6 Ways REITs Can Mitigate Cyber Risks

As real estate investment trusts rapidly embrace digital transformation to improve tenant engagement, streamline financial operations and strengthen property management, they can unlock valuable opportunities. According to Morgan Stanley Research, artificial intelligence innovations could lead to $34 billion in efficiency gains for the real estate industry by 2030.

However, new and evolving technologies also expose REITs to an increasingly complex cyber risk landscape. Cyberattacks targeting AI systems or manipulating data inputs can amplify the impact of security breaches, posing threats to operational and financial stability.

IBM’s Cost of a Data Breach Report 2025 found that the global average cost of a data breach is $4.44 million, with 97 percent of organizations experiencing AI‑related security incidents and lacking adequate AI access controls. Below are six actionable steps commercial real estate professionals can take to balance innovation with cybersecurity in this evolving environment.

Property management systems, tenant portals, leasing platforms and financial reporting tools are increasingly interconnected and reliant on cloud-based technologies. While these innovations can enhance operational efficiency and tenant experience, they can also create multiple attack surfaces for cybercriminals.

To safeguard your organization’s assets and operations, it is important to adopt a proactive, multilayered approach to cybersecurity. Below are key strategies that can help you build resilience against cyber threats:

1. Implement cyber-specific risk management

Cyber risk management should be integrated into your overall enterprise risk management framework. Best practices include conducting regular cyber risk assessments tailored to your unique operational and technological environment. Mapping critical assets, understanding threat vectors and quantifying potential impacts can also allow for more informed decision-making and resource allocation.

2. Train employees effectively

Human error remains a significant cause of cyber incidents. Regular, mandatory cybersecurity training for all employees—from executives to frontline staff—is essential. Training should cover recognizing phishing attempts, safe handling of sensitive data, password hygiene and incident reporting protocols. Cultivating a security-conscious culture can reduce the likelihood of breaches caused by negligence or social engineering.

3. Develop and test incident response plans

Despite best efforts, no organization is immune to cyber incidents. REITs should develop detailed incident response plans that outline roles, communication protocols and recovery procedures in the event of an incident. Conducting tabletop exercises and simulations can help prepare staff for their roles and responsibilities and minimize downtime in the event of an attack.

4. Secure tenant and vendor ecosystems

REITs often rely on third-party vendors for property management, maintenance and IT services. It is critical to assess the cybersecurity posture of these collaborators and include security requirements in contracts. Additionally, tenant-facing platforms should be designed with security in mind, protecting personal and payment information through encryption and secure authentication methods.

5. Stay ahead of regulatory compliance

Remaining attentive to changing data privacy and cybersecurity regulations is vital. Your organization may consider engaging legal and compliance experts to verify that policies and practices meet current requirements. Transparent reporting and documentation can also enhance stakeholder trust.

6. Prioritize industry collaboration

Sharing threat intelligence and best practices with peers, industry groups and government agencies can enhance collective defense. Transparency about cyber risk management efforts can build confidence among investors and tenants alike.

Positioning REITs for growth in the digital era

REITs cannot choose between innovation and cybersecurity. Both are key ingredients for sustainable growth and long-term success.

By embedding cyber risk controls into enterprise risk management, training employees, securing tenant and vendor ecosystems, maintaining regulatory compliance and actively collaborating with industry experts, you can better protect your assets and operations. Ultimately, REITs that prioritize cybersecurity and foster a culture of resilience may be better positioned to capitalize on the opportunities ahead in the rapidly evolving real estate landscape.

Duncan C. Ellis is managing director and U.S. & Canada Real Estate and Hospitality Industry Practice leader at Marsh.