How REITs are Responding to Cybersecurity Threats

As the nature of cybersecurity threats continues to change, REITs are embracing a variety of internal and external measures to ensure they adapt and stay ahead of the curve.

REIT magazine: March/April 2020

Cyberthreats pose significant and escalating risks for all industries, including REITs and their customers. As the nature of these threats continues to change, REITs are embracing a variety of internal and external measures to ensure they adapt and stay ahead of the curve.

“Cybersecurity incidents have become a normal part of doing business in our digitally connected world. Although these incidents can be alarming and costly, the reality is most consumers and corporations accept the risks, given the numerous benefits technology brings about,” Lukas Hartwich, a senior analyst at Green Street Advisors, says.

Most publicly traded companies, including REITs, discuss cyberthreats among the risk factors listed in their annual reports.

In its most recent report on risk factors confronting the 100 largest publicly traded REITs, professional services firm BDO USA LLP found that 92% identified cybersecurity as a concern in their annual reports, up from 63% in 2014, and 25% in 2012. The report indicated that all retail and health care REITs among the 100 largest REITs mentioned cybersecurity as a risk in their annual reports, with 96% of office REITs, 93% of hospitality REITs, and 92% of multifamily REITs also citing cybersecurity risks.

“There is an awareness of the importance of dealing with cybersecurity, and that’s a good part of the battle,” says Mike Stiglianese, managing director of technology and cybersecurity at BDO.

Research released by cybersecurity company Kaspersky found the financial harm of an enterprise-level data breach totaled $1.41 million in 2019, up from $1.23 million in 2018. To combat cyberthreats, enterprise organizations spent an average of $18.9 million last year, compared with $8.9 million in 2018, Kaspersky said.

Ransomware Threats Loom Large

As office REIT Kilroy Realty Corp. (NYSE: KRC) explained in its 2018 annual report, the risk of a security breach or disruption, particularly through cyberattacks carried out by hackers, cyberterrorists, foreign governments, and others, has “generally increased as the number, intensity, and sophistication of attempted attacks and intrusions from around the world have increased.”

Michelle Ngo, senior vice president and treasurer of Kilroy Realty, names ransomware [a type of malicious software, or malware, that blocks access to data or a computer system until the victim pays a ransom] as one of the biggest cybersecurity threats for the office REIT. In fact, cybersecurity experts say ransomware ranks as a key cyberthreat for the entire REIT sector.

Across all types of businesses, ransomware attacks around the world are on the rise. From the second quarter of 2018 to the second quarter of 2019, the number of ransomware detections reported by businesses surged 365%, according to a report from Malwarebytes Corp., a provider of cybersecurity software. The U.S. accounted for 53% of ransomware detections from June 2018 through June 2019, the report shows.

In December 2019, data center REIT CyrusOne Inc. (Nasdaq: CONE) reported a ransomware incident in its managed service division. Tom Berry, director, capital markets & investor relations, at CyrusOne, said the incident remains an ongoing investigation, but upon its discovery, CyrusOne initiated its response and continuity protocols to determine what occurred, restore systems, and notify the appropriate legal authorities. Berry noted that the entire managed services business is less than 2% of CyrusOne revenue, and the incident impacted only six customers, all of which are operational now.

Green Street says they believe this to be the first reported attack on a data center REIT. The firm notes that although data centers face more cyberthreats than other sectors in commercial real estate—given that more data lives within the facility, so there is a greater incentive and opportunity to “hack” the center—threats endanger companies in any industry.

Phishing’s Broad Target

Another major cyberthreat for REITs: phishing emails. These phony but often authentic-looking emails seek to trick recipients into supplying sensitive data, such as login credentials or bank account numbers, or to install malware on a computer.

BDO’s Stiglianese says phishing scams can be sophisticated. For instance, a hacker might gain access to a REIT’s email system and then, posing as a so-called “man in the middle,” send emails from a legitimate corporate address in the hope of stealing valuable internal data. If this type of scam succeeds, a hacker could wreak havoc, such as diverting money from a REIT’s bank account.

Sourav Ghosh, executive vice president of strategy & analytics at Host Hotels & Resorts, Inc. (NYSE: HST), describes phishing as the “most common and dangerous threat factor out there—partly because it’s difficult to block all the bad emails and partly because it plays with human emotions. The end user is really the weak link.”

Ghosh thinks phishing will remain a sizeable threat, in part because an array of people within an organization receive phishing emails, ranging from IT specialists to sales executives. So, an IT specialist might be on top of the latest phishing schemes, but the sales executive might be unaware of them. Therefore, phishing “can play on people’s emotions,” he says.

“Especially in organizations that are large, you have all kinds of people who are using a company’s systems. They are doing their day jobs and, on top of that, they have to remain vigilant,” Ghosh says.

One way Host tries to battle phishing is by installing software that incorporates machine learning to better filter incoming emails, Ghosh says. He acknowledges, though, that filtering software can’t fend off every phishing email.

