Hackers May See Gold in Multifamily REITs' Systems

NEW YORK CITY—REITs have proven incredibly sensitive to expectations of interest rate moves—now we will see if investors can remain sanguine as hackers target these companies.

First, a word about the former: third-quarter performance for REITs was quite disappointing with the FTSE NAREIT All REIT Index posting a decline of slightly more than 2%, compared with the 1.13% increase registered for the Standard & Poor's 500 Total Return Index. The reason, it is believed, is investors are bracing themselves for the Federal Reserve's expected increase in interest rates.

But that is an old story.

A new development for the industry is this week's report by Essex Property Trust that its computer networks were hacked. The REIT said in a security filing that it wasn't clear if personal financial information about its tenants was compromised.

It could be that tenants' information is safe; however as other companies' experiences with malware show, there is also a good chance that at least some information was compromised. It could take days or weeks before the REIT can complete the forensics to determine exactly what happened.

It is not as though REITs are completely unfamiliar with this issue. Some of the highest profile hacks recently have occurred at Target and Home Depot – important tenants of retail REITs.

Essex, though, is the first time a REIT has specifically been targeted – at least that we know about - and it could well be a harbinger for future attacks at other REITs, a Fitch Ratings report says.

It is easy to see why multifamily REITs in particular would attract hackers. As Fitch Ratings pointed out, rental applications may include proof of income, tax returns, bank account information, past addresses and employers, and other data that is valuable to identity theft cyber criminals. Also many of these REITs offer online portals that allow tenants to pay rent online by credit or debit card.

Indeed, this data pool offers far more detailed information than what traditional retailers have in their systems, Fitch says.

For right now, the biggest headache will be the preventative and post-breach costs and future contingent liabilities, Fitch said.

REITs such as Essex have the luxury of not being too tightly associated in renters' minds with their products – that is, the average renter is not likely to avoid all apartments owned by Essex because of this attack, while the average shopper might well think twice before shopping at Home Depot, or at least use cash there.

For that reason Fitch has concluded that the breaches at REITs will not cause a decline in leasing prospects given REIT's lower public profile, versus the temporary sales decline seen at retailers after a breach.

Still, as executives at Home Depot and Target can attest, these breaches are not pretty; they are in fact very distracting and if large enough, can attract attention from the Hill. Which is not exactly what REITs need now as they focus on what another Washington institution is doing—namely, the Federal Reserve Bank.