DROOMS REPORT

Europe’s real estate cyber war

Implementing solutions in a digital world

101
100
000 001
010 0
010 100 1001
011 1 1 101
110 011 011 111
111 110 1 0 1 011
101 110 100
100 000 001
001 101
010 0
011 0
01
drooms.com
 DROOMS REPORT EUROPE’S REAL ESTATE CYBER WAR

Cyber attacks can affect any business anywhere, large or small

and the threat is enormous. In 2018, there were more than
two million cyber incidents worldwide that resulted in over
US$45 billion in losses, according to the Online Trust Alliance.1
This is most likely an underestimate, given many attacks go
unreported.

These attacks can take the form of hacked devices, network

breaches or stolen data, all of which can seriously damage
commercial interests and be financially devastating. For
example, TalkTalk’s failure to respond rapidly enough to its
data breach in 2015 caused the loss of 101,000 customers.

British Airways suffered an even bigger hit in July this year

when it was fined a record £183 million by the Information
Commissioner’s Office for a breach of its security systems in
2018. In August, the European Central Bank had to admit that
one of its websites had been hacked and the personal details
of 481 subscribers were stolen.

1
Source: Cyber Incident & Breach Trends Report, 2019 drooms.com 2
 DROOMS REPORT EUROPE’S REAL ESTATE CYBER WAR

The real estate industry is far from exempt from cyber attacks.
In fact, the frequent, high-value transactions between multiple
parties and which are taking place digitally mean that it can be
particularly attractive to hackers.

So what do real estate professionals in Europe think about

the threat of cyber attacks? How concerned are they, and how
prepared do they believe the industry is to deal with them?

To provide some answers to these questions and perspective

on where the European real estate industry is with regards to
cyber threats, Drooms has surveyed2 professionals working in
the industry, including private equity and other investment
managers, accountants and lawyers. The results are outlined
below, together with potential solutions.

2
Source: Survey conducted by PollRight between 20 May and 5 August 2019 among 51 real estate industry professionals in Europe drooms.com 3
 DROOMS REPORT EUROPE’S REAL ESTATE CYBER WAR

Nearly nine out of 10 are concerned

The level of concern among real estate professionals in Europe is
1 10
striking: nearly nine out of 10, or 86%, are concerned about the threat
1 0 01 Extremly
11 001 0
of cyber attacks over the next five years in Europe. This includes two
concerned
1
11 1 about cyber attacks
in five (40%) who are extremely concerned. 14% said they were ‘not
1 0 00
0
01 011 10 10
very concerned’ but none said they had no concerns at all.

40
0
1 11 0 11
0 1
00 110 %
An overwhelming majority also expect the situation to get worse.
0 1 01
Over nine in 10 (92%) expect the number of cyber attacks on
0 11 0 0 0
businesses in Europe to increase over the next five years, including 0
0 00 1 10
1 1
57% who expect the increase to be ‘significant’. None of the
0 1 01
1 10 010
1 01
11 000
respondents believed it would decrease.
Concerned
0
0 11 0
1 1 about cyber attacks
But what consequences do real estate professionals fear most
0
0 110
86 %
about cyber attacks? The most significant negative impact appears
to be reputational damage, which was cited by 90% of respondents. 11
This was significantly ahead of any other negative outcome. The
second most concerning outcome was fines from regulators, which
was mentioned by 57% of respondents. Other negative outcomes Not very
cited include: loss of revenue (43%); loss of customers (41%); concerned
compensation to customers (33%); and provision of resources about cyber attacks
Not concerned

14 %
to combat cyber attacks (33%).
about cyber attacks

0% drooms.com 4
 DROOMS REPORT EUROPE’S REAL ESTATE CYBER WAR

100 1100 11000 110

010 1010 101
011 10
101
How prepared are

01
0
111 0111 10111 01111
??
real estate companies?

011
1

00
0
001 0100 01001

001
1

10
1
000 0000
1
Real estate professionals largely appreciate the importance of protecting against

101
1
101

1
cyber attacks. Nine out of 10 (90%) say it is important to ensure proper strategies

??
are in place to manage cyber attacks, including 53% who say it is extremely
important.

