There’s an ever-growing volume of commercial real estate industry business being conducted online. Terrabytes of documents and data get swapped and more sensitive information than ever is archived in cloud storage. Such information provides juicy targets for hackers and identity thieves, making data security a growing issue for the sector.
“There is a thriving, active criminal market for data, for systems, and to ransom and control and extort from companies,” says Jonathan Fairtlough, managing director with Kroll’s cyber risk practice, based in Los Angeles. “Property systems, property groups, malls and real estate [are] no exception to this growing trend. And with the ongoing investment [into proptech], it is in our belief that it will become an even more attractive target.”
Global proptech investments reached record levels in 2019, according to data from CRETech. Unlike 2018, where the industry tightened investments in real estate tech companies, 2019 saw a surge in both deal and dollar volume. But that surge in investment only garnered more attention to the space from hackers.
“For the last few years, the amount [hackers] have been asking for has been going up,” says Aloke Chakravarty, co-chair of Snell & Wilmer's Investigations, government enforcement and white-collar protection practice group focusing on cybersecurity, data protection and privacy. “More recently, the demands have gone up, and I think it’s more than just inflation. There are many more threat actors out there. That has led to a proliferation of ransomware attacks.”
Because of the nature of the real estate business, there’s an abundance of personal information being kept during the process of buyers and sellers. That information can create privacy breach issues if exposed, says Fairtlough. Attackers can access this information through devices connected to the internet, controlled by the internet or accessible via the internet.
This includes anything from HVAC systems, security systems, alarm systems, air temperature monitors to even elevator and escalator systems. By breaking into these networks, hackers can steal valuable data such as asset income, bank account information, social security information and tax information.
“Once the attacker gains access to the network, they have a look around, because what they’re looking for are the systems they think are going to be the most critical. What they’re going to target are financial systems, payment systems, email systems, communication systems and if there happens to be a portal or something that is part of the business, that will be targeted as well,” says Fairtlough. “Once they’re in the system and they identify what’s there, first thing they’ll do is turn off the backups. Most of us are now using electronic backups that are run through the network, so if they have the right credentials, they simply turn them off, and then they will zero them out, meaning they will erase them but leave indications that data is still there, basically turn the backup into a bunch of nothing.”
Along with implementing smart data privacy education to employees and software and hardware tools, Fairlough and Chakravarty also recommend cyber insurance. Around 86 percent of firms already have cyber insurance, while 14 percent do not, according to Draper and Kramer research. But not all cyber insurance covers the same threats.
“I think it’s absolutely critical to have robust cyber security insurance. A typical insurance does not cover the types of cyber-attacks that we’re seeing. There can be a lot of variants of cyber insurance,” says Chakravarty. “Unlike other insurance though, there is less transparency. So, it’s important to [find] what those policies are protecting against compared to that assessment of your own vulnerabilities and risks and where your valuable data is. One of the things you want to look for, particularly in this industry, is first-party liability and third-party liability because of the various vendors or customers who may have access to your data. It is likely you want to have that third-party insurance.”
Fairtlough says this discussion of data privacy needs to “become a conversation at the executive level.” He says firms should identify where their vulnerabilities are, and where they are most susceptible to cyber attacks.
“This concept of this risk discussion, the data map, understanding what you have, it’s going to move from a good idea to a requirement,” says Fairtlough. “There’s a change coming in what data you can keep, how you can use it and how you have to account for it. A smart firm will start by understanding what they’re keeping, and why they need it. And if you don’t need data, don’t keep it. Limit your exposure by controlling the information. Don’t give things out of a ‘what if’ or a potential or a ‘I might need to go back to it someday.’”