Managing Cyber Risk. Robert Entin Executive Vice President Chief Information Officer Vornado Realty Trust

Transcription

1 Managing Cyber Risk Robert Entin Executive Vice President Chief Information Officer Vornado Realty Trust Adam Thomas Principal Cyber Risk Services Deloitte & Touche LLP

2 Give Us Your Feedback for this Session! Session evaluations are available on your chair. Please take a moment at the end of this session to provide your feedback on the content and speakers. Evaluations can be handed in to a NAIOP staff member at the back of the room. Thank you!

3 Robert Entin Executive Vice President Chief Information Officer Vornado Realty Trust Robert Entin is Executive Vice President - Chief Information Officer of Vornado Realty Trust, overseeing all information technology initiatives of the Company. Mr. Entin joined the firm in 2005 as a Senior Vice President and became Executive Vice President in Prior to Vornado, Mr. Entin founded Integrated Business Systems, Inc. in Clifton, NJ in He combined technical engineering expertise with accounting and property management experience to provide turnkey technology solutions for the real estate industry. IBS became one of the acknowledged leaders in the real estate industry, dominant in the New York region. In 2013, a portion of the IBS organization joined Vornado. His roles throughout the years have placed him in the unique position of being both designer and user. He has authored many articles and frequently serves as an expert source on real estate technology and emerging trends. Mr. Entin is a member of the Realcomm Advisory Council and served as the Co-Chair at the Realcomm National Conference in Mr. Entin currently serves as an Adjunct Professor at Columbia University where he teaches a master s course in IT & The Real Estate Enterprise, a course he previously taught at Baruch College in New York City. Mr. Entin holds a Bachelor of Science in Computer Science and Engineering from The Moore School of Electrical Engineering at The University of Pennsylvania.

4 Adam Thomas Principal Cyber Risk Services Deloitte & Touche LLP Adam Thomas is a Principal in Deloitte s Cyber Risk Services practice. Mr. Thomas has more than sixteen years of experience in the field of information systems, with the last seven years focused on helping design and implement information technology risk management and information security programs for Deloitte s most significant complex, regulated, global financial services clients. Mr. Thomas provides counsel to senior leaders and Boards of some of Deloitte s largest banking, insurance and real estate clients on various cyber security-related matters. Mr. Thomas was formerly in Deloitte s technology risk management center of excellence where he was responsible for building out the firm s information security and technology risk advisory client delivery capabilities. Mr. Thomas holds a Bachelor of Science in Business Administration from Miami University in Oxford, Ohio.

5 The innovations that drive growth also create cyber risk Threat actors exploit weaknesses that are byproducts of business growth and technology innovation. o o o o o M&A or corporate restructuring New customer service and sales models New sourcing and supply chain models New applications and mobility tools Use of new technologies for efficiency gains and cost reduction Perfect security is not feasible. Instead, reduce the impact of cyber incidents by becoming: o SECURE Enabling business innovation by protecting critical assets against known and emerging threats across the ecosystem o VIGILANT Gaining detective visibility and preemptive threat insight to detect both known and unknown adversarial activity o RESILIENT Strengthening your ability to recover when incidents occur Copyright 2016 Deloitte Development LLC. All rights reserved. Cyber threats are asymmetrical risks Small, highly skilled groups exact disproportionate damage They often have very targeted motives They re spread across the globe, often beyond the reach of law enforcement Threat velocity is increasing The window to respond is shrinking Rather than being a necessary burden, the cyber risk program should be viewed as a positive aspect of managing business performance.

