CRE Needs to Get Real About Cyber Risk

It’s all too dangerous to assume cybersecurity is just an issue for retail and bank tenants. Building owners need to get real about the dangers too.

Cybersecurity is too often dismissed as an issue that only retailers and banks need to pay attention to—not commercial real estate investment managers or property owners.

That attitude, however, is simply too dangerous given the interconnected, digital world we live in and was one of the issues flagged for attention at ULI’s Real Estate Outlook conference in New York recently.RS

Consider the data that real estate investment managers and their property managers hold in a mixed portfolio of multifamily, office, retail, industrial, and hospitality assets: multifamily tenants’ social security numbers, bank account details, building management systems that can provide access to payment card details, even cash on balance sheets.

Indeed, the November 2013 data breach at U.S. retailer Target—in which 40M debit and credit card accounts were exposed—was traced back to stolen credentials from a third party HVAC contractor, which maintained a data connection with Target for electronic billing, contract submission and project management.

Sensitive data is all around us, and as RSM’s Keith Swiat says, it’s all too easy to get your hands on it. “I spend the most time making people aware of how easy these attacks are actually carried out,” the Northeast regional director of security and privacy told Privcap in September 2015.

While focused on financial services, Swiat argues hackers are looking at every way to access pools of data—not least portfolio companies or contractors that may have connections to parent-company networks. “It might be smaller firms or might be, say, a furniture store out in the middle of Pennsylvania who are like, ‘We’ve been doing this work for 200 years. Who is going to hack a furniture company?’

“A place that doesn’t think that they have much to offer is not going to secure their platform, but they may have something to offer attackers without realizing they do… The attackers are looking for just that kind of attitude.” You can download the interview with Swiat here.

What is disappointing is that the ULI discussion gave only a passing nod to the fact that there are cyber risks within CRE investing. With real estate a renowned technology laggard, it’s time to have some serious discussion of the real cyber risks within property portfolios.