Commercial real estate companies and investors, especially small-to-medium sized organizations, are increasingly exposed to cybersecurity risks, social engineering hacks and other cyberattacks. A social engineering attack occurs when hackers exploit a human interaction to obtain sensitive user information or infect computers with malware.
In the recent Seyfarth Real Estate Market Sentiment Survey, 69% of real estate executives reported that they were concerned about a cyberattack striking in 2019. This compares with 46% in 2018, a significant increase. While the media focuses on hacks in the financial, retail and healthcare sectors, the commercial real estate sector is no stranger to unwarranted cyberattacks. According to Bisnow Real Estate News in June 2018, a cybersecurity event hit over one-third of real estate firms in the past two years.
Half of those respondents to the Bisnow survey felt inadequately prepared for an attack. Because financial gain motivates most incursions, the real estate industry is a key target since it is loaded with information hackers seek, including credit card numbers, payroll data and wire-transfer information.
Cyber Insurance Coverage for Small-to-Midsize Business Owners
While many business owners simply endorse cyber coverage onto their businessowners policy (BOP), this approach can fail. When it does, remediation expenses and first- and third-party damages can cripple a smaller business owner. Public relations coverage, business interruption and sometimes third-party losses that can occur after fraudulent wire transfers may leave the business owner with inadequate coverage limits or with no coverage at all. Cyber coverage under the BOP can mislead business owners into thinking they are adequately covered when they are in fact far from it. Today’s risks require specialized coverage. Work with a broker that understands your exposure and has built deep relationships with underwriters at the carriers who specialize in this critical coverage. These relationships and depth of experience can help ensure that if a hack occurs, your cyber insurance will respond quickly to protect your business.
Best Practices for Real Estate Firms
A Google search will list many cyber response plans. However, a response plan developed for a health organization, for example, may not fit the needs of a commercial real estate company. Begin with your cyber insurer, which may offer a plan and even cyber assessments and training tools. Trade associations like the Institute of Real Estate Management may offer templates that can help smaller real estate firms tackle the complicated task of developing a cyber plan.
According to Lewis and Brisbois, a provider of cyber legal training and cyber-response teams, here are some best practices in cyber planning for small-to-medium sized multi-family real estate investors.
Create a cyber response team. A senior officer of your company should lead an incident response team. The team should hold occasional dry runs to ensure each team member knows how to respond. Build your team with an executive who can make rapid decisions, a team leader who will coordinate responses and contact outside sources and security, and information technology (IT) first-responders. In planning, be sure to include representatives from key departments including legal, public relations, risk management and finance. Enterprise risk management (ERM) is an integrated approach to protecting your organization, and your cyber response plan should be at the forefront of your organization’s ERM efforts.
Create a cyber response plan. Do not wait until a hacker strikes your organization to plan. Keep the plan simple but detailed. List the people responsible for each task. Update the list as names change or employees change positions. Your response team will develop a detailed plan that addresses key “what if” scenarios. For example, your team will handle a social engineering hack involving a fraudulent wire transfer differently from a cyber hijacking that locks down your system. Your organization must prepare for different types of cyber intrusions. It must also stay current on emerging cyber threats.
Develop a list of contact information for outside subject matter experts who will help you respond to a breach or attempted breach. This will include your cyber insurance carrier, local law enforcement, your legal counsel, your public relations firm and any vendors who help you with your systems. All team members should have paper backups. You do not want to be scrambling for contact information if a hacker has shut down your system.
Develop a robust, ongoing training program. Today’s attacks often focus on social engineering hacks, which involve phishing emails that trick your employees into disclosing log-in information, compromise their social media logins, or hack other security data. In addition to a monthly mini-training, consider posters, frequent email reminders and even paycheck stuffers reminding employees of cyber-attack dangers.
Embed cybersecurity at the top levels of your organization. Because risk management, including the management of cyber threats, is so deeply aligned with your organization’s business objectives, top managers must commit and consider cyber risk prevention at every level of the organization. Take the ERM approach, not the silo approach to cyber risk.
Stay current on the emergent risks. Historically, cyber risk consisted of hackers infiltrating systems with viruses or malicious programs that eluded virus protection and other security measures. However, as our business models evolved to increasingly interconnected systems, hackers evolved to develop new methods to infiltrate our IT systems. In other words, as business models change, so do hacking tactics. Today’s hackers continue to grow in sophistication. Current risks include payroll transfer risks, fraudulent wire transfer, domain name systems tampering and other sophisticated social engineering hacks. These types of risks mean insurance coverage must protect appropriately against the current threats.
Sophisticated cyber adversaries seek opportunities to exploit real estate investment firms
Real estate investment firms, like many other businesses, are now so interrelated with other organizations and vendors that cyber incursions can arise from almost any business relationship or from new, sophisticated social engineering hacks. Because of the pervasiveness of cyber risks, Lewis Brisbois recommends firms focus on protecting their “crown jewels,” business assets “critical to future cash flows.” This can include payroll data, wire transfer or other critical financial information, trade secrets, domain names and information that could tarnish a business’s reputation. Hackers may not seek just monetary gain; they may pursue data for purposes of political or other reputational damage.
Cyber insurance is one of the fastest growing segments in commercial insurance today. Scores of insurers offer coverage and each cyber coverage form can differ widely.
Commercial real estate investors and owners are at risk. Work with your insurer to improve cybersecurity because one cyber hack can seriously damage your company’s reputation, or in the worst case, put you out of business. At ReShield we pride ourselves on expertise in cyber and commercial real estate insurance.