Property management has long focused on tangible assets, the efficiency of services and the quality of human interaction. However, the emergence of a more intangible threat — cyber risk — is now a key focus.

The evolving threat landscape is challenging block managers to ensure operational continuity, tenant safety and financial health from a physical and digital risk management perspective.

According to a July 2025 Royal Institution of Chartered Surveyors (RICS) report, 27% of UK buildings experienced cyber-attacks in 2024, a 16% year-on-year rise¹.

Cybersecurity Awareness Month in October presents an excellent opportunity to take a fresh look at the vulnerabilities and how to build cyber resilience.

The role of AI in weaponising fraud

Cyber criminals are using Artificial Intelligence (AI) as a powerful new tool to target the real estate sector. Attackers exploit the industry's reliance on trust, urgency, and high-value transactions by using AI to generate deepfakes, clone voices, and create forged documents, making it difficult to distinguish between real and fake communications.

What makes real estate a prime target of cyber criminals?

Property transactions involve high-value transfers between multiple parties, a condition that attackers are seeking to exploit. Remote processes and e-signatures improve efficiency but reduce in-person checks and increase companies' digital footprints.

Cyber risks touch nearly every part of real estate operations, creating multiple points of vulnerability. As the business becomes more digital and interconnected, here are some of the issues to think about:

The smart building threat

Modern properties have complex, interconnected digital ecosystems that use automation in access control, CCTV, HVAC, elevators and building management systems (BMS). While automation enhances efficiency, it also expands the attack surface. A successful attack can disrupt heating, lighting or access to the building, potentially leaving tenants in an unsafe or uncomfortable environment.

Risk of financial fraud

Financial transactions, such as collecting rent, managing service charges and paying vendors, are common between tenants, lessors or landlords, making the real estate industry a prime target of cybercriminals. One of the common cyber threats is a Business Email Compromise (BEC) scam, where criminals impersonate trusted contacts in a bid to redirect payments. With the advent of AI, these scams have become more sophisticated, tricking property managers into sending funds to fraudulent bank accounts.

Third-party cybersecurity gaps

Property management operates through a complex ecosystem of contractors, maintenance teams and facilities management (FM) providers. While they provide essential services, these vendors and contractors can be the weakest links in your cybersecurity chain. Shared credentials, unvetted remote access tools and a lack of robust cyber policies can create back doors for attackers to exploit.

Digital portals and tenant data exposure

Tenants expect seamless digital communication, from online rent portals to mobile apps for service requests. However, these platforms are increasingly targets for cybercriminals who use fake apps, spoofed alerts and phishing emails to gain access to tenant data. One successful attack can result in a data leak and/or network interruption, eroding tenant trust and exposing sensitive information.

Top 5 red flags to watch for

  • Unexpected bank detail change requests, even from known contacts.
  • Outdated fob or BMS software with no patching schedule.
  • Contractors with remote system access who lack a documented cyber policy.
  • Service charge communications sent via unencrypted email.
  • Staff using personal emails for tenant or site-critical messaging.

How can real estate firms strengthen their defences against cyber threats?

Property managers should embed clear supplier cyber clauses in all contracts, conduct regular security assessments and impose strict access control limitations for every third-party provider, no matter how trusted they may be.

Here is a practical, site-level checklist to build your cyber resilience:

  • Staff training: Implement regular training on basic cyber hygiene for all employees so they can identify phishing and social engineering attempts.
  • Multi-factor authentication (MFA): Make multi-factor authentication mandatory for all administrative access, tenant portals and building management systems.
  • Vendor protocols: Establish precise cybersecurity requirements in all contracts with suppliers and conduct periodic security assessments.
  • Fraud payments: Implement dual verification for all changes to bank details, make mandatory confirmation calls to known contacts and impose a 48-hour waiting period for any such changes to stop most fraudulent schemes effectively.
  • Patch management: Identify and replace outdated operating systems or unsupported firmware.
  • Incident response playbook: Develop a tailored response plan for each building or portfolio that outlines clear steps to take during a breach.
  • Board reporting: Integrate digital risk as a standing item in your regular governance and board updates.

Stay updated with the insurance and regulation changes

In the UK, tighter rules and insurance conditions are changing how organisations deal with cyber threats, with a July 2025 proposal to ban ransomware payments by public-sector-linked bodies demonstrating this shift². The message is simple: instead of paying up after an attack, organisations are expected to take stronger steps to prevent one happening in the first place.

In return for cover, underwriters increasingly demand proof of fundamental controls like MFA, a formal incident response plan and thorough third-party vetting, making it necessary for boards to ask questions about their organisation's cyber posture to ensure insurability and good governance.

Top tip

Integrate cybersecurity into innovation from the start — covering smart devices, 5G and the growing wave of IoT connections. Bring technology and security teams together early to address risks proactively.

Protect your properties from the next cyber threat

The average cyber-attack cost for a medium or large business in the UK was estimated at £10,830³. As innovative building systems become more connected, the risks grow.

Contact your Gallagher representative today to learn more about protecting your business from diverse cyber threats.


Disclaimer

The sole purpose of this article is to provide guidance on the issues covered. This article is not intended to give legal advice, and, accordingly, it should not be relied upon. It should not be regarded as a comprehensive statement of the law and/or market practice in this area. We make no claims as to the completeness or accuracy of the information contained herein or in the links which were live at the date of publication. You should not act upon (or should refrain from acting upon) information in this publication without first seeking specific legal and/or specialist advice. Arthur J. Gallagher Insurance Brokers Limited accepts no liability for any inaccuracy, omission or mistake in this publication, nor will we be responsible for any loss which may be suffered as a result of any person relying on the information contained herein.