As companies engaged in real estate increasingly engage third-party providers, including property managers and investment advisors, as well as valuation specialists, to augment their own expertise and efficiency, they are creating opportunities for cyberattackers to compromise the data and systems of both the provider and their client companies (the providers of the services being offered). A great deal of the operations within the real estate industry today involve large amounts of data being collected and analyzed by operators (individuals and businesses). This collected data includes client information, accounts receivable and payable, contracts, legal documentation, and information about the property's proximity to various types of businesses and/or other properties in the geographic vicinity. When that information is sent to an outside vendor for processing via shared lines or other digital connections, the risk of exposing sensitive information increases greatly.

The incident with Situs AMC Data Breach illustrates the level of risk associated with the use of outside vendors for managing sensitive c-suite/company/clients' information. The unauthorized intrusion into their systems allowed these outside parties access to internal systems used to store their clients' accounts and legal agreements. This was an example of how even companies with established security protocols are susceptible to attacks from cybercriminals as a result of the access provided to them by their vendors.

Vendor-related risks extend beyond just the access to sensitive information and data; they also extend into the potential difficulties in establishing uniform security protocols among various vendors. For example, a vendor may have stored their client data on an unsecured virtual server; that vendor may not have implemented Multi-Factor Authentication (MFA); or a vendor may not have performed an annual audit of their systems. Each of these vendor security lapses leaves a door open for an attacker to initiate an attack targeting either the vendor or the client.

In addition to the loss of immediate revenue resulting from being breached by a cybercriminal, other types of damage could happen, including compromised data about corporations or clients that can lead to identity theft and/or fraudulent activity, as well as fines and/or penalties from government agencies and damage to a company's reputation. In addition, companies could also face exposure to liability claims due to their failure to adequately vet or monitor the security procedures used by their vendors.

Companies mitigate their risk by taking a proactive and multi-faceted approach, which includes performing due diligence when hiring a vendor and evaluating their cybersecurity policies, encryption practices, and past history of cybersecurity incidents. Companies should regularly perform audits of their vendors and have specific contractual requirements regarding security measures to be implemented for each vendor they hire, along with continual monitoring of the activities performed by their vendors. A vendor incident response plan that includes specific considerations for third-party breaches must also be in place to allow for a rapid response, if necessary.

Employee education is equally important. Employees must be educated about the ways that third-party vendors can impact the organization's digital environment, as well as how to identify potential data exposure warning signs. By establishing a culture of accountability and consistent education with respect to cybersecurity, organizations can better protect themselves against security breaches, particularly when there are multiple partnering organizations involved.

The modern real estate industry relies on digital transformation and outsourcing but cannot escape the risks associated with them. Digital transformation and outsourcing provide scalable, efficient, and knowledgeable methods of carrying out business; however, as seen through the SitusAMC Data Breach, these benefits also increase the likelihood of a cyber-attack. Third-party vendors may be leveraging security practices that put both the vendor and their clients at risk for data breaches; therefore, continuous due diligence, strong security standards, and constant monitoring provide the best protection against the more sophisticated and higher frequency of cyber threats.