Commercial Real Estate Cybersecurity Governance and Best Practices

Commercial real estate (CRE) companies are increasingly recognizing the critical importance of robust cybersecurity governance and best practices. As the industry embraces digital transformation and smart building technologies, the cybersecurity landscape has become more complex and fraught with risks. This article explores key aspects of cybersecurity governance and best practices for the commercial real estate sector.

The Growing Importance of CRE Cybersecurity

The commercial real estate industry has traditionally considered itself less vulnerable to cyberattacks compared to sectors like retail or financial services. However, this perception is rapidly changing as CRE firms implement technology-driven innovations for smart buildings, including IoT devices and AI data analysis. These advancements, while beneficial, also introduce new vulnerabilities that cybercriminals can exploit.

CRE Cybersecurity Governance Framework

Effective CRE cybersecurity governance requires a comprehensive approach that addresses several fundamental questions:

  1. What protections are being implemented for cybersecurity?
  2. Are these cybersecurity protections sufficient?
  3. How can you verify protection sufficiency and performance?

Understanding Current Practices

CRE organizations must first fully understand their current cybersecurity program and governance model. This involves:

  • Identifying what client and property data is being collected and how
  • Ensuring only necessary data is stored
  • Understanding regulatory compliance obligations across multiple jurisdictions

Assessing Adequacy

Continuous risk evaluation is crucial. CRE firms should:

  • Understand specific cyber risks unique to real estate transactions and building operations
  • Ensure compliance with relevant data protection regulations
  • Implement robust security measures for property management systems and smart building technologies
  • Develop comprehensive backup, recovery, and business continuity plans

Monitoring and Validation

To ensure preparedness, CRE companies should:

  • Implement appropriate monitoring and active protection systems to detect cyber breaches across networks, including remote properties and IoT devices, and to block unauthorized communication to building controls
  • Engage third-party validation of cybersecurity controls
  • Develop incident response plans and recovery processes

 

Best Practices for CRE Cybersecurity

1. Comprehensive Asset Inventory

The first step in devising a CRE cybersecurity policy is compiling an inventory of all building systems to create an asset register. This enables property managers to understand all technologies and hardware in a property and their potential exposure to external threats.

2. Secure Communication Channels

Implement encrypted email systems, transaction management platforms, or secure document-sharing programs to protect sensitive information during real estate transactions. Additionally, encrypt communication between building control devices and implement Zero Trust authentication so that only authorized devices can communicate on the building control network.

3. Access Control and Authentication

Employ strong access control measures, including:

  • Multi-factor authentication (MFA)
  • Long, complex passwords
  • Regular password changes
  • Principle of least privilege access

4. Employee Training and Awareness

Regularly train staff on cybersecurity best practices, including:

  • Recognizing phishing attempts
  • Proper handling of sensitive data
  • Safe use of public Wi-Fi networks

5. Data Encryption and Protection

Implement data encryption for sensitive information, both in transit and at rest. This is particularly crucial for protecting client information, transaction details, and building operations.

6. Regular Security Audits and Updates

Conduct regular security audits of all systems and keep software, operating systems, and security tools up to date with the latest patches.

7. Incident Response Planning

Develop and regularly test an incident response plan to ensure quick and effective action in the event of a cybersecurity breach.

8. Third-Party Risk Management

Carefully vet and monitor third-party vendors and service providers who have access to your systems or data.

9. Compliance with Regulations

Stay informed about and compliant with relevant cybersecurity regulations, such as the Cybersecurity Incident Reporting for Critical Infrastructures Act of 2022 and the SEC’s proposed rules for Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure.

10. Cyber Insurance

Consider obtaining cyber insurance to reduce financial risk exposure associated with potential cyberattacks.

Conclusion

As commercial real estate companies continue to innovate and adopt new technologies, the importance of robust cybersecurity governance and best practices cannot be overstated. By implementing a comprehensive cybersecurity framework and following industry best practices, CRE firms can protect their assets, maintain client trust, and ensure compliance with evolving regulations. In today’s digital landscape, cybersecurity is not just an IT issue but a fundamental aspect of risk management and business strategy in the commercial real estate sector.

 
