In September 2014, a large U.S. real estate investment trust discovered that systems containing key company information and data that could identify a specific individual had been compromised by cyber attack.
Interestingly, said Surabhi Sheth, executive manager and research leader for Deloitte’s real estate services practice, the actual breach happened before April 2014—leaving it unnoticed for more than five months.
“The company recorded a $2.8 million cyber intrusion expense, including investigative fees and identity protection services,” Ms. Sheth said. “However, the company has yet to fully understand the modus operandi, the exact data that was compromised and the full amount of damage.”
As commercial real estate firms step up their use of technology, they are as vulnerable as anyone to cyber attack. Yet many are unaware of the threat. Fortunately, accounting firms are here to offer protection, or at least awareness.
Because the real estate industry has less identifiable consumer information, said Eric Steiner, the chief information officer at Berdon, there’s been less attention paid to the issue of cyber security. “In the last 18 months, cyber security has become more and more a hot topic,” Mr. Steiner said. Other industries have long been aware of the problem—but commercial real estate is somewhat late to the party.
The concerns, he said, are both financial and physical. “It’s not like people go after one type of company or data. It’s not about your 1099s being a target,” said Mr. Steiner. “It’s no longer will you be attacked—but when.”
Ms. Sheth, who, with Bob O’Brien, co-authored Evolving Cyber Risk in Commercial Real Estate: What You Don’t Know Can Hurt You, a report released by the Deloitte Center for Financial Services this May, said the tenants’ and vendors’ increase in connectivity through integration of building management, communication technology and business systems allows hackers to access data through multiple entry points.
Client conversations, the observations of senior partners and the spring 2014 Urban Land Institute (ULI) event were the genesis of the report.
“Interconnectedness through Internet protocol-based networks, HVAC and other industrial control systems and open Wi-Fi networks increase data vulnerability,” Ms. Sheth said.
That’s what happened at Target in December of 2013. A hacker got to them by first hacking an HVAC vendor who had access to their financial systems and the hack wound up compromising the credit and debit card information of some 40 million Target customers, and the email and mailing addresses of 70 million customers. “You see a lot of these connections between various players and either by design or by accident hackers will get in, targeting low-hanging fruit then seeing where it leads,” Mr. Steiner said.
“A firm’s entire accounting system could be infiltrated and records with personally identifiable information such as tenant names, addresses and even ACH [or Automated Clearing House] routing numbers if stored for an in-house ACH debit program could be exposed,” said Emily Kramer, a vice president at ClickPay, a provider of SaaS (software-as-a-service, a.k.a. electronic, over a network) payment and billing services for multifamily and commercial real estate property managers.
A cyber attack on a commercial real estate firm’s accounting system could also wipe out historical payment data, said Ms. Kramer, which would be detrimental to any tenant disputing payments or in a court file.
“The key is being more diligent and using professionals out there to take a look at your systems and see where landlords may be at risk,” said Nicholas Loguercio, a certified public accountant and an audit partner at Berdon, who believes awareness must start at the top.
Tenant information (personal and institutional), financial information (ditto) and even schematic information, if leaked, can be devastating to a firm.
“After 9/11, most landlords strengthened their building access policies. Going forward everyone has to be more diligent,” said Mr. Loguercio, who has worked in commercial real estate for 25 years.
Mr. Steiner, a 20-year tech veteran, told the story of a chief financial officer whose password was obtained. The hacker used it to access the CFO’s email and calendar. When the hacker knew the CFO was on vacation, an email saying ‘I’m away and forgot to send a new vendor a payment’ was sent from the CFO’s account to accounts payable. Knowing the CFO was indeed out, a wire transfer for $50,000 was sent to, yes, the hacker.
“Passwords are a big problem,” Mr. Steiner said. “People don’t like passwords. People use common words and dates, and reuse the same passwords.” Hackers know to test one password across multiple accounts. They can buy lists from the black market for a few thousand dollars.
And it’s not just large firms or large buildings. Operationally, Mr. Steiner said, 20- to 50-person companies are equally at risk, and maybe more so if the IT team is on retainer, not full-time engaged in protection.
“The commercial real estate sector may be uniquely vulnerable to treasury management cyber risk given significant amounts of cash maintained on the balance sheet, as well as large-dollar transactions related to acquisitions, dispositions and financing of real estate properties,” Ms. Sheth said.
From a cyber security perspective, she said, “Players in commercial real estate need to understand that a cyber attack is an inevitable and imminent threat, the intensity of which may vary based on automation level and tenants’ IT exposure, but one that will undoubtedly increase over time.”
Companies should consider developing a cyber risk management strategy that improves their ability to be secure, vigilant and resilient, Ms. Sheth said.
And change and vary your dang passwords. (I did.) It could stop an attack in progress, if not prevent one altogether.