The CDO Stack: Cyber Risk in Real Estate

Strategies for identifying and managing this growing threat.

It’s a big topic that, according to a recent Deloitte survey, is on the minds of our real estate clients across the globe. We asked 450 CFOs what might have the biggest negative impact on their financial performance in 2023, and cyber risk tied with workforce dynamics and sustained high inflation as the threats or challenges that they’re most worried about. The results made me wonder why cyber risk ranked so high, and I think the answer is twofold.

John D'Angelo

First, high-profile examples of cyber crimes have been plentiful in the news recently, so it’s no surprise that threats have intensified. Second, I believe the steps required to identify, monitor, manage and mitigate cyber risks are inadequately understood in the commercial real estate industry. Put simply, the bad guys are probably far ahead of us, we seem to know that, and there’s general concern that the gap will cost us financially.

Not to give you more to worry about, but in the cause of building awareness, let’s look at some of the forms that cyber crimes can take in the real estate industry.

With buildings becoming more connected and smarter, the number of data streams, systems and devices within a building has risen dramatically. All that data and all those different systems represent cyber-crime opportunities that range from mischief to deadly threats.

One recent example involves an office building that had to be evacuated as cyber criminals accessed a building management system and raised the temperature to triple digits. While not life-threatening, it’s a good example of what can happen if the building management system or individual building systems are compromised. A friend who leads asset management at a big real estate investor confided in me that one of her nightmares is getting a call that a cyber-criminal has control of an elevator car with people in it being held for ransom. A nightmare indeed.

Taking action

Theft and ransomware have long been cyber threats to the industry. With criminals becoming increasingly organized and sophisticated, and the volume and dollar amount of transactions in the industry being high, it’s not surprising that attacks are on the rise. Particularly for those sectors in which personally identifiable consumer information is stored, understanding data sensitivities and vulnerabilities is important. And there are internal threats to consider. Understanding what digital information is leaving an organization, with whom, and for what purpose are all topics that should be addressed if they haven’t already been.

Regardless of the type of threat, it’s important to have at least a broad understanding of the nature and potential implications of cyber threats. Whether through a single leader or distributed team, your level of expertise, plans, and activities should match the threats specific to your organization and adapt to them.

It’s also important to understand that cyber risk isn’t static. I’ve written a great deal about the form and substance that digital transformation is taking in the industry. While digital transformation is great, it introduces changes in exposure that need to be addressed in lockstep with the transformation.

Regardless of your organization’s size, complexity and level of cyber maturity, following the 4 A’s—assure, advise, anticipate, and accelerate—will help you get on track and stay there. “Assure” requires taking the steps required to validate the effectiveness of your cyber program. “Advise” means key stakeholders collaborating, understanding, and prioritizing cyber risks and activities based on the unique circumstances of your organization. “Anticipate” refers to taking the actions required to evolve your cyber program as your company and its technologies change. And “accelerate” calls for raising organizational awareness of cyber threats and ensuring you’re prepared to act when weaknesses or threats are discovered.

If you’re not sure where your organization stands, ask internal audit, IT leadership, and your information security leaders about these key issues:

  • what risks are unique to your organization,
  • how you know when digital information leaves the organization,
  • what controls are in place to monitor your information supply chain (including external vendors and suppliers), and
  • what plans are in place for incident response and communication.

If you’re already asking these questions and are happy with the answers, congratulations! You’re at the front of the pack.


John D’Angelo is a managing director with Deloitte and is the Firm’s real estate solutions leader, designing solutions to address client challenges and push the industry forward. With over 30 years of experience as a management consultant to the global real estate industry, John has helped some of the biggest names in real estate leverage technology and use data to optimize and transform their operations.
