Half of managers have dedicated Chief Security executive; one-third require multifactor authentication in-office

NAREIM Member Survey

Data Security, July 2021


Almost three quarters of real estate investment managers have either a dedicated or designated Chief Information or Chief Security officer, according to the latest NAREIM member survey – with half creating a standalone position within their firm.


As corporations across the globe upgrade security systems amid increasingly sophisticated cyberattacks, real estate investment managers are also prioritizing data security – with multifactor authentication emerging for in-office access, as well as the requirement by institutional investors for third-party audits of security processes.


During a NAREIM member survey, conducted between July 16 and July 29, members were asked about the resources for information security as well multifactor authentication and SOC certifications. The survey was initiated by a NAREIM member following LP DDQ questions.


Download the survey results here.


Key takeaways include:

  • More than half of survey participants have a dedicated Chief Information or Chief Security Officer in position, while just under one fifth of managers had designated resources. A further 18% outsource the functional role provided by a Chief Security or Information Officer.

  • All NAREIM members required multifactor log-in for remote access to corporate systems. However, just one third of managers required multifactor authentication for logging onto systems while in the office.

  • Almost three-quarters of survey participants prevented employees from installing software on their own computers, with eight out of 10 participants saying they prevented employees from installing software on the core systems. Just two members said IT administrators were allowed to access the core systems, with both using separate accounts or elevated privilege accounts (and not everyday logins) to provide access.

  • SOC certifications. Service Organization Control certificates are issued by CPAs and governed by the AICPA and provide a third-party audit of the design and controls around an investment manager's systems. Almost four-fifths of survey participants said they were not SOC certified, with one citing cost as a reason. Just two survey participants said they were certified, with one member saying they already had SOC 2 certification and were in the process of gaining SOC 1. The other member said the open-ended fund had SOC 1, while the parent company had SOC 2 certification.


NAREIM members often reach out to ask their peers about pressing concerns impacting their business.


Data security, including authentication of systems for remote and in-office log-in, as well as the type of personnel dedicated or designated as lead Information Security executives are of increasing interest to LPs during due diligence. We invited members to share their best practices regarding Data Security strategies between July 16 and July 29, 2021. A total of 11 member organizations submitted data representing more than $200bn of AUM.


All survey answers are provided anonymously - to both fellow members and NAREIM.


Download the survey results here.

Download the submitted responses here.