How CRE Companies Are Protecting Themselves From Cyberthreats
The commercial real estate industry could soon fall victim to cybersecurity threats.
As more people rely on digital platforms to pay bills, do taxes and purchase products, large-scale cyber breaches have impacted the financial, retail and healthcare sectors.
The commercial real estate industry is just as vulnerable to these risks. If CRE companies do not monitor their data, employee and tenant personally identifiable information can go from private to public. Leases, corporate financial data, vendor contracts and employee applications can be released to anyone.
We sat down with CBIZ Vice President of Risk Services Damian Caracciolo to discuss how these cybersecurity threats are impacting the industry, and what CRE professionals can do to protect their data.
CBIZ: At the end of 2017, the data breach at credit reporting agency Equifax exposed sensitive personal information of at least 143 million Americans. This is just another reminder that cybersecurity threats are real and pose significant risks. Is every industry at risk of similar breaches?
Damian Caracciolo: The majority of cyberattacks are motivated by financial gain, which increases the exposure of all companies and organizations holding data that cybercriminals can sell. Every industry is at risk because every company has something of value, and therefore something to target. Over 70% of breaches occur due to preventable vulnerabilities, and the top four patterns of security incidents involve human error or misuse, accounting for 31% of all data loss.
CBIZ: There are several ways to quantify the cost of a breach. What should companies consider as a potential cost of a breach?
Caracciolo: Industry figures vary. On average, direct costs run between $158 and $355 per compromised record. Potential breach costs include investigative costs, breach disclosure costs, legal and regulatory fees, identification of theft monitoring and customer or shareholder lawsuits. When you add those figures, the financial cost can be very high, and the breach itself can impact brand image and reputation. Breaches can easily cost some companies millions of dollars.
CBIZ: What factors should a company consider to determine their level of risk exposure?
Caracciolo: A risk consultant can help a company develop a full risk profile, but here are some common issues to consider:
- Does the company gather, maintain, disseminate or store private information?
- Does the company have a high dependence on electronic processes or computer networks?
- Does the company engage vendors, independent contractors or additional service providers?
- Are employees required to comply with PCI Security Standards or Plastic Card Security statutes?
- Are there employees that may have reason to jeopardize any internal systems?
- Is there a record retention policy in place?
CBIZ: What are some best practices for reducing cyber risk?
Caracciolo: First, companies should document their risk exposure, then regularly reassess the level of vulnerability. A company’s leadership must put processes and procedures in place to manage data retention and data destruction, and monitor compliance regularly.
It is also important to assess the physical security controls at all company and employee sites, including data centers, home offices, field offices and temporary or remote sites. To reduce human error, educate staff on the cyber risks associated with specific job functions.
When it comes to engaging third-party vendors or suppliers, it is important to write language about cyber risk into contracts.
CBIZ: What role does insurance play in cybercrime?
Caracciolo: Even with well-documented and tested procedures and a team of highly trained users, any company can fall victim to cybercrime. Most traditional commercial general liability policies will not cover business interruption losses due to a cyber event. Financial, legal and reputational damage can be limited by the coverage of a cyber liability insurance policy.
Cyber liability insurance continues to evolve in the marketplace. Understanding which cyber risks are most relevant to the company is essential to securing the best coverage.
The insurance must address two critical risks: the liability risk to business if sensitive client or employee information is compromised and the substantial cost of notifying clients that their information has been compromised. This includes credit monitoring, fines, legal fees and forensics.
Cyber liability coverage helps protect businesses from the following:
- Data breaches, including costs for customer notification, some legal costs and credit monitoring for those affected.
- Damages to third-party systems, if, for example, an infected email from one of the servers crashes the system of a customer or vendor.
- Data or code loss due to a natural disaster or malicious activity. Physical destruction of equipment is covered under a different policy.
CBIZ: What is an example of how cyber liability insurance responded to a real estate company breach?
Caracciolo: A real estate company discovered malicious software had been uploaded to its servers by an unidentified third party, which resulted in corrupted files. The hacker had accessed files containing personal information. Subsequent to the data breach, fraudulent charges were made on various credit cards in multiple countries. Lawyers advised the company to notify all affected individuals, and as a result of the fraudulent credit card transactions, the company offered affected individuals credit monitoring services. These expenses were covered under the Customer Support and Reputational Expenses section of the insurance policy.
The company also hired a public relations professional to manage reputational repercussions from the breach, which was covered under Crisis Management Costs. The breach also resulted in IT forensic investigation fees of approximately $250K. The insurance policy covered the cost of identifying and notifying affected individuals and setting up and staffing a call center to respond to inquiries. Additionally, $150K was paid in legal fees to determine reporting requirements and respond to regulatory authorities.
No business is immune to cyber risk, and it is no longer solely the responsibility of a company’s IT department to manage these risks. It is critical that a company’s leadership is 100% on board. A coordinated program of risk assessment, cybersecurity procedures and controls along with risk transference through insurance makes a strong defense. All employees play a role in protecting their company from a potential cyber breach.