Cyber risk in commercial real estate
Preparedness is key
In today’s phono sapien¹ world, interconnectedness and mobile devices have found a toehold in every aspect of our lives—from financial transactions to entertainment to consumption and lifestyle patterns. But, this ubiquity comes with a rider.
March 28, 2018
A blog post by Surabhi Kejriwal, Real Estate research leader, Deloitte Support Services India Pvt. Ltd.
Organizations across the world are becoming extremely vulnerable to
Perhaps, CRE owners feel less concerned about a potential cyber attack as their primary asset is traditionally more prone to structural damage. However, hackers are widening their attack surface at a fast pace and tapping into the business ecosystem in new and sophisticated ways. As such, CRE owners would be remiss if they continue to ignore cyber risk. The 10th edition of Deloitte’s Global risk management survey findings suggest that 41 percent of the institutional respondents consider cybersecurity among the top three risks that would increase in importance for their institutions over the next two years.2
The three primary reasons for the CRE industry to enhance their
- Increase in connected buildings and cities, and heightened tenant exposure
- Investor pressure
- Regulatory emphasis
CRE owners would be remiss if they continue to ignore cyber risk.
Increase in connected buildings and cities, and heightened tenant exposure
In April 2016, we estimated that sensor deployment in the CRE sector between 2015 and 2020 is likely to grow at a compounded annual rate of 78.8 percent to nearly 1.3 billion.3 More detailed and sensitive data may be captured due to increased interconnectivity between building systems and gadgets such as mobile phones and wearable devices. Further, the growth in smart cities would lead to
This is likely to broaden the attack surface for hackers. The hackers would now have more avenues to cause financial and reputational damage to CRE owners, tenants, and other stakeholders. Perhaps, CRE owners do not realize that hackers can use heating, ventilation, and air conditioning (HVAC) and the more advanced smart building management systems to attack tenants.4 The threats that tenants might face to their businesses are not only limited to data theft—they extend to a hit on efficiency, output, and even life.5 As evidenced by recent data breaches where partially integrated building management systems were compromised and tenants suffered financial and reputational damage.
Our research suggests that among traditional property types, retail and hotel tenants have the highest probability of a
The recent Global Industry Classification Standard (GICS) classification of real estate as a separate sector has increased interest from generalist investors. At the same time, investor activism has been on the rise in the real estate space.6 Many of the investors, and rightly so, are pressurizing corporations to strengthen their cybersecurity measures.
As per Securities & Exchange Commission’s (SEC’s) updated cybersecurity disclosure guidelines, public companies are expected to “take all required actions to inform investors about material cybersecurity risks and incidents in a timely fashion, including those companies that are subject to material cybersecurity risks but may not yet have been the target of a cyberattack.”7
In its 2018 examination priorities, the SEC’s Office of Compliance Inspections and Examinations’ (OCIE) has prioritized cybersecurity.8 Compared to 2017, the OCIE has extended the scope of its examination to include “governance and risk assessment, access rights and controls, data loss prevention, vendor management, training, and incident response.”9 As a result, the OCIE examiners could potentially request related documents,
Additionally, the SEC’s updated cybersecurity disclosure guidelines emphasize that the board of directors take ownership and responsibility for developing and supervising cyber risk mitigation controls and procedures.10 The SEC also mandates periodic reporting and timely disclosure of potential material cyber risks and the controls and procedures.11
Preparing for the growing focus on cyber security
CRE companies need to prepare for OCIE’s and SEC’s growing focus on cyber security.
You will probably agree with me that cyber risk should be a major cause for concern for CRE owners. It has the potential to cause significant damage—to finances, reputations and the environment. In such a scenario, it is imperative that CRE players make cyber security a strategic business priority. They can consider various approaches to be more secure, vigilant, and resilient as highlighted in our report, “Evolving cyber risk in commercial real estate: What you don’t know can hurt you.”
1 Phono sapiens refers to doing everything on the phone; the term was coined by the Economist.
2 Edward Hida, “Global Risk Management Survey, 10th Edition: Heightened Uncertainty Signals New Challenges Ahead”, Deloitte Insights, March 2017.
3 Surabhi Kejriwal, Saurabh Mahajan, “Smart buildings: How IoT technology aims to add value for real estate companies”, Deloitte Insights, April 2016.
4 “BMS and Smart Systems Faced with the Challenges of Industrial Cybersecurity”, Company press release, May 18, 2017.
5 Patrick Tucker, Major Cyber Attack Will Cause Significant Loss of Life By 2025, Experts Predict, Defense One, October 29, 2014.
6 Tom Yeatts, “Activists upping the ante in real estate,” S&P Global Market Intelligence, June 21, 2017, “Growth of REIT Industry Helping Attract Activists, Menna Says,” NAREIT, April 4, 2017.
7 “Commission Statement and Guidance on Public Company Cybersecurity Disclosures”, Securities and Exchange Commission, February 26, 2018.
8 “SEC Office of Compliance Inspections and Examinations Announces 2018 Examination Priorities”, U.S. Securities and Exchange Commission, February 7, 2018.
10 “Commission Statement and Guidance on Public Company Cybersecurity Disclosures”, Securities and Exchange Commission, February 26, 2018.
QuickLook is a weekly blog from the Deloitte Center for Financial Services about technology, innovation, growth, regulation, and other challenges facing the industry. The views expressed in this blog are those of the blogger and not official statements by Deloitte or any of its affiliates or member firms.