Securing the enterprise: Assessing cyber risk in commercial real estate



Real Estate Predictions 2019

Written by: Surabhi Kejriwal, Lauren Hampton (US)

Evolving technologies, business models, and risks

As extensive technology advancements reshape the traditional commercial real estate (CRE) business model, owners and operators must contend with new forms of risk, including cyberattacks, information security, and data privacy. For example, the growing use of IoT technologies such as sensor-enabled building management systems could broaden the attack surface for CRE firms, increasing access to sensitive data that can cause financial and reputational damage to owners/operators and tenants. The question is, then, are CRE companies ready to handle cyber risks?

To better answer this, Deloitte conducted a global survey in 2018 of 500 institutional investors. The survey revealed that only 25 percent of respondents are very satisfied with CRE companies’ cyber risk preparedness, though the rates do vary by geography (see figure 1). Given this assessment, CRE companies should probably consider how to better balance their investments in technology with their ability to manage growing cyber risks.

Navigating cyber risks

With the heightened threat from cyber risks, surveyed investors expect investee companies to make cybersecurity a leadership-driven business priority, perform regular cyber risk assessments, and conduct awareness campaigns to evaluate susceptibility to potential attacks. It is imperative that CRE companies take a proactive approach to determine appropriate responses to cyber risks and be more secure, vigilant, and resilient.

Make cybersecurity a leadership-driven business priority

Involvement and engagement of senior management and the board is crucial to making cybersecurity a strategic business priority and maintaining it. The SEC’s updated cybersecurity disclosure guidelines emphasize that the board of directors take ownership and responsibility for developing and supervising cyber risk mitigation controls and procedures.1 As such, CRE senior management and boards should be deeply involved in developing policies; framing the cybersecurity policy, roles, and responsibilities; assigning budgets; and tracking overall progress to establish and maintain accountability. The board and senior management should strongly consider appointing a cybersecurity officer—who should be an accountable cyber risk strategist and advisor along with senior management—to design, execute, and align their cyber risk strategy with a central mandate. To do this, the CRE board and senior management must work together rather than in silos.

Perform regular cyber risk assessments

A detailed scenario planning and cyber risk assessment would allow companies to evaluate susceptibility to cyberattacks and identify appropriate responses. Companies should develop a cyber risk assessment framework that offers guidelines to evaluate the threat landscape and align appropriate resources to manage the risk.2 Bearing in mind that it is not possible to eliminate risk, CRE companies should deploy advanced detection technologies such as artificial intelligence to sense potential threats and use analytics to devise appropriate response management tactics.3 It is important to not treat cyber risk assessment as a singular activity but rather a regular and ongoing part of the company’s cybersecurity policy and framework.

Moving materials value forward

In the Netherlands, research into the financial activation of materials and its impact on the balance sheet and financial reporting is being spearheaded by well-known architect Thomas Rau and the “Circular Seven” (C7)—a group of seven of the most prominent organizations in different segments of the real estate and construction industry that is seeking to be a frontrunner in the transition to circularity. The reasoning for the C7’s range of stakeholders is two-fold. First, the financial activation of materials will differ per segment based on regulations, such as the different rules for real estate valuation and depreciation. Secondly, the C7 can each share segment-specific insights and best practices, providing a more comprehensive view of materials valuation within real estate.

The C7 research will be published in Q2 2019 and available worldwide. The first of many steps toward a resource-efficient, low-carbon economy with sustainable growth, it is research that may very well change the potential for circularity in real estate and construction.

Conduct awareness campaigns

CRE companies should evaluate employees for their exposure to cyber risks. They should conduct trainings to help employees understand the potential threat and implications of various types of risks, especially cybercrimes, to themselves and to the company. CRE companies may also need to train or hire appropriate cyber risk talent in their organization. Finally, companies should drive behavioral change to instill the responsibility and mutual accountability for risk management among all employees.

The bottom line: Change the mindset

Clearly, CRE boards and senior management need to reassess their current risk prioritization. Some of the key questions they should consider are:

  • Are you broadening the risk management agenda to include newer risks such as cyber risk?
  • Are the CRE board and senior management ready to assume responsibility and accountability for managing these new risks?
  • Are you considering a centralized or decentralized approach to risk management?

To learn more about other factors that are likely to influence institutional investors’ CRE investment decisions over the next 18 months, see the Deloitte report, 2019 Commercial Real Estate Outlook: Agility is key to winning in the digital era.

1 “Commission Statement and Guidance on Public Company Cybersecurity Disclosures,” Securities and Exchange Commission, February 26, 2018.

2 “3 types of cybersecurity assessments,” May 16, 2018.

3 Carlos Molina, “Next-generation cyber attacks call for next-generation solutions,” CUNA Mutual Group, accessed on September 3, 2018.
