“Cybersecurity has always been a never-ending race, but the rate of change is accelerating,” says McKinsey & Company in a recent study of cybersecurity trends and their implications for organizations.
The report indicates that the rate of cyberattacks is rising with market indicators reflecting a fear of further increases. As a result, cyber security projections include $101.5 billion in service provider spending by 2025, a 15 percent annual increase in cybercrime-related costs, and a 21 percent forecast of compound annual growth for direct cyber insurance premiums until 2025.
Those involved in commercial real estate finance have come to not only understand the critical importance of protecting data and preventing breaches but also the complexity and cost associated with keeping ahead with cyber security measures. Notably, the industry was late to embrace technology but has experienced increased adoption of automation-based technologies over the past several years, with advancement accelerating even more rapidly during the pandemic. As a result, three current security-related trends identified by McKinsey directly impact the commercial real estate finance sector (just as they do other businesses) and must be addressed to ensure borrower data is protected.
The first trend is the growing on-demand access to ubiquitous data and information platforms. The second is the increased use by attackers of sophisticated tools like artificial intelligence, machine learning and automation to launch advanced offensives. The third trend is the ever-growing regulatory landscape and the gaps in resources, knowledge and talent that are outpacing cybersecurity. All three increase the likelihood of a breach and make cybersecurity crucial.
To overcome the likelihood of attack or breach, agencies Fannie Mae and Freddie Mac have begun to address lending security concerns in a multitude of ways. Their key areas of focus today include data control, compliance management, SOC-2 compliance, appraisal processes, apps, and more. Because the agencies partner with third-party lenders to facilitate multifamily and commercial real estate loan transactions, these lender partners are required to meet all agency cybersecurity mandates. While agency lender partners obviously understand the necessity of heightened security measures, the audits and infrastructure associated with them can be costly, from both manpower and monetary standpoints. Non-agency lenders face similar cybersecurity challenges, however must drive enhancements and protections of their own volition.
What’s a CRE Lender To Do?
Some commercial real estate lenders have architected and built their own technology platforms to power and enable speed and efficiency throughout their loan application and servicing processes. In many instances, however, lenders also engage third-party vendors who provide and integrate specific portions of their end-to-end systems, simply because certain off-the-shelf applications are better designed, more cost effective, or both. This, however, puts the onus on the lender to ensure all vendors, and the technologies they are providing are also compliant with any security mandates. Vendor management, no matter how important to overall security, can easily turn into an administrative challenge.
While well-intentioned, expanded security measures can also be invasive, such as in the case of SOC 2 compliance. Developed by the American Institute of CPAs, SOC 2 is an auditing procedure that ensures your service providers securely manage your data to protect the interests of your organization and the privacy of its clients. SOC 2 defines criteria for managing customer data based on five “trust service principles”—security, availability, processing integrity, confidentiality, and privacy. SOC 2 certification is issued by outside auditors and the process is costly, with peace-of-mind being the primary return on investment to the lender and agency.
Appraisals are also a key area of concern, as data for rent rolls and other critical information is pulled during the appraisals process. Just like lending data, this data too must be secured with similar controls, as a borrower’s data is ultimately only as secure as its weakest link.
Whether vendor management, SOC 2 compliance, or other security measures, costs run high. Well established lenders, therefore, are arguably better able to absorb them than newer players who may find them too cost prohibitive to bear. Either way, the answer to a lot of the issues surrounding the meeting of heightened security requirements is automation.
Automation must be thoroughly tested. Therefore, it should bring both controls and efficiencies into the lending process. Alternatively, a manual environment without controls is ripe for both mistakes and inconsistencies. Automation also provides a means for reporting and monitoring, enabling easier interaction with auditors and an ability to walk them through systems, processes and controls, making the auditing process quicker and less costly. If a lender is able to leverage automation within security systems to not only detect and notify the lender of a security breach, but ultimately to remediate it, customer data is even better protected.
All of this matters immensely to borrowers, whether they recognize it or not. The more savvy a commercial real estate lender is in terms of security, the more peace-of-mind given to a borrower, whose private data on real estate holdings, guarantors, property, appraisals, loan transactions and more is protected. Besides, a secure lender has more time to focus on its core business of servicing its customers and its loans.
Matthew Stoehr is chief technology officer of Sabal Capital Partners, LLC, a wholly-owned subsidiary of Regions Bank.