stack of journals on suitcase


Cyber risk in commercial real estate

Preparedness is key

In today’s phono sapien¹ world, interconnectedness and mobile devices have found a toehold in every aspect of our lives—from financial transactions to entertainment to consumption and lifestyle patterns. But, this ubiquity comes with a rider.

March 28, 2018

A blog post by Surabhi Kejriwal, Real Estate research leader, Deloitte Support Services India Pvt. Ltd.

Organizations across the world are becoming extremely vulnerable to cyberattacks. The commercial real estate (CRE) industry is perhaps one such industry that is sitting on the fence from a cyber-preparedness perspective.

Perhaps, CRE owners feel less concerned about a potential cyber attack as their primary asset is traditionally more prone to structural damage. However, hackers are widening their attack surface at a fast pace and tapping into the business ecosystem in new and sophisticated ways. As such, CRE owners would be remiss if they continue to ignore cyber risk. The 10th edition of Deloitte’s Global risk management survey findings suggest that 41 percent of the institutional respondents consider cybersecurity among the top three risks that would increase in importance for their institutions over the next two years.2

The three primary reasons for the CRE industry to enhance their cyberattack preparedness include:

  1. Increase in connected buildings and cities, and heightened tenant exposure
  2. Investor pressure
  3. Regulatory emphasis

CRE owners would be remiss if they continue to ignore cyber risk.

–Surabhi Kejriwal

Increase in connected buildings and cities, and heightened tenant exposure

In April 2016, we estimated that sensor deployment in the CRE sector between 2015 and 2020 is likely to grow at a compounded annual rate of 78.8 percent to nearly 1.3 billion.3 More detailed and sensitive data may be captured due to increased interconnectivity between building systems and gadgets such as mobile phones and wearable devices. Further, the growth in smart cities would lead to interconnection between information collected by building sensors and the wider network, such as county/state level electric grids etc.

This is likely to broaden the attack surface for hackers. The hackers would now have more avenues to cause financial and reputational damage to CRE owners, tenants, and other stakeholders. Perhaps, CRE owners do not realize that hackers can use heating, ventilation, and air conditioning (HVAC) and the more advanced smart building management systems to attack tenants.4 The threats that tenants might face to their businesses are not only limited to data theft—they extend to a hit on efficiency, output, and even life.5 As evidenced by recent data breaches where partially integrated building management systems were compromised and tenants suffered financial and reputational damage.

Our research suggests that among traditional property types, retail and hotel tenants have the highest probability of a cyberattack through their physical real estate space. In fact, the 2017 Deloitte Holiday Survey findings suggest that 43.5 percent consumers are concerned about shopping at stores that have experienced data breaches in the past year. Among the non-traditional property types, tower and data center owners face significant cyber risk, due to their tenant’s nature of business.

Investor pressure

The recent Global Industry Classification Standard (GICS) classification of real estate as a separate sector has increased interest from generalist investors. At the same time, investor activism has been on the rise in the real estate space.6 Many of the investors, and rightly so, are pressurizing corporations to strengthen their cybersecurity measures.

As per Securities & Exchange Commission’s (SEC’s) updated cybersecurity disclosure guidelines, public companies are expected to “take all required actions to inform investors about material cybersecurity risks and incidents in a timely fashion, including those companies that are subject to material cybersecurity risks but may not yet have been the target of a cyberattack.”7

Regulatory emphasis

In its 2018 examination priorities, the SEC’s Office of Compliance Inspections and Examinations’ (OCIE) has prioritized cybersecurity.8 Compared to 2017, the OCIE has extended the scope of its examination to include “governance and risk assessment, access rights and controls, data loss prevention, vendor management, training, and incident response.”9 As a result, the OCIE examiners could potentially request related documents, particularly ownership of third-party risks as it relates to tenants and vendors.

Additionally, the SEC’s updated cybersecurity disclosure guidelines emphasize that the board of directors take ownership and responsibility for developing and supervising cyber risk mitigation controls and procedures.10 The SEC also mandates periodic reporting and timely disclosure of potential material cyber risks and the controls and procedures.11

Preparing for the growing focus on cyber security

CRE companies need to prepare for OCIE’s and SEC’s growing focus on cyber security.

You will probably agree with me that cyber risk should be a major cause for concern for CRE owners. It has the potential to cause significant damage—to finances, reputations and the environment. In such a scenario, it is imperative that CRE players make cyber security a strategic business priority. They can consider various approaches to be more secure, vigilant, and resilient as highlighted in our report, “Evolving cyber risk in commercial real estate: What you don’t know can hurt you.”

Phono sapiens refers to doing everything on the phone; the term was coined by the Economist.
Edward Hida, “Global Risk Management Survey, 10th Edition: Heightened Uncertainty Signals New Challenges Ahead”, Deloitte Insights, March 2017.
Surabhi Kejriwal, Saurabh Mahajan, “Smart buildings: How IoT technology aims to add value for real estate companies”, Deloitte Insights, April 2016.
“BMS and Smart Systems Faced with the Challenges of Industrial Cybersecurity”, Company press release, May 18, 2017.
Patrick Tucker, Major Cyber Attack Will Cause Significant Loss of Life By 2025, Experts Predict, Defense One, October 29, 2014.
Tom Yeatts, “Activists upping the ante in real estate,” S&P Global Market Intelligence, June 21, 2017, “Growth of REIT Industry Helping Attract Activists, Menna Says,” NAREIT, April 4, 2017.
“Commission Statement and Guidance on Public Company Cybersecurity Disclosures”, Securities and Exchange Commission, February 26, 2018.
“SEC Office of Compliance Inspections and Examinations Announces 2018 Examination Priorities”, U.S. Securities and Exchange Commission, February 7, 2018.
10 “Commission Statement and Guidance on Public Company Cybersecurity Disclosures”, Securities and Exchange Commission, February 26, 2018.
11 Ibid.

QuickLook is a weekly blog from the Deloitte Center for Financial Services about technology, innovation, growth, regulation, and other challenges facing the industry. The views expressed in this blog are those of the blogger and not official statements by Deloitte or any of its affiliates or member firms.

Site-within-site Navigation. Do not delete! This box/component contains JavaScript that is needed on this page. This message will not be visible when page is activated.

Insert Custom CSS fragment. Do not delete! This box/component contains code needed on this page. This message will not be visible when page is activated.

Did you find this useful?