Information Security in the Real Estate Environment

On June 19, 2019, the EisnerAmper Real Estate Services Group held a cybersecurity forum at the Iselin, NJ, office addressing the importance of cybersecurity for the real estate sector. The expert panel, moderated by Steven R. Ebert, partner at Barton LLP, included Zach Aliberti, Director, Urban Property Management, LLC, & Urban Property Developers, LLC; Kenneth N. Rashbaum, Partner, Barton LLP; and Marc D. Schein, National Co-Chair Cyber Center of Excellence, Marsh & McLennan Agency LLC.

With increasing threats to businesses related to the loss of tenant, purchaser and employee information, cybersecurity is an important area that the real estate sector should proactively address. As the industry increasingly utilizes technology—such as third-party, cloud-based applications and storage—there is an increased incentive to protect information while staying competitive with technology. The panel commented on federal and local policy developments, risk assessment, property management concerns, and protection through cyber insurance.

Businesses often view an investment in cybersecurity as an added expense, but it can also provide a competitive advantage. With the media highlighting breaches on a seemingly daily basis, tenants are looking to see that their information is protected. Schein noted that cybersecurity insurance policies can be tailored to clients’ needs and, with proper controls in place, can be affordable. Preventative measures can help a business avoid potential business reputation loss and costly legal proceedings that can be incurred when dealing with a cyber-attack.

Some of the forum’s key takeaways included:

• Importance of a Data Map – Data mapping allows businesses to understand what information is being stored, where it is being stored, who has access, and how it is being protected. This exercise allows you to reduce risks and improve where needed.
• Don’t Forget to Look Outside of Your Own Company – Partners, such as vendors, should be evaluated for what protections they have set for the data that is being shared. EisnerAmper recommends requesting a copy of the Service Organization and Controls Report (SOC) from vendors and software providers. This report provides details as to whether controls are effective and if there are any areas of concern.
• Internal Guidance and Protocols – Employee training and proper policy- and risk-assessment practices are valuable. With the use of document storage on computer drives and mobile devices, it is important to set policies for employees to follow regarding document security.  
• Avoid Overstoring Data – The more data that is stored, the higher the probability that said data can be compromised. Storing information in excess of regulations or required for a business purpose creates unnecessary risk.
• Compliance – It is important to be aware of and compliant with governing regulations. With technology changing constantly, there is an increasing need for regulations and guidance from government agencies. Zach noted that with additional government regulations, it might be easier to garner support from investors to finance cybersecurity measures that are required by law, rather than just as a prudent practice.

Businesses often fail to take action related to cybersecurity until after an incident has occurred. Real estate in 2018 was the second largest sector targeted for cyber-attacks. The panel’s recommendations and comments allowed attendees to consider various planning opportunities to protect their businesses and create a plan to defend against cyber risk.