets because they have historically not always taken the necessary precautions.”

While many CRE firms are implementing procedures now, one reason for the slow start in the industry likely stems from a lack of guidelines. Unlike hospitals and the banking sector, for example, there is no federal law (various state laws exist) mandating real estate businesses implement stringent security systems to protect information.
Industry Awareness of the Threat is on the Rise

But the government, in recent years, has been supplying some of the impetus that may be necessary. According to a study and survey by KPMG (one of the big four accounting firms), “All industries, including real estate, are under pressure to step up cybersecurity due to both the business and regulatory risk it presents.” The report emphasizes that “Real estate investment advisors are especially in the spotlight, as the Securities and Exchange Commission included investment advisors and [their] companies in its list of 2017 examination priorities.”

Among the report’s other pertinent findings are that 30% of executives said their firm, or one or more of their properties, had encountered a cybersecurity event during the past two years. And, even more sobering, a full 50% stated, “Their organizations are not adequately prepared to prevent or mitigate a cyberattack.”

A more recent 2019 survey of 140 real estate executives by the law firm, Sefarth Shaw, indicates that anxiety within the industry is growing.  “As news outlets continue to publish stories about large cyberattacks on notable brand companies, the real estate industry has taken notice of its vulnerability.” Overall, concern for cyberattacks grew by over 20% since the 2018 survey. And when respondents were asked specifically whether they are concerned about a cyberattack in on their firm in 2019, fully 69% answered in the affirmative, a major increase from last year’s 46%.

A 2019 survey by Deloitte of 500 CRE investment professionals confirms the industry’s growing awareness of the threat. The respondents cited reputational damage (41%), financial theft/fraud (37%), and theft of personally identifiable information (35%) as the top three impacts of cybersecurity breaches. Others include business disruption (34%), theft of intellectual property (33%), and destruction of critical infrastructure (30%). Clearly, the concerns are multiple and varied.
CRE Industry Specific Threats

Although cyberattacks, such as hacks that can misdirect wire transfers through business email compromise (BEC), malware (and its more virulent offspring ransomware), are dangers across all industries, CRE may present a particularly tempting target for cyber criminals. In fact the FBI has specifically alerted the real estate industry in that they are specifically targeted in BEC attacks: “Every participant in a real estate transaction is a possible victim.”
  1. As more CRE professionals and developers broaden their services, utilizing online platforms, they become increasingly exposed to cyberattacks. Simply stated: there are more points of entry.
  2. Like other industries, CRE is heavily reliant on cloud computing applications. But as the National Real Estate Investor warns, “A criminal does not need to hack a business [to obtain sensitive data]: it can target … cloud providers.” Although it may seem that by using a cloud provider, a  real estate business is outsourcing the risk, this is usually not he case. “Provisions in cloud computing agreements often provide minimal protection … in the event of a cyberattack.”
  3. While “smart” systems have made buildings more efficient, tenants of both residential and office buildings could be vulnerable to breaches through connected technologies, such as HVACs, keycards, smart alarms, locks, voice assisted devices, etc.
  4. Property managers, REITS, and brokers often have extensive amounts of data about tenants and clients which may be contained in rental applications, bank statements, leases, and credit reports. This is exactly the type of information most coveted by hackers.
Also, it’s important to remember that cyberattacks can impact a company’s bottom line in other than the obvious ways. As alluded to earlier, frequent attacks could damage a property owner’s reputation, which in turn could adversely affect the ability to secure leases.
Parting Thoughts

Understanding that cyberattacks are both inevitable and bound to increase over time is probably a good starting point. As CRE firms become more automated and buildings become “smart,” efficiency is improved, but at the same time, the attendant cybersecurity risks grow.

Secondly, securing your own company does not guarantee cybersecurity. Any business or individual with a connection to yours (partners, clients, vendors, etc.), can be a source of risk.

Thirdly, be aware that a cloud computing company does not absolve a real estate firm from liability in the event of a loss to the firm itself or to the company’s clients.

Fourthly, outside of a relative handful of large, multinational real estate firms, most small agencies, brokerages, etc. cannot afford an internal cybersecurity team. Smaller firms should invest in an outsourced service with demonstrated competence and experience serving the real estate industry.

Although some smaller firms will hesitate due to the costs of an outsourced cybersecurity service, the real question that should be considered is not whether it’s affordable to take such a step, but rather, whether it’s affordable not to make the investment.