Highlights:
- Real Estate companies are increasingly the target of hidden risks.
- The top three hidden risks facing real estate companies today are ransomware demands, social engineering/ business email comprise and sexual harassment lawsuits.
- Insurance policies provide effective risk transfer for these exposures, but having an insurance broker with real estate expertise is key to avoiding coverage pitfalls.
Most real estate owners/operators are concerned with the risks associated with the condition of their property. Hurricanes, hail storms and earthquakes are some of the top exposures that keep them up at night.
But some of the most frequent, and potentially the most severe, exposures are not as obvious as inclement weather. Exposures such as financial loss due to a phishing scam, ransomware demand, or sexual harassment lawsuit may be overlooked by real estate owners and operators as being not applicable to them. These headline grabbing exposures seem to be the problem of larger companies or companies that have well-known names. In fact, the real estate industry has been a trouble spot for these hidden exposures, experiencing even higher frequency and severity than in other industries.
The first hidden risk involves ransomware. Some predictions hold that a business will fall victim to a ransomware attack every 14 seconds, as noted in AXA XL’s recently published report “Ransomware: A Clear and Present Danger.” These attacks are no longer commonly perpetrated by unorganized criminals or one-off hackers, but rather by organized, professional criminal enterprises whose sole operation is perpetrating ransomware attacks. However, despite their apparent criminal professionalism, these operations may be tied to known terrorist organizations or foreign governments, and paying the ransom can introduce negative publicity or noncompliance with U.S. laws.
Having the appropriate cyber insurance coverage, including coverage for ransomware demands, not only provides money to pay ransom, including in online currency such as bitcoin, but also allows access to experts who can determine whether paying is the best action in the face of a demand, and how to navigate complex laws.
It is also a common misconception that the ransom amounts will always be substantial and that targets will be large companies. Rather, these ransomware organizations make money through volume, and demands in the tens of thousands of dollars or less are increasingly common as these organizations gain scale. The FBI estimates that in 2017, $1 billion was paid in ransomware in the U.S. alone, providing incentive for new and larger ransomware operations going forward. No U.S. company is immune, and increasingly real estate companies are among those experiencing loss.
While ransomware is one of the emerging threats for a real estate company, many other cyber exposures also threaten real estate.
The second hidden risk is social engineering, or business email fraud, where an employee receives an email from a purported vender, employee or client directing a payment be made, but the actual money is stolen, is the most frequent loss we see against real estate companies.
According to the U.S. government, losses from social engineering amounted to $361 million in 2014, increased to $676 million in 2017 and reached $1.2 billion in 2018--and those are only the figures reported to law enforcement. Bad actors target real estate companies because of the large number of both vendors involved and payments that are being made, and also because smaller and/or family-owned real estate companies may not have the same protections as a larger company, such as multi-factor authentication, encryption, external email tags and the like.
Some recent losses experienced by real estate firms have exceeded $1 million in a single transfer. The appropriate coverage for social engineering can be found in a cyber liability policy, or a crime/financial institution bond policy. But the coverage is non-standard and often contains significant limitations, such as requiring callback verification be made by the employee effecting the transfer. The coverage is also almost always limited to a small sublimit ranging from $10,000 to $250,000 on a typical policy. However, some insurers offer excess policies that can be purchased in layers to provide limits up to and in excess of $100 million if desired.
The third key hidden exposure on the rise for real estate companies is the exposure to allegations of sexual harassment or other types of discrimination. Most real estate companies are familiar with the headlines surrounding the #metoo and related movements. These movements increased awareness, emboldening victims to bring suits, invigorating the plaintiffs’ bar, creating more sympathetic judges and juries and spurring governments to enact new laws--all increasing exposure to both frequency and severity of these types of lawsuits.
The July 2019 National Women’s Law Center survey noted that 15 states have already passed new protections, including limiting or prohibiting non-disclosure agreements, expanding protected classes to include independent contractors or interns, extending the statute of limitation and requiring more training. Additionally, other allegations are rising as well--more than two-thirds of those who file a sexual harassment complaint with the Equal Opportunity Commission also allege retaliation by their employer for speaking out about the alleged harassment.
An employment practices liability—EPL--policy is the best protection for these types of lawsuits. Even if you’re using a professional employer organization—PEO--that is buying EPL, that policy almost always is missing key coverage when compared to purchasing your own EPL. And PEO EPL limits are shared across all members, not guaranteeing limits to any one member if one of these lawsuits arises.
In summary, some of the largest risks facing real estate companies today have little to do with the buildings they own or manage, and are therefore “hidden” or unseen exposures. Ransomware demands, social engineering and sexual harassment lawsuits are among the top exposures facing real estate companies today.
The insurance marketplace offers solutions that can significantly reduce the exposure to these hidden risks, both in the form of risk transfer, and also by providing expertise to help companies navigate these complex and dynamic situations. A well-drafted cyber policy, crime/financial institution bond policy, social engineering excess policy and employment practices liability policy will provide these protections, as long as language is thoughtfully negotiated. And the insurers of these policies often offer pre-claim training and other services in addition to consultative advice post-loss--a key, proactive way to reduce exposure to these hidden risks.
In a rapidly evolving environment, it is necessary to engage a broker that has expertise in cyber liability, crime/financial institution bond and employment practices liability, and just as importantly, has experience working with real estate companies, in order to ensure there are no gaps in coverage.
