Don’t overlook the 'G'

By Steph Yates

The real estate industry has made significant strides in embedding ESG principles into investment decision-making (perhaps pretend you didn’t read that line if you are in the US). Environmental credentials are scrutinised at acquisition, social impact is measured and reported, and governance frameworks are increasingly demanded by institutional investors and regulators alike. Yet within that governance conversation, one area remains absent: cyber security.

15 years of consulting means that I now gap analyse everything, and this one has sirens and red flashing lights blaring.

For fund and asset managers, governance obligations are not optional: they include how data is protected, operational risk mitigation, and how businesses demonstrate to investors that their controls meet the expected standard. Cyber risk sits squarely within that remit, and its importance is growing.

Real estate businesses hold some of the most sensitive data in the financial ecosystem: ownership structures, fund performance, acquisition pipelines, tenant information etc. A cyber incident during a fundraise or transaction is not just an IT inconvenience, it is a governance failure, and investors are starting to treat it as one.

New and improved regulation reinforces this. DORA (the Digital Operational Resilience Act), the FCA, and the ICO are all placing greater emphasis on operational resilience and cyber security. Businesses subject to this regulation cannot afford to treat cyber security as someone else's problem.

Practical steps exist. The UK Government's Cyber Essentials framework provides a structured, independently verified approach to establishing and demonstrating baseline cyber controls. At its higher tier, Cyber Essentials Plus, businesses undergo rigorous external testing of their systems and processes, providing a credible and recognised signal of operational maturity.

We are proud to have achieved Cyber Essentials Plus certification, and we see it as a natural extension of the governance standards we hold ourselves to on behalf of our clients.

If cyber security isn't yet part of your ESG governance conversation, it may be time to put it on the agenda.

For more information on this, please contact Step Yates.

Register for our newsletter: