The Cyber Threat to Real Estate Agencies


Stephen A. Frew | September 09, 2019

Real estate agents in Wisconsin often think of their businesses as far removed from the cyberattack headlines on businesses that we see almost daily in the media. The reality, however, is that no business is beyond the reach of these high-tech thieves, and Wisconsin businesses are falling victim to these attacks daily.

Nationally, the real estate industry rose to the number two spot on the target list for hackers in the second quarter of 2018, according to international law firm Holland and Hart LLP. Cybercriminals have figured out that real estate agencies hold highly confidential information, deal in frequent and potentially large financial transactions, and have regular access to banking and legal organizations that hold even more information and money. At the same time, small- and medium-sized agencies typically lack sophisticated security systems, making them tempting targets for the bad guys.

The FBI and the National Association of REALTORS® have issued warnings in 2019 about sophisticated email scams targeting the real estate industry. These scams include attempts to impersonate real estate agents and others involved in transactions aimed at getting buyers, escrow agents, REALTORS®, and real estate consumers to wire down payments and closing amounts into foreign offshore accounts.

The second most common attack involves ransomware that can shut businesses down and stall all transactions for an average of 10 days. The alternative is to pay ransoms, sometimes reaching hundreds of thousands of dollars. Security investigations suggest that some sophisticated cyber thieves use information from the initial hack to determine the company assets before setting a ransom price. Most initial attacks are email-based or involve social engineering ploys to gain access.

While real estate agencies are not under the same degree of government regulation as other members of the financial sector, they face potential liability for privacy breaches, expenses to remedy breaches, notification under Wisconsin state law, and the loss of business reputation.

Basic business self-defense tactics

Every business needs basic security technology on its systems, such as secure passwords, anti-virus software, anti-malware software and system firewalls. These, however, are pretty much the security equivalent of a lock on your front door. Businesses that don’t have an internal security team should consider contracting with a reputable service to manage their IT security.

Using cloud servers may also provide an extra margin of technical security, but businesses should carefully review the services to make sure they are getting the security they need, because the business can outsource the service but remains liable to the client in the event of a breach.

Security strategy recommendations for real estate agencies include:

  1. Adopt internal protocols or policies on money transfers. These typically involve two parties approving each transfer, phone verification of transactions, secure document transfers, and use of bank security systems to protect accounts.
  2. Train all employees to avoid deceptive email traps and social engineering schemes seeking to gain access to the company systems. Employees are a significant line of defense against the constantly evolving threats from cybercriminals, but without training, tests show that more than two-thirds will click on scam email links. Businesses cannot afford to leave their employees unprepared.
  3. Have your lawyer include security provisions and processes in company contracts and agreements to help assure that your business associates and suppliers are part of your security system.
  4. Get cyber liability insurance with adequate limits. General business insurance typically excludes coverage for cyber breaches or social engineering, or limits coverage to unrealistically small amounts.

Cyber insurance: what you need to know

Unlike the well-established and fairly uniform standard insurance packages, cyber insurance is a new and developing product that varies dramatically from insurance company to insurance company. It also tends to be negotiable and moldable to an extent to address the specific risks and concerns of the business or organization seeking coverage.

In general, a cyber insurance policy has first-party modules, third-party modules and crisis response modules.

Not all cyber insurance policies use the same titles for coverage or definitions for losses, or arrange the same benefits in similar modules. This disparity makes comparisons of policies challenging, which is why a business leader should work with an insurance agent or broker who has a solid knowledge of the organization’s risk exposures and the scope of coverage offered by the various policies. An independent agent with access to many companies may be preferable to an agent who works with only one insurance company in order to ensure that the organization receives the best range of options from which to select. Professional organizations may offer industry-specific packages at special rates.

First-party — property damage

If an organization’s computers are hacked and need to be replaced and records must be restored, the standard provisions of a business policy typically will exclude coverage. The business will have to shoulder the loss, unless it has “first party” cyber coverage.

Data restoration

If a cyberattack on an organization destroys, corrupts or impairs access to data, most cyber policies offer a data restoration benefit. This coverage typically will pay the outside costs of contracting services to restore, recreate, sanitize and regain access to the data. Leaders should pay close attention to the terms of the benefits. Most policies will require pre-approval of which vendors an organization uses, and very few policies will reimburse for the time employees spend performing these services themselves.

Cyber extortion/ransomware

This form of attack generally uses social engineering schemes to get officers or employees to click on a link that downloads malicious code. That code seizes control of an organization’s computer systems by encrypting certain files, all files, operating systems, and in some cases, even the system backups. The bad guys then will demand payment of a ransom to obtain access to the victim’s own computer and data. In some cases, payment of the ransom results in restoration of the data, and in other cases it does not.

