Is Your Commercial Real Estate Company Prepared for a Cyberattack?

October 30, 2017
Written by: Amanda Marsh, CREW New York

Last month, Equifax announced as many as 145 million people may have had personal information stolen from the consumer credit reporting agency.


It was only one of many major hacks, leaks, and data breaches that have impacted people globally this year.

Commercial real estate is certainly not immune from attacks. According to KPMG's 2017 Real Estate Industry Outlook Survey, 30% of real estate leaders have reported their company had experienced a cybersecurity event in the previous 24 months. Additionally, only 50% of respondents are adequately prepared to prevent or mitigate such an event.

A 2017 report from IBM and the Ponemon Institute notes the probability an organization will experience a material data breach (meaning 10,000 or more lost or stolen records) over the next two years is nearly 28%. The cost incurred for each lost or stolen record was $141, while the average cost of a breach was $3.6 million.

Hunton & Williams partner Walter Andrews and associate Jennifer White recently wrote in the Commercial Observer that commercial real estate was once considered less at risk for cyberattacks, given the relatively small amount of personal and intellectual data it maintains compared to financial, healthcare, and retail companies. As a result, our industry has been slower in cybersecurity and insurance investment that would mitigate some of the risks of these technology crimes.

But that has only made it a growing target for cybercriminals. According to KPMG, these factors make commercial real estate particularly attractive:

  • Systems contain leases, rental applications, credit reports, and deal financing terms that have payment card data and personally identifiable information on tenants and clients

  • Confidential data is often exchanged through email, mobile devices, and the cloud

  • Smart building technologies create potential intrusion vulnerabilities

  • REITs manage huge sums of money that can be targeted online

  • Owners and operators of properties with high-profile tenants can be targeted to steal secrets or financial information from those tenants

  • Vulnerabilities in real estate service providers’ cybersecurity could expose an extended network

Newmark Knight Frank executive managing director Geoffrey Kasselman told Bisnow there are two types of businesses: ones that have been hacked and those that will be. One of his clients was the latter: It rejected a $10,000 to $15,000 cost to improve the security of its data, and then hackers later accessed its customer list, sending out phishing emails under the company’s name. It cost the client $120,000 to fix the problem and lost sales.

Kristy Simonette, a CREW Houston member, is senior vice president of strategic services for Camden Property Trust, a REIT that owns over 52,000 apartment communities across the United States. Cybersecurity is something that her company has been heavily focused on over the last five years, she said, as it recognizes its responsibility to protects its employees’ and customers’ data.

One of her biggest concerns is that an employee might click on an innocent-looking link or open an email that infects the Camden network. She said the company has invested in all the latest technologies to prevent intrusions of bad actors, protect against advanced malware threats, and provide extensive and mandatory sensitive data and general cyberthreat awareness training for all employees. It also has cybersecurity insurance that includes a team of lawyers and professionals—known as a “breach coach”—that can help the REIT react accurately and quickly in the event of a breach.

Luckily, Camden has not been victim of a major breach—but Simonette has heard stories about personally identifiable information compromised, files held for ransom, and spoofed money wiring requests at other commercial real estate companies.

“Be prepared,” she said. “It is no longer if—it is when.”

Her recommendations: Make sure to educate employees as to what sensitive data is, how it can be compromised, and how they must be diligent in protecting the company’s sensitive data and digital assets. Also invest in technology tools to protect your company and partner with a security firm to help guide you through the swiftly changing conditions. A good first step is contacting the insurance company that covers your assets.

Andrews and White said the right cyber insurance policy makes all the difference, covering lost business income, extra expenses, forensics, and notification costs associated with investigating and resolving a breach. But for other losses, they recommend revising traditional insurance policies, particularly crime coverage.

The National Association of Realtors has released a checklist for the real estate industry offering best practices in curbing the risk of cybercrime, including email and password hygiene, IT-based security measures, and law, policy, and insurance considerations. Because data protection and cybersecurity laws differ across the country, it recommends working with an attorney licensed in your state to develop cybersecurity-related programs, policies, and materials.


Amanda Marsh is the founder of Buzzmaestro, which provides business writing, editing, and consulting services to real estate and other industries. Previously, she was a commercial real estate journalist with Bisnow and Commercial Property News. She has been a member of CREW New York since 2015, and serves on CREW Network’s Communications and Editorial Committee.