Cybersecurity’s Role In Commercial Real Estate

The standard cybersecurity best practices that apply to any industry also apply to commercial real estate, Ten-X’s VP of data products Sheridan Hitchens tells We spoke exclusively with Hitchens, along with Manly, Stewart & Finaldipartner Morgan Stewart; Joe Derhake, CEO of Partner Engineering & Science; Elliot Vermes, CEO of ResiModel; Norm Miller,Hahn Chair of real estate finance at theBurnham-Moores Center for Real Estatewithin the School of Business at theUniversity of San Diego; David Tobin, founder of Mission Capital Advisors; Charles Clinton, CEO of EquityMultiple; Michelle Schaap, a member of Chiesa Shahinian and Giantomasi’s media and technology, construction and corporate and security practices; and Jorge Rey, director of information security and compliance for CPA firm Kaufman Rossin, about cybersecurity’s role in commercial real estate and how it is likely to change in the future. Stay tuned for a more in-depth treatment of cybersecurity and big data in real estate in the July/August issue of Real Estate Forum. What role does cybersecurity currently play in the commercial real estate industry, and how do you see this role changing over time?

Hitchens: The standard cybersecurity best practices that apply to any industry also apply to commercial real estate. The rise of blockchain—a distributed database that maintains a continuously growing list of data records secured from tampering and revision—is also likely to affect several of the fundamental real estate processes. Blockchain can effectively act as a third-party verification service for buyers and sellers, which can drastically reduce fraud and reduce escrow periods.

Stewart: Cyber-attacks aimed at hacking into networks that contain personal information about consumers, employees and businesses are on the rise. In fact, a survey by Deloitte found that cyber-attacks is a top concern among 74% of corporate executives. As technology becomes smarter, so will hackers. Any business, nonprofit, and government agency with exposure to or doing business on the Internet is at risk of cyber-attack. Some example in recent years are breaches to Target and Home Depot networks that affected millions of credit-card customers, the Internal Revenue Service breach that affected 100,000 taxpayers, and the Office of Personnel Management breach that affected four million federal employees.

A case that brings the damage caused by modern-day hacker-pirates closer to home was an attack to the computer networks at Essex Property Trust, a major apartment investor and manager in Palo Alto, CA. At the time of the breach, Essex, a respected, sophisticated, publicly traded apartment operator with more than 33,000 units in the Western US, publicly stated that it did not have any evidence that information belonging to the company had been used improperly, but data systems impacted were being fully analyzed by independent forensic computer experts retained by the company. Essex president/CEO Michael Schall said in a press statement following the breach that his team was working around the clock to assess the situation and determine if personal information about tenants and employees was at risk. “Protecting the personal information of our tenants and employees—and maintaining their trust—is of critical importance to Essex,” he emphasized. “Unfortunately, cyber-criminals are finding new ways to infiltrate data systems every day, leaving companies increasingly vulnerable to these kinds of events.”

Derhake: Cyber risks should be taken seriously across the commercial real estate industry. I think our clients should make this a priority when selecting any vendor, even a due-diligence provider like me. That’s because cyber risks can be derived from third parties with whom you interact, and a vulnerability in your vendors’ systems create very painful consequences for you. We spend a lot ensuring we have appropriate measures in place to ensure cybersecurity, but I still worry. If you are an institutional real estate investor or a regulated lender you should be asking all of your vendors about their overall cybersecurity posture. There is no one of piece of equipment or application that would fully protect your proprietary information. A proactive defense needs to include employee awareness training, strong firewall and intrusion-detection system, mobile and Wi-Fi device plans, end-user security monitoring, password and access control, backup, physical security and regular review of the policies and procedures which should include penetration and vulnerability testing by a trusted security partner.

Vermes: Whether a platform performs financial analysis or tenant management, the more firms move to web-based platforms, the more they are at the mercy of hackers who can disrupt their operations and potentially expose sensitive data. This means that the security infrastructure is a critical criterion when evaluating different SaaS applications. At ResiModel, we recognize the value of our clients’ data, and we have always put a paramount emphasis on safeguarding the data we handle.

