How Big is Cyber Risk to Commercial Real Estate?

In a $55 billion plus commercial real estate (CRE) market, there will always be plenty of cyber criminals lurking to take a tiny part of that value for themselves. Cyber risk has always been a consideration for commercial real estate owners and managers, and now that the industry is adopting new technologies like never before, the risk of cyber attack is increasing in tandem. Those risks are also more convoluted, and a lackadaisical approach to cyber security could be making it easier and more appealing for perpetrators to wreak havoc.


What Threats Do Cyber Security Incidents Cause for CRE?


There seems to be a general notion that cyber security breaches only present a problem for large corporates, usually financial and government organizations who are hacked by those more deserving somehow; a good example of the ‘Robin Hood’ effect perhaps or simple apathy because those organizations can ‘afford’ to lose it and in any case, shouldn’t they have measures in place to mitigate this sort of thing?


The fact is that attacks are getting ever more sophisticated and the opportunity for attacks is widening, particularly since the evolution of smart buildings in CRE, and it’s a growing problem to manage.


BOMA Canada illustrates this perfectly here as we can see the increased number of ‘touchpoints’ that can potentially be infiltrated within the smart building.





In 2021, the Americas saw a 34% increase in cyber attacks and this is likely to rise again during 2022. This is not just a government issue: cyber crime has far-reaching implications, and the financial impact on society as a whole runs into billions of dollars each year - costs which are inevitably passed on to consumers in some form.


Malicious cyber attacks can impact CRE in several ways; in the worst-case scenario, some of them may even endanger human life:


  • Damage to reputation if data is compromised or products and services cannot be delivered;

  • Legal action and related costs, even bankruptcy;

  • Costs to resolve a data breach - time, labor, IT and systems equipment, customer loss and regulatory fines;

  • Dealing with the implications of being held liable for misuse or breaches of data;

  • Breach of data systems at corporate offices or retail outlets, opening up tenants’ and clients’ personal information for misuse;

  • The breach of building systems that control heating, ventilation, water and air quality can impact the safety of a building’s inhabitants and therefore pose a risk to life.





What are the Different Types of Cyber Risk?


One of the biggest threats to all businesses in 2022, including commercial real estate, is ransomware. Whilst cyber attacks increased an overall 34% in 2021, when it comes to ransomware specifically, attacks on organizations increased by 93% in the first half of 2021.


Last year, the head of the UK’s National Cyber Security Centre, Lindy Cameron, voiced concern around many cybersecurity threats, but ransomware was notably the “most immediate danger…” and many businesses are vulnerable given the lack of cyber defenses in place and indifference to implementing incident response plans.


Ransomware attacks result in real-world impact as they attempt to steal and encrypt an organization's data, holding it hostage until ransom payments are made; demands are often for payments in the millions with no guarantee of ever retrieving sensitive data. In the CRE world, this is a huge concern, particularly as the industry digitizes and adopts new ways of doing business. Transactions are high value and rely on multiple stakeholders, their data systems and an enormous amount of personal data which makes the industry a lucrative target for cyber criminals.


The other types of cyber threat to CRE businesses are varied and include:


  • Business email compromise, where employees are tricked into wiring funds to a fraudulent third party;

  • Title fraud - hackers may be able to steal data from unprotected real estate businesses or commercial property owners themselves which allows them to take on false identities and transact on their behalf;

  • Wire scams attempt to divert monies from the intended destination, lawyers’ accounts for instance, and instead funnel them straight into the hackers’ accounts;

  • Malware and data breaches can occur through insufficient network and server infrastructure protection. Measures need to be taken to secure equipment and build resilience and testing into processes to keep systems secure. Employees may also inadvertently cause a data breach, but this can be avoided with adequate training processes.


CRE Cyber Risks Growing in Volume and Complexity


Unfortunately, many CRE companies are simply unaware of the cyber risk to their business as they relinquish old ways of working and adopt new technologies. Historically, their systems may have been proprietary in nature, but as they transition to cloud technologies and solutions that are more uniform, the risk of exploitation heightens. Furthermore, many will probably lack the internal skill sets to deal with the enhanced and evolving nature of the threat.


Mitigating the risks of cyber crime requires CRE to understand the risks in their business, be prepared, track and monitor activity and have a plan to recover from any incident successfully. New and evolving skills are needed within the industry to meet the growing threat posed by cyber attacks and protect buildings, businesses and individuals from the misuse of a huge amount of private information.


Globally, there is a movement to have more control over the way organizations use and store personal data, and as these voices get louder, regulators are constantly adding requirements for businesses to comply with stringent privacy law, including the safeguarding of data. CRE clients will want to do business with those that can demonstrate commitment to this area, and the industry must build cyber-resilience into its core offering.


Whilst it’s an exciting time for CRE, building owners and operators who embrace the efficiencies of modern technologies, there’s little room for complacency and the threat of cyber-related incidents should not be underestimated.