Cyber fraudsters “always figure out a way to go around it, right? So, there’s always something that passes through the filters,” Ghosh says. “You could block 95% of [phishing emails], but even if 5% go through, you just need one user to click on that email and somebody is going to [infiltrate] your system.”

To supplement anti-phishing software, Host Hotels consistently informs and trains its roughly 180 employees about ongoing cyberthreats, Ghosh says. “It’s not like an annual thing or just a quarterly thing,” he says. “It is much more on a regular basis that we are providing awareness and training to our employees.”

Without regular cybersecurity updates and training, employees might mistakenly believe phishing and other cyberthreats are no longer an issue, according to Ghosh.

“You’d be amazed how much people can help keep you secure when they’re aware of what to look for and how to react to things versus … just doing things ad hoc,” Stiglianese adds.

Help From Outside

Aside from technology and training, REITs rely on a myriad of other measures to beef up cybersecurity. For instance, outside specialists might be tapped to assess a REIT’s cybersecurity proficiency.

Through so-called “vulnerability and penetration” testing, a cybersecurity consultant pretends to invade a REIT’s IT network and then hunts for vulnerabilities. “Do you have all the [security] patches that you need? Are there ways that we can actually compromise your processes?” Stiglianese says.

In collaboration with its cybersecurity vendor, Kilroy Realty tracks all data activity through network firewalls and is “very vigilant in investigating any cyberthreat triggers,” Ngo says. “Given that cyberthreats are pervasive across all industries and no one is immune, we take potential cyberthreats very seriously.”

Yet for all the firewalls that REITs put in place to monitor IT traffic and stop unwanted traffic, they still must contend with what cybersecurity adviser Dennis Van Ham, managing director of professional services firm KPMG US LLP, calls the “human firewall.”

No technology can entirely overcome the psychological element of technology, he says. For instance, an employee might be tempted to click on a link they believe is an urgent email from a colleague. However, that seemingly innocent click could wind up infecting the REIT’s IT system with ransomware.

Risks From Third Parties

Shoring up a REIT’s cybersecurity infrastructure extends beyond employees and other insiders, though. Outside stakeholders, like customers and third-party vendors, also must be looped in. Despite their own firewalls, password protections, penetration testing, and other initiatives, REITs can’t control the cybersecurity efforts of their customers and third-party vendors, meaning a REIT could be susceptible to a cyber incident originating outside its purview.

Susan Lilly Gerock, vice president, information technology and chief information officer at WashREIT (NYSE: WRE), notes that while WashREIT’s internal cyber security posture remains paramount, in recent years the REIT has focused on its third-party relationships as its biggest risk area. “We not only perform a thorough cyber review at contract signing, but we also hold annual cyber reviews with key vendors to ensure they are constantly evolving their cyber strategies,” she says.

Ghosh says what worries him most are unknown cyberthreats, including ones that could be spread by third-party vendors, such as providers of payroll and HR software. “My concern always is, who is one step ahead of those vendors providing those services?” he says.

Despite the array of ever-present dangers, Kilroy Realty isn’t daunted by cyberthreats, as “we’re up to speed on security measures and up to date on best practices,” Ngo says. “We’re confident in our processes.”

As part of its cybersecurity process, Host Hotels strives to eliminate what Ghosh refers to as a “technical debt.” Central to that undertaking is installing security patches in a timely manner. Now, the REIT installs security patches on a monthly basis as opposed to the previous quarterly schedule, he says. “Prevention is better than the cure,” he says.

WashREIT, meanwhile, uses a cloud-based tool to see what the world sees from the REIT’s cybersecurity footprint, Gerock explains. The tool passively monitors the company’s security behaviors and scores the information, much like a credit score, Gerock explains. “This helps us improve our security posture as well as perform due diligence on third parties with whom we have or are considering a business relationship.”

WashREIT is also in the second year of performing self-scoring against the National Institute of Standards and Technology (NIST) Cybersecurity Framework. Gerock says the detailed evaluation enables the company to set cyber priorities on an annual basis and measure improvements over time.

Not Just an IT Risk

While Host Hotels has not been directly affected by a cyberattack, the lack of such incidents and the presence of cybersecurity protocols should never give way to complacency, Ghosh emphasizes.

“This is ultimately a game of continuous improvements,” KPMG’s Van Ham says, “and it has to be that way because of the fast-changing environment.” He notes that more and more cybersecurity improvements involve cloud solutions run by outside vendors. Such technology enables REITs to reduce complexity and boost flexibility, he says, allowing a focus on managing a vendor relationship rather than on managing cybersecurity tools.

Whatever approach a REIT takes to data protection, it must view cybersecurity as a business risk and not just a technology risk, Van Ham says. “Don’t make this an IT thing,” he says. “Make sure that you balance the [cybersecurity] measures with your [broader business] risks.”