Miller: This is a huge concern. When everything is connected to the ’net, you leave yourself vulnerable to attacks. Having good back-up systems and cyber-guarding software in place will be essential.

Tobin: In the world of vendor relationships with banks, cybersecurity is a very hot topic. As more and more information is digitized, we face real risks that must be mitigated. Frequently, we read about a lost flash drive or laptop or a hacking, which exposes customer data to risk. It’s a similar concern in the real estate space with property, tenant, borrower or legal data potentially being released into the public domain. Because of their small size, sometimes mobile devices aren’t thought of as security risks, but modern smartphones are as connected to computer systems as desktop or laptop computers and should always be secured as such.

Clinton: For most of the industry, cybersecurity isn’t yet a big priority. As reliance on data grows, the importance and focus on cybersecurity has to increase. For EquityMultiple, a real estate crowdfunding company, we’re already focused on data security because we recognize the value of the personal information we store about investors—and the need to vigilantly protect that data grows every day as new investors sign up. One area where cybersecurity will be particularly important is in building system automation that relies on the “Internet of things.” As systems and operations like temperature control, lighting, security, elevators, cleaning, shades and locks all become centrally automated, it’s essential that control of those systems is protected.

Rey: In some areas of the commercial real estate industry (e.g., multifamily investments), property managers may obtain sensitive information (such as financial accounts, credit reports and government-issued documents) from their tenants or potential tenants. Property managers may store and/or maintain information that could be targeted by cyber criminals (e.g., driver license, bank accounts, address, credit reports). Currently, cybersecurity is a concern in the commercial real estate industry, but is generally not being prioritized as a high risk in the way that some other industries, such as financial services and healthcare, have been managing that risk. As such, commercial real estate companies that have not considered cyber security risk as a top priority may find themselves ill prepared to detect or prevent data security incidents. As the sophistication of cyber criminals continues to increase, the companies within the industry should respond accordingly and consider ways to bolster their defense against cyber threats.

Schaap: Cybersecurity is a critical consideration for any and all transactions that involve the transfer of financial and confidential, proprietary information (as well as other types of information, which may not play a role in a commercial real estate transaction). In some cases, a company’s acquisition, sale or lease of property may be part of a larger transaction—which could have positive or negative connotations for parties beyond the real estate component. And while the ultimate transaction closing may be of public record (by the recording of a deed or lease), keeping this information confidential until the time of the closing may be critical to either or both parties to the transaction—and is likely a requirement in the deal documents.

For example, if a firm is planning to close its operations in a specific location, advanced notice of the pending sale of the offices may create issues for that company. If a company is expanding into a new market, the company may want to keep this information confidential until it is prepared to announce the move publicly. And if the real estate deal is part of larger transaction (e.g., the sale of a company), confidentiality prior to the closing may be paramount.

Were either side of the transaction, or its advisors, to experience a cybersecurity “event”, the use of this confidential information by a third party could materially adversely impact either or both parties to the transaction in a variety of ways – including its stock (if it is publicly traded), its customer relationships, and its employee relationships, where an office closing had not yet been announced. A breach may also reflect a broader security issue which could impact a larger overriding transaction, such as a merger.

Further, where payment instructions are transmitted electronically, cybersecurity is paramount.

There have been several cases involving the loss of closing proceeds due to false wiring instructions after the original electronic transmission of correct wiring instructions.  Using insecure means to transmit or confirm wiring instructions opens the door to a bad actor accessing credentials or information, and then sending new instructions that seem to be authentic.  Too often, people accept such changed information without verifying the source by telephone, thus allowing millions of dollars to be stolen through reliance upon misinformation.

And if the real estate transaction is, in fact, part of larger transaction, and one of the parties has a security breach, the same would likely need to be disclosed to the other party, which could significantly impact the deal terms and purchase price.

Jorge Rey, CISA, CISM, is a Cybersecurity & Compliance Principal at Kaufman Rossin, one of the Top 100 CPA and advisory firms in the U.S.