However, real estate professionals are also pessimistic about the degree of
preparation by companies in their industry to deal with the threat of cyber attacks.
Only one in 25 (4%) would say the industry is ‘extremely well prepared’, while just
over half (55%) said the industry was moderately prepared. Just over one in 10
(12%) see the industry as extremely unprepared and 29% say it is moderately so.

In terms of weak points, more than half of real estate professionals (51%)
believe companies in their industry are most vulnerable to the threat of cyber
attacks in terms of controlling external parties’ access to information.
The second area identified was protecting information flows between devices
(24%), followed by protecting against ransomware (12%); controlling employees’
access to information (10%); and protecting interfaces between software
applications provided by third parties (4%).

drooms.com 5
 DROOMS REPORT EUROPE’S REAL ESTATE CYBER WAR

101100001010011011110110
000101001101110110000101
001101111011000010100110
111101100001010011011101

101100001010011011110110
000101001101110110000101
001101111011000010100110
111101100001010011011101
101100001010011011110110
000101001101110110000101
001101111011000010100110
111101100001010011011101
Recognised measures
Respondents to our survey do have a good idea of what can be done to counter
cyber attacks. Training staff beyond the IT department to ensure they are
aware of risks and response processes was seen by 92% of respondents as
important, including 63% who saw this as extremely important. Encryption of

101100001010011011110110
000101001101110110000101
001101111011000010100110
111101100001010011011101
all data was recognised by 88%. Other measures cited included: maintaining the
most recent patching by updating software and hardware as needed (88%);
having a full back up system in place with regular and separate data uploads
(88%); putting adequate insurance in place (80%); having the right governance
structure in place, including a core group responsible for monitoring, developing
and implementing cyber security programmes and policies (75%); and
implementing multi-factor authorisation (62%).

Most real estate professionals (55%) say their companies implement cyber

101100001010011011110110
000101001101110110000101
001101111011000010100110
111101100001010011011101
security measures through a combination of internal and external resources.
Significantly fewer (25%) say this is achieved through external third-party
providers and just 16% say it is internally staffed.

101100001010011011110110
000101001101110110000101
001101111011000010100110
111101100001010011011101

100001010011011110110
101001101110110000101
101111011000010100110
101100001010011011101
drooms.com 6
 DROOMS REPORT EUROPE’S REAL ESTATE CYBER WAR

110
01
10
101
01

001
110
110

001
101
0110
Countering the threat

101 1

011
100
1

011
0

101
10000
1010
01111

011
101
011

000
01001

010
10000

011
11101

010

110
1

001
1

1
001
1
0

0
001
0
0

111
1
0

100
1

100
1

0
00010

101
1

110

101
1
0

101
11

101
As mentioned above, the costs of a cyber attack can be devastating for

10

000
11110

001
00110

111
00010
10110
companies. However, real estate firms can counter such threats with the
right crisis management and preparation.

The first line of defence that should be put in place should be an early
warning system: Identifying a cyber attack is often much harder than it
might seem. Ponemon’s 2017 Cost of a Data Breach study found for
example that companies take up to 200 days on average to register an

!
!
attack has taken place. As such, adequate monitoring is essential to
highlight breaches as soon as possible. This monitoring system must
pinpoint when attacks have taken place, what kind of attacks they are
and the impacts they could have.

The second stage of defence is to contain the attack. Responsibility

for this must rest with either the IT department or be tasked to an
external cybersecurity specialist.
! !

drooms.com 7
 DROOMS REPORT EUROPE’S REAL ESTATE CYBER WAR

An effective recovery
strategy is essential
Transparency is an increasingly important facet of the business world.
Stakeholders are very unforgiving of product and service providers who
breach their trust by failing to make them aware of important developments
at the earliest opportunity.

Reporting incidents in a timely manner has become even more imperative

under the GDPR reporting rules, which require relevant authorities and
customers to be apprised of cyber attacks.

