For all too long, headline-grabbing data privacy breaches at Equifax, Anthem and Target reinforced a false notion that data security crimes are an epidemic confined to the largest and most visible companies. As brand-name firms hardened themselves to attack, investment managers presuming to “fly under the radar” of cybercriminals failed to bolster their defenses. Today they’re paying the price. Real estate investment managers have a target on their backs. They house valuable libraries of personally identifiable information (e.g., bank account, social security and tax ID numbers), and sit at the center of millions of dollars in daily transactions. Hackers seeking to exploit “weak” links in an increasingly connected financial ecosystem are targeting these firms with an escalating level of sophistication and aggression.
In 2018 alone, we have heard several first-hand accounts of successful cyberattacks targeted at real estate investment firms. Consider these actual examples:
- A capital call notice delivered insecurely to the investor was intercepted by a hacker who changed the bank wiring instructions.
- A senior executive lacking proper data security training responded to a phishing attack requesting the transfer of client funds.
- A malware attack exploiting a delayed software-patch implementation held a real estate manager’s servers hostage in exchange for ransom.
Getting Back to the Basics
In pursuing the transformative promise of “big data,” artificial intelligence, and machine learning, real estate managers have often diverted IT resources from the far less sexy imperative of organizing and securing data. Several managers still struggle to merely locate their sensitive investor data from within a complex web of Excel spreadsheets, physical documents and legacy software systems that each house pieces of information. Multiple surveys of investment managers reveal data security as a top concern. Still, many have yet to address it.
Investors are losing patience. One of a manager’s most important duties as a fiduciary is to safeguard not only investors’ capital but also their sensitive data. Improper data handling can be a disqualifying offense for even the best-performing and most established managers. In the CFA Institute’s 2018 survey of 829 institutional investors, data and confidentiality breaches leapfrogged to the #1 reason investors cited as grounds for leaving an investment manager—a higher concern than underperformance or fee increases. For their part, pension consultants are placing particular focus on codifying procedures for underwriting data practices as part of their manager diligence.
Regulators too are paying close attention, increasingly emphasizing manager accountability for data security. It’s no longer enough to produce a generic set of data security policies and procedures; regulators expect those policies to be appropriately tailored, implemented and followed. In a recent round of cybersecurity “sweeps” of 75 RIAs and broker-dealers, the SEC found that although most firms now maintain cybersecurity policies, “firms did not appear to adhere to or enforce policies and procedures, or the policies and procedures did not reflect the firms’ actual practices…” Additionally, certain firms fell behind on basic system maintenance—such as installing the latest software patches—to properly protect their clients’ sensitive records.
Covering Your Bases
When it comes to securing your data, there’s no margin for error. Consider these safeguards to help limit your risk:
Make Data Security the Responsibility of All Employees
It’s all too common for managers to assume data security starts and ends with the IT department. Company leaders often underestimate how much of their risk lies within their own organization. Hackers aim to exploit a lack of “cyber-cleverness” or mere carelessness among a firm’s own employees. To protect your data, ensure all employees attend regular cybersecurity trainings that focus on real-world threats, like how to detect and prevent phishing or malware attacks. As an added precaution, consider hiring outside consultants to simulate phishing attacks as part of ensuring employee readiness.
Bring IT to the Management Table
Gone are the days when your IT team was mainly an on-call resource to fix your Blackberry. IT professionals should be integrated into all aspects of your organization, and technology should be a consideration in every organizational decision. For firms big enough to have a Chief Technology Officer or Chief Information Officer, ensure she has a seat at the business table helping to guide your core operations.
Consolidate and Integrate Your Data Sources
Securing your data starts by consolidating it from disparate sources. The spreadsheets managers commonly rely on for data storage were never designed to be a system of record. They’re not equipped to handle complex workflow processes, access restrictions or simultaneous input by multiple users. Over-reliance on spreadsheets creates data silos within an organization that lead to redundant and often conflicting records. As a result, managers often lack a single “system of truth” where all information can be stored and easily found.
Compounding the problem, managers commonly use spreadsheets as the “glue” to patch together multiple software systems, introducing excess opportunities for the kinds of fat-fingering that instantly compromise data integrity. Consider: multiple studies reveal nearly 90% of spreadsheets contain errors caused by manual inputs. Instead of relying on spreadsheets as glue, invest in integrating your various software systems. If your software vendor refuses to integrate with another, find a new one. Modern software vendors understand the importance of data integrity and want their system to integrate with the rest of the systems in your operation.
Implement Controls on Data Permissioning
After consolidating your data, implement a role-based permissioning model for both staff members and outside investors, ensuring confidential information is restricted to the select few who need it to do their jobs. Don’t fall into the trap of presuming confidential information is limited to a handful of documents such as K-1s. Permission-based access should be scoped to all confidential investor data such as bank account information, correspondence and transaction details. Assign an internal data administrator to control and track who has access to all confidential investor information at any one time.
Use Strong Passwords and Ensure Your Confidential Data is Encrypted
In the US, a laptop is stolen once every 53 seconds. It’s far easier to walk off with an unsecured laptop than to hack a database. Don’t let the one abandoned laptop in the airport lounge take down your entire organization! It’s imperative that the hard drives of all employee computers are encrypted and that all systems, including employee computers, are protected by strong passwords. Likewise, when transmitting confidential data, default to using password-protected portals.
Choose Purpose-Built Software
Software development has come a long way since the legacy real estate systems designed in the 1990s and 2000s. The past decade’s rapidly falling software development costs have made it financially feasible for skilled engineers to design high-quality solutions purpose-built for evolving data needs. From a security standpoint, newer software solutions benefit from advances in cloud computing. Compared to “on-prem” solutions that host data on managers’ internal servers, cloud-based data hosting can offer a level of security infrastructure that would be cost prohibitive for most firms to replicate internally. Rather than attempting to force legacy systems to perform functions they were never intended for, managers are best off complementing legacy systems with the right mix of modern, out-of-the-box solutions.
Thoroughly Diligence Your Software Providers
To ensure your software providers are appropriately safeguarding your data, ask them for full transparency over how your data is stored and secured. Additionally, verify that providers have passed extensive third-party security and data privacy audits (including SOC 2, third-party penetration testing, and GDPR compliance). Also inquire whether software vendors own the major components of their own solutions. Vendors that outsource core pieces of functionality to third parties have less control over their product and are more limited in driving software enhancements.
While firms should make data security basics an operational imperative, it’s not important for real estate managers to understand data security’s every nuance. Rely on the expertise of thoroughly vetted partners to help implement best practices. The most effective software providers will not only have bulletproof data security practices, but also possess the real estate industry expertise to help you implement those practices most productively.
A version of this article authored by Juniper Square’s Brandon Sedloff appeared in the June 2018 issue of Institutional Real Estate Americas.