Cyber attacks: How agents can protect themselves and their client data

Are you protected if the worst happens? Read on to find out how agents can prepare and protect themselves against the threat of cybercrime…

As an agent, it is important to come to terms with the fact that cybercrime is not going away. In fact, it is becoming more prevalent.

Just last year, Optus, Medibank and Telstra were big names to hit headlines after falling victim to cyberattacks.

But it is not just big businesses that are being targeted.

In fact, 96 per cent of all cyber-attacks are directed at small and medium-sized businesses.

The threat has shifted from small scale social engineering scams to large scale extortion, targeting any business that is vulnerable.  

Throw in the fact that recent legislation has changed to increase penalties to up to $50 million for companies who fail to take adequate care of customer data, and it is vital businesses manage and mitigate the exposures that introduce the risk of cybercrime.

The truth is that real estate agents can’t do their jobs unless they collect personal information from their clients.

However, the type of data that real estate agents use is the kind of information that cybercriminals want.

So, if the worst happens, and data is stolen, cyber insurance can step in. 

At EBM RentCover, we don’t offer cyber insurance.

However, we are part of the EBM Group, which includes EBM Insurance & Risk – a division that has qualified brokers, some of whom specialise in cyber insurance.

So, in this article, I chat to Peter McLachlan – Managing Director of EBM Insurance & Risk – to find out how real estate businesses can make an informed decision about cyber cover and what to look out for in a good policy… 

What kind of businesses do cybercriminals target? 

All businesses are at risk – big and small.

Cybercriminals look to target companies that are vulnerable, rather than valuable.

What are the risks to real estate agents and real estate businesses?

Real estate agents manage a lot of data.

If hackers get their hands on personally identifiable information, it can be costly for the targeted business, resulting in reputational damage, costs to fix the root cause of the cyber vulnerability as well as bringing with it government fines and potential lawsuits. 

The most common type of data breach is stolen or compromised private information through phishing and ransomware. 

Phishing is the fraudulent practice of sending emails or other messages pretending to be from reputable companies to persuade individuals to reveal personal information, such as passwords and credit card numbers. 

Ransomware is designed to deny a user or organisation access to files on their computer.

By encrypting these files and demanding a ransom payment for the decryption key, cyber attackers place organisations in a position where paying the ransom is the easiest and cheapest way to regain access to their files.

In recent times, ransomware losses represent 70 per cent of total claims costs, jumping from $60,000 to $600,000.

Who, exactly, is responsible for managing and mitigating cyber-attacks at a business?

It’s important that everyone is aware of the duty of care around the protection of data and what is being done to manage this risk.

However, if we dig deeper, legislation states that responsibility for the protection of data sits squarely with boards and directors. Directors are required to: 

  • Understand cyber risks and the operational, financial and reputational impact on the company.
  • Review systems and processes to ensure the company is prepared to address cyber risks on an ongoing basis.
  • Ensure that the organisation can respond during a crisis to protect the interests of the company.

There must also be a response plan capable of being activated should the worst happen. 

What happens if agents don’t take cybercrime seriously?

There are big fines involved for those who do not adequately care for client data.

In fact, recent changes to Australian privacy legislation, amended and passed by parliament in December of last year, saw penalties jumping from $2.2 million to up to $50 million.

This is the world’s highest fine for contravening privacy laws. 

What are some ways that agents can limit their exposure to cyberattacks?

Real estate professionals need to be particularly careful when storing or disposing of private records.

My top tips would be that agents:

  • Review the data you collect to determine if you need it, then safely remove what you don’t require. 
  • Have a plan that details the type of information to keep, how to secure it, how long to keep it, and how to properly dispose of it once it’s no longer of use.
  • Ensure your IT team has a process for securing private information with encryption, backups, passwords, and firewalls.
  • Plan ahead. This involves a communication plan outlining how to respond if data is stolen. 
  • Train team members to be aware of what cyber risks look like, when they occur, and how to avoid them. For example, ensuring team members always call the number within your own contact records, not the number that may appear in an email or SMS. 
  • Instigate a call back procedure to check new or changed bank details, and importantly, ensure you have verified that the principal contact has requested the changes.
  • Take out a cyber insurance policy. You do what you can to mitigate the risk, but when the worst-case scenario occurs, cyber insurance is there to cover losses to the business and to make sure the business is able to continue during the time it takes to recover.

How does insurance step in?

Cyber insurance is designed to complement your IT efforts to deter cyberattacks.

Insurers are taking different approaches in terms of what they offer and how they respond; however, they can offer one or a handful of options including preventative services, costs to repair and recover your IT systems and data, cover for financial loss arising from a cyber event, cover for liability actions resulting from an attack, and response and resumption services to help businesses get back on their feet.

What should agents look for in a cyber insurance provider?

Understand what the insurer can offer in terms of taking a proactive approach to managing cyber risks, and look at what is covered in the event of an attack and how the insurer will assist you with managing through that situation.

It is critical to have the right coverage that your business needs. 

This should include access to an expert ‘incident response’ panel, who will provide technical resources should an incident occur: IT security experts, forensic investigators, lawyers, and crisis communication specialists who will work together to help you manage the situation and get back online as quickly as possible.

What should they look for in the policy?

Suffering a cyber-attack can ultimately compromise your financial viability.

A good cyber insurance policy should cover your risk exposures and, at the very least, include cover for things like business interruption, loss of data, legal expenses and data recovery. 

Where should agents go if they need help with cyber insurance?

EBM Insurance & Risk can arrange a cyber insurance policy which offers cover for a range of losses.

This article provides general advice only and not personal advice. We have not considered your personal circumstances, objectives, financial situation or needs.


Sharon Fox-Slater

Sharon Fox-Slater is the Managing Director of EBM RentCover, which protects more than 165,000 rental properties across Australia. For more info, visit