Cyber Risk – Another “Real” in Commercial Real Estate (article)
Imagine . . . your company’s network has been hacked. Leases, corporate financial data, vender contracts and employee applications are all an open book. Employee and tenant personally identifiable information (PII) is now in someone else’s hands. A few years ago, this would have been someone else’s worry. Today, it’s yours.
While large-scale cyber breaches in the financial, retail and healthcare sectors have captured the media’s attention, the commercial real estate industry is no less vulnerable to these risks and is “rich with valuable information that bad actors want.” (See NMHC/NAA White Paper – Multifamily and Cybersecurity: The Threat Landscape and Best Practices.)
In the wake of the Equifax hack, we asked Damian Caracciolo, Vice President, CBIZ Risk Services, to share his professional insights with you in this Q&A with our editorial staff.
Q: The recent news of the massive data breach at the credit reporting agency Equifax, which exposed the sensitive personal information of at least 143 million Americans, is yet another reminder that cybersecurity threats are real and pose significant risks. Is virtually every industry at risk?
A: The majority of cyber-attacks are motivated by financial gain, which increases the exposure of all companies and organizations holding data that cyber criminals can sell. So basically the answer is yes because:
- Every company has something of value, something to target.
- More than 70 percent of breaches occur due to preventable vulnerabilities.
- The top four patterns of security incidents involve human error or misuse, accounting for 31 percent of all data loss.
Q: We understand that commercial real estate has several sectors, one of which is “multifamily” housing, which the NMHC and NAA whitepaper speaks to. Are all sectors as “rich with valuable information”?
A: Yes, the lease and tenant information maintained by the “habitational” sector certainly is a prime target, but virtually all commercial real estate has a rich trove of confidential employee, third-party and corporate information, rental applications and agreements, leases, tax records, federal ID numbers, and social security numbers.
Q: We’ve seen many ways to quantify the cost of a breach. Obviously, not every business has the same size exposure. What should be considered as a potential cost of breach?
A: Industry figures vary; on average, direct costs run between $158 and $355 per compromised record. Potential breach costs include investigative costs, breach disclosure costs, legal and regulatory fees, identity theft monitoring, and customer or shareholder lawsuits. When you add those up, the cost can be astronomical in dollars and debilitating in terms of brand image and reputation. You can very quickly get up into the millions.
Q: Are there specific factors that that a company can tick through to get a feel for their level of risk exposure?
A: Your risk consultant will help you develop your full risk profile, but here are some of the most common issues to consider.
- Do you gather, maintain, disseminate or store private information?
- Do you have a high degree of dependency on electronic processes or computer networks?
- Do you engage vendors, independent contractors or additional service providers?
- Are you required to comply with PCI Security Standards/Plastic Card Security statutes?
- Are you concerned about intentional acts by rogue employees?
- Do you have a record retention policy in place and do you follow it?
Q: Can you describe some best practices for reducing risk in layman’s terms?
A: Absolutely, because we are way past cyber risk being primarily an IT issue. (See Cyber Risk – No Longer Simply an “IT” Issue.) You may require the aid of a risk consultant to put together a unified plan, but these points are certainly understandable by any lay person.
- Fully document your risk exposure; then regularly reassess vulnerability to cyber-attack.
- Put processes and procedures in place to manage data retention and data destruction.
- Track and monitor compliance on a regular and ongoing basis.
- Fully assess the physical security controls at each of your sites (e.g., IT data center, home office, field offices, temporary and remote sites).
- Educate your staff on the cyber risks associated with their job functions.
- Protect your company via contracts with third-party vendors/suppliers. (This is very important yet often missed.)
Q: Verizon reported that 78 percent of breaches are “low difficulty” – what exactly does that mean?
