October 2017   Volume 43, Number 10      


Commercial Real Estate Becoming More Vulnerable to Cyberattack

At one time, commercial real estate firms were considered less at-risk for cyberattacks, because compared to financial services, healthcare and retail firms, they did not maintain as much personal and intellectual property information. As a result, CRE players have been slow to invest in cybersecurity and insurance for cyber risks.

It also means that some CRE companies now have outdated insurance overages, such as crime policies, that do not include provisions for cyber risk exposures like fraudulently induced money transfers.

A new report from KPMG has revealed that one-third of real estate firms have experienced a cybersecurity event themselves or at one or more of their properties in the last two years. However, this number is likely higher since half of respondents also reported they were not adequately prepared to prevent an attack nor would they know if they were infiltrated.

CRE firms have become attractive targets to cybercriminals because they have access to both data and money. Data — such as personal information, blueprints, building technology and financial information — can be sold or used for future exploits. Money can be skimmed from vendor and tenant accounts or credit cards. Ransomware also allows criminals to extort companies directly.

Last year, an Austrian hotel was forced to pay a hefty ransom after its computers were hacked. In August, property management firm BNP Paribas Real Estate reported a ransomware attack that took down most of its global systems.

Cyber Insurance Coverages

While first-party cyber insurance typically covers lost business income, extra expenses, forensics and notification costs associated with investigating and resolving a breach, companies also need to invest in additional coverage. Third-party liability cyber insurance covers expenses related to regulatory investigations and when customers and others seek personal damages subsequent to a security breach.

For covering other losses, such as stolen money, CRE companies also must revise their traditional insurance policies, particularly crime coverage. Most crime coverage now includes endorsements to cover loss caused by social engineering, where cybercriminals manipulate a firm’s employees to share confidential information that can be used to steal money.

Another risk CRE firms face is intellectual property loss and liability incurred through third parties. Many CRE firms rely on vendors to host web applications, organize customer data or facilitate financial transactions.

In one case, cyber criminals gained access to Medidata’s computers through one of its vendors. Medidata’s employees were tricked into wiring funds offshore through realistically fabricated emails from the company’s president. Fortunately, a federal court in New York ruled that the firm’s crime policy covered the $4.8 million loss because the policy was worded in such a way that included the third party vendor as an insured.

As in Medidata’s situation, CRE insurance companies need to be sure their cyber liability is tailored to fit the risks they face.

It is only a matter of time before many more CRE companies face an attack against critical business programs that could result in significant financial loss for the company. With the appropriate insurance policies in place, CRE firms can minimize the damage associated with such attacks.

[return to top]





In this issue:

Commercial Real Estate Becoming More Vulnerable to Cyberattack

8 States With the Largest Housing Bubbles

20 ZIP Codes with the Highest Real Estate Returns

Banks Tightening Lending Standards for Commercial Real Estate in Q2

Facebook Launches Dynamic Ads for Real Estate

Nextdoor App Rolls Out Real Estate Listings

Robot Real Estate Agents to Sell Homes

U.S. Home Sales to Foreigners Surge by 49 Percent

What Real Estate Agents Need to Know About Zero-down Loans

Four Costs Homebuyers Often Forget to Factor Into Their Budgets


The information presented and conclusions within are based upon our best judgment and analysis. It is not guaranteed information and does not necessarily reflect all available data. Web addresses are current at time of publication but subject to change. SmartsPro Marketing and The Insurance 411 do not engage in the solicitation, sale or management of securities or investments, nor does it make any recommendations on securities or investments. This material may not be quoted or reproduced in any form without publisher's permission. All rights reserved. ©2017 The Insurance 411. Tel. 877-762-7877. theinsurance411.com