Companies must have a proper response plan ready. This must include a
PR/marketing strategy to mitigate the negative publicity as well informing
key stakeholders, including customers, regulators, business partners,
employees and investors, on the type of attack involved, potential impacts,
responses in place and possible compensation. Another key element of this
is to outline what security measures will be put in place going forwards.
These should draw on lessons learnt and involve investing in security
solutions and expert advice. Encryption technology, the use of highly secure
cloud-based solutions and advanced firewall and malware software
should also be seriously considered.

drooms.com 8
 DROOMS REPORT EUROPE’S REAL ESTATE CYBER WAR

If the response to a threat has been wanting in any areas, then current practices must be
seriously reviewed and overhauled if necessary.

Key points of consideration for companies include:

Strategy
Governance Training
management

A core group should be made Response plans must be Team members beyond just the
responsible for monitoring, updated regularly to ensure IT department must be kept
developing and implementing they are fit for purpose. informed of the risks faced by
cybersecurity programs the company and its cyber
and policies. security policies.

While prevention is key, it is just as essential to have

an effective recovery strategy in place too. If the right
procedures are in place, cyber attacks can be contained
and recovery can begin immediately.

drooms.com 9
 DROOMS REPORT EUROPE’S REAL ESTATE CYBER WAR

The Drooms VDR solution

The Virtual Data Room (VDR) products developed by Drooms incorporate
features that provide extensive support to companies involved in the
containment phase.

These features include:

Multi-factor authentication

Encryption of all data

Updating software and hardware as necessary to

ensure patching is state of the art

Maintaining a full back-up system

These measures maintain the efficiency of the containment process, providing

the foundation for a paid recovery process, including slick communication
channels between relevant stakeholders.

drooms.com 10
 DROOMS REPORT EUROPE’S REAL ESTATE CYBER WAR

New features
Drooms continues to upgrade its products to keep them state of the art and ensure
they give clients the security they need.

In March this year, Drooms PORTFOLIO was launched. This VDR incorporates
features developed from more than a decade’s experience in providing services to
asset managers, such as UBS’s Real Estate Investment Management Business.
It represents a step-change boost to the administrative efficiency of real estate
asset managers, facilitating intelligent and secure portfolio management of multiple
assets throughout their hold phase, allocating bespoke data rooms to individual
assets while storing them on a single platform.

It also includes an ‘auto allocation’ functionality, an artificial intelligence (AI)

feature, which sorts all incoming documents and indexes them accordingly.

The fact is that many real estate firms will run several data hubs within their
organisations, making it difficult for them to know where data is held and who
might be processing it. This means they are all the more susceptible to a cyber
attack. In contrast, a VDR can store all data centrally on a highly encrypted
platform. What is important from a security perspective is that Drooms’ auto
allocation functionality only allows users with the required permissions to
upload folders and documents via a drag-and-drop function, automatically
allocating them to the respective index points.

drooms.com 11
 DROOMS REPORT EUROPE’S REAL ESTATE CYBER WAR

For real estate asset managers, though, a key feature of Drooms’ proposition is
its lifecycle asset management facility provided through its portfolio offering.
This enables assets to be managed throughout their ‘life cycle’ of buy, hold
and sell.

They allow transaction-relevant documents to be kept up to date and made

available at all times. Creating such a database means that sellers are in full
control and can bring an asset to market rapidly, reacting to market conditions
whenever they are favourable.

All data is stored securely on a cloud platform and accessible to all

authorised parties, including potential buyers. The availability of an accurate
and complete document base cannot be underestimated because unclear
or incomplete transaction documentation can lead to price reductions, or even
sales falling through.

drooms.com 12
 DROOMS REPORT EUROPE’S REAL ESTATE CYBER WAR

Essential for survival

The potential for cyber attacks is growing as digitisation becomes an
ever-increasing part of commercial life.

Preventing such attacks by having the right protection in place will always
be less costly than recovering from a breach.

This requires companies to secure and manage data in the right way.
While real estate companies need to fully consider all their options,
cloud-based data storage and VDRs offer a robust solution for many
of them.

Drooms’ VDR products provide the security protocols to meet all the
best practice principles outlined above. They tick all the boxes in terms
of being fully GDPR-compliant and having encryption, multi-factor
authentication and back-up solutions in place.

Learn more about These are all the boxes that real estate companies must ensure they
have covered, for in today’s world, protecting against cyber attacks is
Drooms PORTFOLIO not a luxury, it is essential for their survival.

drooms.com 13