Cyber Security Move to the Forefront for CRE

Deloitte’s 2020 Commercial Real Estate Outlook predicts that commercial real estate companies will continue to invest in technology.

As companies spend on these technologies, such as Artificial Intelligence (AI), apps and the internet of things [IoT], they need to be cognizant of digital security, specifically their customers’ data. Jim Berry, Deloitte’s US Real Estate sector lead, says 45% of survey respondents stated they have developed in-house cyber resilience capabilities to limit the exposure of private data and the potential impact of a data breach.

“Recognition of the fact that these risks are very real and increasing in complexity requires a company to continue to focus on and challenge themselves to make cybersecurity an upfront part of all they do currently and in the future,” Berry tells GlobeSt.com. “Access to data, while presenting a real opportunity for CRE companies, also increases the need to strengthen and continue to enhance their cyber strategies.”

Berry says incorporating privacy by design, whereby upfront design of new technologies and processes, will allow a better hold over the places that create the biggest data security risks. As an example, he points to CRE organizations’ response to EU General Data Protection Regulation (GDPR) regulations. “The regulation mandates all organizations—including CRE companies—to obtain express opt-in consent from citizens to collect their data and promptly notify them of data breaches or risk paying steep fines,” Berry says. “Citizens also have additional privileges, such as the ‘right to access’ and the ‘right to be forgotten,’ which enables them to know if and how their personal data is being used and to demand the erasure of all personal data.”

Berry says that monitoring third-party risks should continue to be a real focus for CRE firms, as partnerships with other organizations and technologies continue to expand. Before engaging with third-parties, companies should evaluate the diligence of their data governance model, the robustness of their IT systems, their financial health, the performance of prior service level agreements (SLAs) and compliance with regulations.

Those SLAs should have information security clauses. “The SLAs could specifically include clauses around the expected levels of security, rules on sharing information and conducting random audits, and penalties on breaches of any SLA clauses,” Berry says. “[They need to] evaluate susceptibility to cyber-attacks through the suppliers’ systems and gain an understanding of cyber security awareness among suppliers’ employees.”

SLAs should also include the expected levels of security, rules on sharing information and conducting random audits, as well as penalties on breaches of the agreement, according to Berry.

“CRE firms would have to assess their risk exposure, potential threat vectors and vulnerabilities,” Berry says. “A detailed scenario planning and cyber risk assessment would allow companies to evaluate susceptibility to cyberattacks and identify appropriate responses. As such, there is no cookie cutter approach to developing cyber security programs. It needs to be tailored for every organization.”