No matter how you look at it, cybersecurity risk continues to climb. Eight in 10 organizations experienced more than one data breach during 2022. Publicly reported ransomware attacks were down slightly, but the amount of stolen data more than doubled from 2021.
As the commercial real estate (CRE) industry becomes more reliant on digital technology and automation, the threat of cyberattacks grows. So, what are the appropriate steps to mitigate the risk? How do you keep up with ever-evolving threats? Is your business in compliance with the latest regulatory requirements? Consider making these five crucial shifts in your approach to cybersecurity responsibilities in real estate.
Shift 1: Redefine cybersecurity responsibility.
The average cost of a data breach in the U.S. was $4.35 million in 2022. The long-term impact on a company’s bottom line can push the costs much higher. CRE firms without appropriate cybersecurity processes and protocols can be liable for damages. For public companies, not having adequate preventive measures can be considered a breach of fiduciary responsibility, opening executives and board members up to litigation.
CEOs and boards of directors can’t afford to simply delegate cybersecurity responsibilities to the Information Technology (IT) team. Cyberattacks and data breaches affect every facet of operations, racking up substantial financial damages and harming a company’s reputation. As a result, executives must view cybersecurity as an enterprise risk and include it in regular risk assessments, strategic planning and testing. As a foundation for your risk assessment, start by answering two basic questions:
- What data is critical for operating your business?
- If a cyberattack took out your servers, would your business be able to function?
Shift 2: Broaden the scope of cybersecurity efforts.
Digital transformation, artificial intelligence (AI), cloud computing and remote work put your firm’s networks and systems – and the data they contain – at risk for cyberattacks. Protecting data, customer privacy and your business’ intellectual property doesn’t end with internal efforts. A recent survey found that companies work with an average of 88 third-party vendors, such as software vendors, service providers, subcontractors and resellers. In the past two years, 57% of executives responding to the survey said their firm experienced a breach or attack tied to a third-party partner.
View vendors and suppliers as part of your overall cybersecurity strategy. In other words, if a vendor or supplier has gaps in their processes, you have gaps, too. One consistent way to evaluate a partner’s (and your own) data privacy and security practices is through an independent assessment called a System and Organization Controls (SOC 2) report. While SOC 2 compliance isn’t mandated for CRE firms, it is an expected standard for any business handling customer data.
Shift 3: Invest beyond insurance.
Cyber insurance is a vital piece of a comprehensive cybersecurity strategy. However, as threats expand and evolve, cyber insurance premiums are increasing even as insurers add coverage limitations and exclusions.
Consider cyber insurance as backstop protection that complements the other elements of an integrated cybersecurity strategy. Then, strategically invest in the tools, processes and people you need to reduce risk and prevent attacks. Today, 71% of businesses overall and 64% of small companies see cybersecurity as a significant risk. Yet only 30% of smaller firms make it an investment priority.
Shift 4: Build awareness through education.
Constantly evolving threats, including those using AI and sophisticated deepfake technology, require a comprehensive and ongoing education program for employees at all levels. Employees are the first line of defense against data breaches and cyberattacks, and they’re often an easy target for cybercriminals. A Stanford study found that 88% of data breaches involved human error.
The objectives of cybersecurity training and education for employees are twofold. First, increased awareness helps employees understand potential threats. Second, educational programs give employees the knowledge they need to identify threats, prevent attacks and respond to incidents.
Shift 5: Take action beyond what’s required.
Proposed 2023 regulations by the Securities and Exchange Commission (SEC) focus on new requirements for how firms, including Real Estate Investment Trusts (REITs), disclose information about cybersecurity risk, strategies and governance to investors. In addition, the proposed regulations would implement communication requirements in the event of a cyberattack.
While regulatory compliance is essential, keeping your business ahead of rapidly evolving threats often means not waiting for mandates. Today’s proactive prevention and protection strategies require the involvement of cybersecurity experts — as part of your internal team, as outside consultants or both. Lean on experts to conduct regular security audits, including independent assessments, to address gaps and manage day-to-day operations. Cybersecurity experts will also help you establish and adapt a strategy tailored to your business across four critical steps: identification, protection, response and recovery.
The cybersecurity and commercial real estate industry experts at CBIZ can help you evaluate your company’s cybersecurity needs and ensure you have the appropriate processes in place to reduce your risk. Connect with a member of our team and gain access to more resources on cybersecurity responsibilities in real estate.
This article includes input from Ray Gandy, Director and Leader of the IT Risk & Assurance Practice at CBIZ, and Samuel Carucci, Senior Vice President and Claims Service Leader of CBIZ Insurance Services, Inc. From Ray’s vast IT leadership and strategy to Sam’s expertise in national claims management, our teams at CBIZ can create a reliable and knowledgeable partnership to ensure your company’s safety is at the forefront.
© Copyright CBIZ, Inc. All rights reserved. Use of the material contained herein without the express written consent of the firms is prohibited by law. This publication is distributed with the understanding that CBIZ is not rendering legal, accounting or other professional advice. The reader is advised to contact a tax professional prior to taking any action based upon this information. CBIZ assumes no liability whatsoever in connection with the use of this information and assumes no obligation to inform the reader of any changes in tax laws or other factors that could affect the information contained herein. Material contained in this publication is informational and promotional in nature and not intended to be specific financial, tax or consulting advice. Readers are advised to seek professional consultation regarding circumstances affecting their organization.
“CBIZ” is the brand name under which CBIZ CPAs P.C. and CBIZ, Inc. and its subsidiaries, including CBIZ Advisors, LLC, provide professional services. CBIZ CPAs P.C. and CBIZ, Inc. (and its subsidiaries) practice as an alternative practice structure in accordance with the AICPA Code of Professional Conduct and applicable law, regulations, and professional standards. CBIZ CPAs P.C. is a licensed independent CPA firm that provides attest services to its clients. CBIZ, Inc. and its subsidiary entities provide tax, advisory, and consulting services to their clients. CBIZ, Inc. and its subsidiary entities are not licensed CPA firms and, therefore, cannot provide attest services.