Citrin Cooperman’s Real Estate Industry Practice’s leader, Mark Mindick (MM), sits down with the Cybersecurity Practice’s partner, Kevin Ricci (KR), to discuss potential threats to real estate companies and how to avoid them.

MM: Kevin, can you provide some examples of the impact a cyberattack could have on a real estate company?

KR: When compared to such industries as banking or healthcare, real estate has relatively fewer regulatory burdens when it comes to data privacy or security.

While not being forced to adopt strict information security requirements such as those found in HIPAA or GLBA may appear to be an advantage, it does leave the industry without a well-defined security path to follow.

I suspect that this may be a contributing reason why the industry may be at an elevated risk when it comes to falling prey to cybercriminals, and the growing number of incidents may lend credibility to this theory.

Recent examples of cyber incidents wreaking havoc in the real estate industry range from relatively minor leaks of information to situations with catastrophic repercussions. By injecting malicious code into a cloud video hosting service, more than a hundred real estate websites operated by Sotheby's Realty were infected with skimming malware, allowing viewers’ personal information to be compromised.

Another example involved thousands of New York residents living in buildings run by Douglas Elliman Property Management who were notified that their personal information may have been compromised during a security incident affecting the management company.

The most significant real estate related data incident occurred to Fortune 500 real estate insurance giant First American, a leading provider of title insurance and settlement services to the real estate and mortgage industries. A bug in the company’s website resulted in the possible exposure of over 800 million sensitive records.

The bottom line: the real estate sector is just as susceptible to cyber risks as any other sector, and precautions need to be taken to stay safe and secure.

MM: What are some best practices that will help a real estate business avoid becoming the next victim of a cyberattack?

KR: While there is no silver bullet in the war against cybersecurity threats, there is something I call the silver buckshot.

Here are three best practices to help reduce some of the risks that threaten your business:

1. Stay on top of the onslaught of constantly evolving cyber threats. This can be daunting, as many businesses struggle with where to begin in their journey to becoming more secure.
   • One of the best ways to start getting your hands around the security needs of your business is to go through the process of a cyber risk assessment, as it not only identifies the areas of concern but also provides a strategic plan to address them.
   • Examples of risks that are often unearthed during the assessments we provide include the absence of two-factor authentication for email and remote computing, not keeping systems and applications updated with the latest patches and inferior password requirements that do not meet or exceed best practices.
2. Get your compliance house in order. If you have data that is governed by rules or regulations, make sure you are meeting all requirements. Always ask yourself:
   • If my business accepts credit card payments from my customers, have I met the necessary requirements of the payment card industry data security standards (PCI DSS)?
   • By doing this, you will be strengthening your security posture while showing your customers that you value their information, all while avoiding potential fines and penalties that accompany a credit card breach.
3. Institute a robust security awareness training program. As most attacks arrive via our inboxes, I recommend taking a “trust but verify” approach by supplementing the training with spear phishing simulations to ensure employees instinctually know how to detect and avoid spear phishing attacks.

Training and testing will help transform us, the human element, from the weakest link in the security chain to a virtual human firewall that will help keep our businesses safe and secure.

MM: What can real estate business owners do to proactively prepare their business so they can respond to and recover from a cyberattack?

KR: It could be argued that a data security incident, whether it happens via an accidental data breach or a direct cyber-attack, is less a matter of “if” and more a matter of “when”.

In the event there is an incident, having a response plan in place is critical to quickly respond to and recovering from a cyber-attack. Having a plan is significantly more valuable when it is rigorously tested on a regular basis. This is backed by a statistic from IBM’s cost of a data breach report, stating that the average cost of a breach is more than 2.6 million dollars less when a business has tested its plan.

In addition to planning for the worst, a company should also have a cyber insurance policy in place, as the cost of a breach or attack can be catastrophic.

Examples of the costs involved in an incident include:

• Fines and penalties
• Technology expenditures to replace compromised hardware and software
• Forensic and legal costs
• Downtime during the recovery process
• Reputational damage and brand degradation that accompanies a data breach headline

Another proactive step a business can take is finding and retaining a reliable cyber resource that can immediately respond when an incident occurs to stop the bleeding, restore operations, determine the cause, and reducing the chances of it ever happening again in the future. Preemptively locking in this resource is critical as every minute an incident isn’t contained, the fallout is going to be exponentially more devastating.

MM: Thank you, Kevin. Though a cybersecurity attack for any business, including real estate, is daunting, there are a lot of measures businesses can take to stay secure.

Citrin Cooperman can provide you with the resources and specialists you need in order to bolster your cybersecurity defenses against these growing threats. Speak to a member of our Cybersecurity Practice today or contact Kevin Ricci at kricci@citrincooperman.com.