A: Verizon’s report supports what industry experts have been warning in recent years, namely that sophisticated cybercrime hits the headlines, but “average” businesses regularly fall victim to relatively unsophisticated criminal efforts. Lately we have seen a rise in using social engineering to trick people into breaking normal security procedures (phishing/cyber fraud). Further, hackers may be able to easily defeat defenses when basic computer security hygiene is not followed. Because it does not take a sophisticated hacker to breach system protocols weakened by human error or misuse, it is important for management to be involved in data security. It can’t all be left to IT to ensure that best practices become enmeshed in company culture.
Q: You have mentioned “third-party risk” – what specifically are we talking about there?
A: Third parties are vendors to whom you outsource certain business functions; payroll and credit card processing are two common examples. They often have access to sensitive data or systems. A survey by the Ponemon Institute found that more than 41 percent of surveyed companies sustained a data breach caused by a third party. You are ultimately responsible for ensuring compliance. We recommend drafting a contract clearly stipulating that the responsible party retains liability for incidents where they are culpable. Insurance solutions exist if the vendor will not take responsibility, but in most cases a merchant must front the direct and indirect expenses, including the possible loss of business.
Q: You have talked about establishing a risk profile by detecting internal and external vulnerabilities and identifying what is at risk. And you have touched on protecting systems, assets and data with structure, internal controls and monitoring. What role does insurance play?
A: Even with well-documented and tested procedures and a team of highly trained users, a company may fall victim to cybercrime. Most traditional commercial general liability (CGL) policies will not cover business interruption losses due to a cyber event. Financial, legal and reputational damage can be limited by the coverage of a cyber liability insurance policy.
Cyber liability insurance is complex and continues to evolve in the marketplace. Understanding what cyber risks are most relevant to the company is absolutely essential to the process of securing the best coverage possible. The insurance must address two critical risks: first, the liability risk to your business if sensitive client or employee information is compromised and second, the substantial cost of notifying clients that their information has been compromised, which includes credit monitoring, fines, legal fees and forensics.
Cyber liability coverage helps protect your business from the following events:
- Data breaches, including costs for customer notification, some legal costs and credit monitoring for those affected.
- Damages to third-party systems, if, for example, an infected email from your servers crashes the system of a customer or vendor.
- Data or code loss due to a natural disaster or malicious activity. Physical destruction of equipment is covered under a different policy.
Cyber extortion, including ransomware, which is malicious code installed into a computer on your network that prevents you from accessing it until a ransom is paid.
Q: Can you provide an actual case to illustrate how cyber liability insurance responded to a real estate company breach?
A: A real estate company discovered malicious software had been uploaded to its servers by an unidentified third party, which resulted in corrupted files. Files containing personal information, including credit card information, had been accessed. Subsequent to the data breach, fraudulent charges were made on various credit cards in multiple countries. Lawyers advised the company to notify all affected individuals. As a result of the fraudulent credit card transactions, the company offered affected individuals credit monitoring services. These expenses were covered under the Customer Support and Reputational Expenses section of the insurance policy.
The company also wanted to manage reputational repercussions due to the breach and employed a public relations expert. The fees for the public relations consultant were covered under Crisis Management Costs. The breach resulted in IT forensic investigation fees of approximately $250,000. Other expenses covered by the insurance policy included the cost of identifying and notifying affected individuals and setting up and staffing a call center to respond to inquiries. Additionally, $150,000 was paid in legal fees to determine reporting requirements and respond to regulatory authorities. Approximately $29,000 was spent on data restoration costs and remediation of IT vulnerabilities, and business income loss of $250,000 was paid. Total expenses covered $675,000.
Q: Could you give a short summary of our discussion today?
A: No business is immune from cyber risk, and the responsibility for managing the risk of a cyber event cannot be assigned solely to your IT department. Cyber risk must be both managed with internal systems and mitigated by risk transfer (insurance). It is now a best practice at the management level. Being unprotected and unprepared for potential cyber events is no longer an option; all stakeholders expect it and depend on it being in place.
Damian Caracciolo is Vice President of CBIZ Insurance Services Executive Protection Practice and Cyber Protection Lead. He can be reached at (443) 472-8096 or firstname.lastname@example.org. You may want to check out some real-life examples that further illustrate the points discussed in this interview.