A keynote interview as seen in the November 2021 edition of PERE.
Real estate managers now have access to significant pools of data across their entire value chain. Increasingly, this is easily accessible in ways which were undreamed of even a decade ago: ESG performance data, movement patterns for workers and shoppers, asset performance data, detailed tenant information and investor reporting information. Managing this data safely and securely is an important responsibility as no one wants to explain to a client that they will be featured in the next Panama or Pandora papers.
Sanne’s global head of digital innovation, Chris Thoume, and group head of information security, Ash Hunt, explain how managers can protect themselves against data leaks, hackers and the more prosaic bogeyman: human error.
Chris Thoume: Real estate as an asset class has expanded enormously, with a huge increase in the volume and diversity of assets managed by private real estate managers as capital flows doubled in the past 10 years. Improved systems and reporting capabilities at the investment, fund and investor levels have created additional data which managers and their service providers must contend with.
The increased sophistication of the real estate industry means managers want broader and deeper knowledge about their assets, tenants or users and the market in order to generate alpha and/or manage risk. For managers to have a better understanding of their assets, they need more data.
A lot of this data is confidential investment data or personal information about tenants or investors. Potentially this will be sitting on the managers’ systems, or those of a trusted third party or agent. Managers need to consider how to process that data and then share the resulting information with other key stakeholders or investors in a way that is meaningful but also maintains the privacy and security of that information.
CT: If you consider the entire value chain of an income generating rental asset, there will be data generated by the property manager, lawyers, valuers and agents before you even get to the investment manager. There are also external service providers who might be contracted by the property manager and who need select data to carry out specific activities, eg, property maintenance firms. Finally, you have the asset holding level, such as a fund, with its associated service providers and likely a store of private investor information.
Each of these parties will likely have a different system, or more likely multiple systems, in which the data is stored with a variety of people who have access to it. In most cases the data will also be stored in different ways from paper records to cloud-based systems. Each of these methods will impact who can, or could, have access to the data or information derived from it.
Ash Hunt: We are seeing a move from either traditional data centers, or traditional data storage methods, which may even be more rudimentary, to the cloud. That carries a lot of benefits, but also many risks.
On the positive side, you have out-of-the-box security infrastructure and added protection of a major cloud provider, such as Google or AWS. However, this comes with what you might call data hygiene caveats.
It is extremely easy to exchange data with anyone in the cloud, so it is critical to understand how you are actually configuring the storage of data. Do you want to share it with any third party? Do you want to share it with a restricted group of people that only have a certain level of access?
If you are granting them access, what kind of access are you granting them? Is it the ability just to see the data or to manipulate it in some way?
CT: The opportunities for improved investor, tenant or user experience and additional value creation by unlocking data in these silos are significant; for example, using detailed tenant profiles to analyze rental yield and risk in a prospective portfolio. But what happens if that data is lost, hacked or leaked?
That is a very scary prospect and creates both reputational and regulatory implications. That is why security and privacy must be placed front and center for all businesses who want to get to grips with their data.
Managers need to consider both day-to-day activities as well as projects. Projects can often be easier if secure technology architecture is considered from day one. The solution design can accommodate the requirements and enable it to scale and continue to meet the increasing regulatory burden.
Day-to-day activities can sometimes provide more risk: sharing files through email or an online portal can open a number of malicious or accidental access points for data. We even see the historic reluctancy about moving to the cloud because it is “public and might not be secure” reverse, replaced with a mistaken assumption that all cloud-based solutions are secure by default. Unfortunately, that is not the case.
AH: We see this from three angles. First, confidentiality, to prevent data being breached at any point in the chain. Obviously, the more manual or physical storage facilities for that data, the more risk.
Next is integrity; we need to ensure that, as the data is moving between stakeholders, it can’t be affected in any way, either deliberately or accidentally. Finally, availability; how can we actually get data to clients as quickly as possible, and to ensure that it’s available for managers to use, and to have that visibility and transparency across that chain?
We use that triad as a prism through which to view all data controls, which range from manual – checking the integrity of a piece of data, for example – to automated, such as encryption, for both data in transit and data at rest.
Something that is becoming increasingly important is business continuity planning/testing and backup. When I look at data breaches or losses, or even just incidents which affect data availability, the organizations that suffer the lowest material losses are those that can recover as soon as possible, which requires diligence in routinely backing up your data, so you’re not losing your whole set of data for a significant period.
AH: It is a misconception that cybersecurity is always about fighting off malicious actors. Most of the time it is about making the organization and its people aware of and taking joint responsibility for information security. It’s important to come back to effective industry practices and leading by example: understanding your third party, conducting due diligence to check they are someone secure and they are going to treat your data appropriately.
CT: There are also simple things, such as trying to streamline the number of suppliers and people you work with and get to know them better. In our industry and across the sector there is a lot of consolidation of small players or boutiques. So, if you take all those individual small businesses which become part of larger entities, think of the number of systems and underlying processes, or different ways of working. There is risk
It’s important to align business functions and work with the CFOs and COOs to make sure businesses have standardized methods of working. Of course, that standardization means organizations can also get more out of their data, which leads to better investment decisions and lower overall risk in the business.
AH: There has been an increasing requirement for remote desktop services, which have been important in allowing people to access corporate networks and resources securely. The key is establishing identity, so we can be assured a person is legitimately interacting with the data. Many attacks are focused specifically on capturing credentials in order to get access to an organization’s data.
For organizations, it is about embedding the principles of least privilege and segregation of duties. That is ensuring people only absolutely have access to what they need to conduct their tasks effectively. So, if someone actually manages to compromise their account, they wouldn’t be able to escalate their privileges and cause more harm and damage.
CT: All these changes reinforce the need for an inherent information security culture, just like we evolved compliance and risk cultures. It means getting the simple things right, like privacy screens on laptops and training so staff are aware of how data breaches could happen.
As Ash said, it is very often not the malicious actor, but simple mistakes or incorrectly followed processes which lead to breaches. If we teach people how to work with privacy and security in mind at all points in the data journey, design our systems and processes with sound privacy and information security principles at their core, and then combine this with automated technical solutions, you can dramatically reduce your cyber-risk whilst unlocking the value of your data.
AH: The threat landscape is far more nuanced than people think, even within financial services. There may be organised criminal groups, or hacktivists, or even nation states, but there are also accidentally-caused data breaches, where the root cause could be a simple user misconfiguration, or a change by some third party who has access to the data and hasn’t been as diligent as you would have been internally.