Real estate professionals regularly practice risk management in dealing with property, but as technology evolves and the industry relies on big data to gain more information, a new threat looms — data thievery.
As real estate companies increase their use of cloud technology, they’re putting their own data (as well as tenants’ data) at risk. Cyber risk management has become a greater focus in the industry today, in light of an increasing number of data attacks targeting real estate companies.
According to Deloitte, some of the biggest cyber risks for real estate companies include theft of significant amounts of cash via wire transfers and theft of personal information.
Organizations can’t afford to slow innovation because it’s not 100% safe and secure. Addressing these risks has to be a fundamental component of today’s business practices. The amount of data regarding buyer behavior and tenant history is larger than ever, but companies much practice cybersecurity risk management to make sure that growth doesn’t come at the cost of clients’ sensitive information.
The estimated size of the U.S. commercial real estate market is $16 trillion. That kind of money will obviously attract a swarm of data thieves. Last year, the FBI reported 11,300 victims of data breaches in the real estate/rental industry, totaling roughly $150 million loss. The FBI pointed to attacks on real estate firms as one of the most alarming trends of 2018. Much like how real estate companies have a risk management structure in the event of litigation, there has to be a cybersecurity risk management plan in place.
What is Risk Management?
To protect themselves from catastrophic losses, real estate firms have to establish risk management strategies. Even the smallest mistake in a real estate deal could wind up in court, costing the business big bucks. Risk management identifies key risks — as well as a plan to mitigate them. Through risk management and insurance, real estate firms can protect themselves from financial ruin due to lawsuits.
Most times, the main complaint for real estate firms pertains to property management. While a single real estate agent may be involved in a handful of transactions per year, property managers are involved in hundreds of smaller transactions. Each transaction adds a varied amount of risk.
Once a risk is identified (say, selling a property with a swimming pool or older fixtures), there are three main ways that risk can be addressed:
- Avoidance — find ways to negate the risk upfront, such as filling in the swimming pool or upgrading the property
- Control — do what you can to reduce the risk; if the decision is made to keep the pool intact, installing a fence or providing some kind of safeguard against incidents
- Transfer — accept the risk, and transfer liability to the tenant, such as mandating the tenant purchases insurance prior to moving in
As more real estate firms are discovering, you need these types of strategies when it comes to cybersecurity, as well.
Why Do You Need This For Cybersecurity?
A lawsuit isn’t the only thing that can raid a real estate firm’s coffers — or reputation. Data thieves and hackers are targeting the industry with reckless abandon. Technology almost always evolves ahead of security; the evolution of cloud computing, WiFi and other web-based, paperless methods of operation means that there are significantly more avenues for a bad actor to do damage.
As a Deloitte report stated, many real estate companies are “inadequately prepared for cyberattacks.”
Earlier this fall, New York-based The Corcoran Group was hit with a major data breach, compromising sensitive information. Someone hacked into an executive’s email account, sending agent splits, marketing budgets and gross commission income to the entire company.
This intrusion sent shockwaves across the real estate industry landscape, as many firms took the occasion for a teachable moment, educating employees on proper cybersecurity and examining their own risk management strategies. Many firms have reported fending off hackers on a daily basis. Even if money isn’t lost directly through cyber hacks, it can still cost firms $10,000 per device to do a thorough hardware security scan.
Two of the prominent risk management strategies that companies use when managing properties come into play when it comes to cybersecurity.
- Avoidance — don’t expand into new technology until you have the capability to secure your data on that platform
- Control — invest in monitoring or greater cybersecurity measures, relieving the burden of your IT staff and stonewalling hackers before they can access sensitive data
Advocate for it at the highest levels and make sure that C-level executives know just how dire of a threat this is. Cyber risk must be taken seriously a structural issue, not as a one-off failing of your IT department or the success of an opportunistic hacker.
Next, it’s time to determine responsibility for cyber risk management. It’s important that real estate companies create a governance model for cyberattacks across the board, led by at least one senior executive who can take over in a crisis.
From there, develop and implement policies so there’s a plan if there is an attack. Smaller real estate firms can look to the U.S. Department of Commerce’s Cybersecurity Framework to get the ball rolling. With this in place, real estate companies can make informed choices and identify what steps are needed to reduce threat and achieve cyber risk management goals.
Once plans are in place, real estate companies can continue to educate themselves on the latest cybersecurity tactics, helping employees understand the day-to-day threats that come with transactions. Enacting behavioral change within the company (through education and rewards for safe practices) will greatly reduce the risk of preventable breaches, like compromised passwords.
Business leaders understand that cybersecurity has to be at the forefront, but investment in this kind of protection in the real estate community has lagged behind adoption. With the significant amount of money and data involved in property transactions, cyber risk management is an absolute must.