A critical element in policies for cyber extortion or ransomware is whether the policy will pay for the forensic investigation, payment negotiations and ransom if the ransomware entered the system due to “social engineering” that induced an employee to click on a corrupt link in an email or on a website. Some policies exclude social engineering events or limit coverage amounts.

Crisis management

This coverage pays the costs of identifying and responding to a cyberattack or breach incident as defined in the policy. Typically, the benefits cover:

  • Forensics: Expert outside analysis of whether a security incident or breach has occurred, how it occurred, how extensive the damage is, and, if possible, who committed the attack.
  • Expert legal services: Determination of how to manage the event legally, whether notification is required, what methods of notification must be used, drafting notifications, advising on public statements, notification of regulators, responding to regulators, and other highly technical analysis.
  • Crisis PR: External experts who can advise an organization on how to manage contact with the media and employees to limit damage to public image and reputation.
  • Notification: Physical and media communication with clients and other individuals who are or may be the victims of a data breach in this incident. This coverage generally includes the costs of printing and mailing of breach notifications, placement of newspaper and other media ads, and press releases.
  • Credit monitoring: Typically, persons deemed entitled to notification are offered credit monitoring to help mitigate the damage that may result from the breach of their personal information.
  • Call center services: Significant breach events can result in massive client and general public calls to the organization that has suffered the cyberattack. Call centers handle the inquiries in a professional manner and on a 24-hour basis via a toll-free number.
  • Insurance crisis team: Many policies offer a “cyber coach” team of dedicated cyber specialists who will help the organization through the event and often have experts in all of the listed specialties ready to deploy immediately. This team is a critical benefit that shifts the burden for securing necessary services from the business leader to the expert team, and gives small and medium organizations a depth of resources that they otherwise would not be able to afford.

Third-party — privacy breach

This coverage provides the organization with legal defense and liability coverage for damages incurred to others for the consequences of a cyberattack or failure to comply with privacy laws and regulations. As in all modules, careful attention must be given to definitions and exclusions to be certain what is covered.

Network security

This module provides legal defense and liability coverage for system security technology, technology policies and procedures, and negligent IT actions that result in damage to a third party. This scenario typically involves penetration of the organization’s system that is subsequently used by the hackers in a denial of service attack on a third party’s computers.

Regulatory actions

State and federal regulators are jumping into the privacy regulation arena and imposing oversight and penalties on businesses and organizations for security and data breach incidents. This module typically provides insurance in the case of regulatory investigations. Benefits typically apply to legal representation for regulatory investigations, defense of regulatory actions, and legal defense for damage claims resulting from alleged regulatory violations, and Payment Card Industry (PCI) fines for security standard non-compliance.

Online media liability/advertising

This module protects an organization from allegations that its online advertising and websites are guilty of libel, slander, copyright infringement, or violation of personal rights to privacy. The benefit typically provides legal defense and payment of damages.

Limits, retentions and sub-limits

Organizations should be just as concerned about the limits, retentions and sub-limits on the policy as the modules that they purchase.

The limit is the maximum amount that a policy will pay out in benefits. Limits typically are stated as two figures, such as “$1,000,000 / $3,000,000,” which indicates that the total payout will not exceed $1,000,000 for a single incident and $3,000,000 maximum combined for different incidents in a single year.

The retention or deductible is the amount that the organization must incur before the insurance policy kicks in. This amount varies by the insurance carrier and by the amount the organization is willing to incur before going to the insurance.

Sub-limits are limits placed on the modules of insurance. A policy might have a $1,000,000 overall limit, but the notification sub-limit might be only $100,000. If a massive breach incident required notification of many individuals, the costs might exceed the sub-limit and leave the organization responsible for the excess costs.

Careful attention should be paid to the limits an organization selects to realistically insure against the actual loss potential for the exposure the organization faces, while not purchasing excessive or economically infeasible levels of coverage. Most organizations underestimate their potential exposure, especially when considering the indemnity provisions in contracts they may sign with other organizations.

Experienced legal, financial and insurance advisers should be consulted on issues of coverage terms, limits, sub-limits and deductibles when selecting a policy.

Stephen A. Frew, J.D., CIPP/US, is Vice President and Risk Consultant for the insurance division of Johnson Financial Group. He is a Certified Information Privacy Professional and a graduate of the University of Illinois College of Law. He is the author of the book Cyber Threats - Risk Management Tips for Business.

Copyright 1998 - 2024 Wisconsin REALTORS® Association. All rights reserved.