Real estate brokerages are potential targets for cybercrimes. Knowing what to do before and after a cyberattack can help minimize your costs.
John Mondics is President of Mondics Insurance Group, a Texas REALTORS® risk management partner. Here are seven steps he recommends for addressing these threats.
Before: Get help before you need it
Before anything happens to your business, reach out to an attorney who specializes in cybercrime and could help you respond to an attack, Mondics says.
“A family lawyer or real estate lawyer may not be the best person to contact,” he clarifies. “You need someone who specializes in this field and knows what to do about notifying customers.”
Set up this relationship ahead of time. An hour of an attorney’s time will be a small price to pay in retrospect, he says.
Before: Build a strong defense
Make sure your computer systems are secure and have strong defenses in place. Train everyone who accesses your systems to use them safely. Dual authentication is now a standard procedure, Mondics says.
A cybersecurity firm can advise you about the best measures to put in place. Just like with the attorney, Mondics recommends connecting with a firm before something happens. That way, in your hour of need, experts will know your systems and be able to respond quickly.
Before: Consider cyber insurance
Cyber insurance is often a separate policy. Some carriers offer cyber endorsements to existing policies.
“Cyber coverage is like selecting a limit of liability insurance,” Mondics says. “You don’t know what limit you may need until after an occurrence. I would get multiple quotes. You may not need the broadest coverage. It does help to rebuild and pay expenses. For most small businesses, they can afford a little higher premium to prevent that big cost.”
Your business may not need comprehensive coverage. Mondics recommends reviewing your systems and budget and considering what potential losses could look like.
Some firms skip cyber insurance altogether. Mondics says their logic rests on two assumptions: that insurance costs $2,000 to $3,000 a year and that the business will make it 10 to 15 years without an incident. They may refer to it as self-insurance, but it’s really being uninsured, he adds.
Mondics remembers one small business that was hacked and didn’t have any cyber coverage. The costs totaled tens of thousands of dollars, but could easily have been far more, especially if the business had incurred multiple losses.
Self-insuring could be a valid choice for your business, but it is a bad decision if you choose it out of ignorance of your needs and options, he says.
After: Close the gate
Many businesses give remote access to their agents, vendors, suppliers, or other trusted partners. If you believe your firm has been attacked, immediately disconnect remote access, he recommends. “Your servers or network could be compromised,” he explains. “Close it off to stop any further problem.” Then your experts can try to figure out what happened and how the criminals got into your systems.
After: Don’t try to fix it yourself
Maybe you or your agents consider yourselves tech-savvy. In the case of cybercrimes, do not attempt to fix problems yourself, Mondics cautions. Hire a qualified cybersecurity company to ensure that any problems are fixed, any vulnerabilities are addressed, and better systems are in place going forward.
After: Call the authorities
Next, notify local, state, and federal authorities, including the FBI. “The authorities will then tell you what to do,” Mondics says. If the data breach affects 250 or more Texans, you are required to report the event to the Office of the Texas Attorney General within 30 days of the discovery of the breach.
Reach out to the cyber attorney you connected with beforehand. Also call your insurance carrier to keep them in the loop.
After: Contact affected parties
Your attorney will advise you on how and when to notify those who were affected or potentially exposed by the cybercrime, Mondics says.
When you contact stakeholders, be clear about what happened and what steps you are taking. There is nothing to be ashamed of when admitting your firm has been hacked, Mondics says.
Your liabilities should be limited if you’ve prepared in advance and taken the correct steps to protect yourself and notify stakeholders.