The threat of cyber attacks is growing, particularly as more commercial real estate companies move into increasingly sophisticated buildings with high-tech systems.
“More technology means more data will be shared across different systems, so companies have to think of developing more risk-management platforms,” said Deloitte Center for Financial Services real estate research leader Surabhi Sheth, who authored a recent Deloitte report on evolving CRE cyber risk.
Building owners and managers are increasingly connected with tenants and vendors through integrated building management, communication technology and business systems. This new approach to property management allows a comprehensive and real-time view of various facilities and enables better adaptability to the requirements of specific tenants and buildings.
Intelligent buildings at higher risk
Intelligent buildings tend to be interlinked with tenant systems, creating exposure to tenants where their systems and data can be accessed through building owners’ information technology network.
These systems can act as an entry point for hackers to access tenant data, which can leave building occupants vulnerable to information theft, reduced productivity and threats to personal safety as well as disruption of critical infrastructure and revenue loss that could result in a decline in shareholder value and damage to a company’s reputation.
Meanwhile, web-based transactions by tenants and vendors and the growing use of cloud services, personal smartphones, tablets and social media create multiple access points for personally identifiable information stored by companies.
According to Deloitte’s analysis, the most visible objective for cyber attacks on commercial real estate companies has been the theft of personal and other sensitive information, strategic plans, engineering drawings and tenant information.
Strategies for managing cyber risk
Commercial real estate companies may also be susceptible to treasury management cyber risk, given the significant amounts of money such firms have on their balance sheets and large dollar transactions related to acquisitions, dispositions and financing of properties.
The report suggests organized criminals and/or insiders are the most likely perpetrators of such threats, and a recent SpectorSoft study found 37 per cent of data attacks in the real estate sector are carried out by insiders.
“Owners and tenants need to manage cyber risk by incorporating clauses into leases to define what duties facility owners and operators are required to execute versus the obligations of the building tenants,” said Sheth, who doesn’t think such duties are being sufficiently performed.
According to a 2014 Deloitte business confidence report, one-third of business leaders rated cyber risk as the second-highest obstacle to company growth in the next one to three years. But nearly three-quarters of those leaders weren’t investing in technology to address cyber risks.
“They need to pay attention to data protection and security and have a wholistic cyber risk management strategy that incorporate plans for how a company can make its IT systems secure, vigilant and resilient,” said Sheth.
A good understanding of known threats and controls, industry standards and regulations can help organizations secure their systems. The design and implementation of preventative, risk-intelligent controls involving a number of mutually reinforcing security layers can potentially slow down the progression of attacks in progress, if not totally prevent them.
Dina Kamal, cyber risk service partner for Deloitte, supports companies performing a cost-benefit analysis of the potential damage they may suffer as a result of a cyber attack versus putting a cyber risk management practice in place.
“There are lessons to be learned from the banking industry, but it doesn’t mean we have to spend as much as it does,” she said.
Kamal believes companies should consider outsourcing cyber risk security functions, claiming it might cost them a few hundred thousand dollars versus a few million by doing things in-house because of high-capital investments.
Specialist companies can also take advantage of economies of scale, where they can implement systems in a variety of buildings at once.