6 Executives must set risk appetite and focus on what matters It starts by understanding who might want to attack, why and how Who might attack? What are they after, and what are the key business risks I need to mitigate? Cyber Risk Program and Governance SECURE Are controls in place to guard against known and emerging threats? What tactics might they use? VIGILANT Can we detect malicious or unauthorized activity, including the unknown? Copyright 2016 Deloitte Development LLC. All rights reserved. RESILIENT Can we act and recover quickly to reduce impact? Theft of intellectual property or strategic plans Financial fraud Reputation damage Business disruption Destruction of critical infrastructure Threats to health & safety Governance and operating model Policies and standards Management processes and capabilities Risk reporting Risk awareness and culture Threat intelligence Security monitoring Behavioral analysis Risk analytics Cyber criminals Hacktivists (agenda driven) Nation states Insiders / partners Competitors Skilled individual hacker Spear phishing, drive by download, etc. Software or hardware vulnerabilities Third party compromise Multi-channel attacks Stolen credentials Incident response Forensics Business continuity / disaster recovery, crisis management Perimeter defenses Vulnerability management Asset management Identity management Secure software development

7 What does this mean for commercial real estate (CRE)? Interconnected smart buildings, leveraging new technology such as the Internet of Things (IoT), increases a CRE organization s cyber risk exposure to securely protect the integrity and availability of the building ecosystem. Building Systems Interconnected ecosystem Infrastructure Sensors, cabling, wireless, data center, communication rooms, etc. Information & Communication Technology Systems Business Systems Cyber risk implications for CRE companies Building systems needs to be securely protected from cyber attacks (e.g., malicious modification, eavesdropping) to maintain the integrity and availability of building operations Compromised building systems (e.g., fire suppression system, alarm system) may cause physical damage and/or put tenants safety at risk Building management system, HVAC controls, access control, security/closed circuit television, fire alarm, utilities Infrastructure network, servers, etc. Office automation , internet Telephony voice, fax, SMS ERP systems, material requirements planning, customer relationship management, etc. Source: IET Intelligent buildings: understanding and managing the security risks Copyright 2016 Deloitte Development LLC. All rights reserved. Compromised building IT systems (e.g., wireless access points) present increased risks that tenants business operations may be disrupted and/or personal data may be stolen The large amounts of personal data collected from tenants needs to appropriately protected and handled to prevent any privacy violations

8 Actions a CRE company can consider taking 1 Put an executive at the helm with responsibility for cyber security 2 Focus on high risk user behavior as most of the major security breaches start with a user unintentionally breaching security 3 Segregate the crown jewels convergence is problematic for highly sensitive systems and building management systems New technologies such as cloud computing are inevitable spend time understanding the real security risk to determine how you secure them Conduct simulations to test the cyber risk program s effectiveness, including incident response, breach notification, and crisis management Conduct annual board (or cyber committee) review of cyber risk budgets to determine that the budget for security and cyber risk management aligns with the organization s risk profile and appetite 7 Annually re-evaluate the use and need for cyber insurance 8 Conduct annual independent reviews of cyber risk programs, to evaluate and benchmark against peers, as well as industry leading practices Copyright 2016 Deloitte Development LLC. All rights reserved.

9 Question & Answer

10 Give Us Your Feedback for this Session! Session evaluations are available on your chair. Please take a moment at the end of this session to provide your feedback on the content and speakers. Evaluations can be handed in to a NAIOP staff member at the back of the room. Thank you!

11 This presentation contains general information only and Deloitte is not, by means of this presentation, rendering accounting, business, financial, investment, legal, tax, or other professional advice or services. This presentation is not a substitute for such professional advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified professional advisor. Deloitte shall not be responsible for any loss sustained by any person who relies on this presentation. About Deloitte Deloitte refers to one or more of Deloitte Touche Tohmatsu Limited, a UK private company limited by guarantee ( DTTL ), its network of member firms, and their related entities. DTTL and each of its member firms are legally separate and independent entities. DTTL (also referred to as Deloitte Global ) does not provide services to clients. Please see for a detailed description of DTTL and its member firms. Please see for a detailed description of the legal structure of Deloitte LLP and its subsidiaries. Certain services may not be available to attest clients under the rules and regulations of public accounting. Copyright 2016 Deloitte Development LLC. All rights reserved.