Skip to content
INDEX8 READINESS RESEARCH · FIELD BRIEF

Real estate operational security in 2026

Wire fraud, privacy rules, workplace AI, system access, and cyber insurance are converging on the same small teams. We read the public record and mapped what it means for how a brokerage gets ready, and where Index8 helps.

The picture

Real estate has quietly become a data business. A single transaction now gathers bank details, government IDs, and financial records, moves large sums on a fixed schedule, and touches a dozen connected tools and a mobile workforce.

The tools are point solutions. What has been missing is a single place to write down what a team does, keep the proof that it does it, and show that picture when a client, a broker, or an underwriter asks. This brief reads the public research on five converging pressures and maps each to where Index8 helps.

A hand-colored plate of two black-throated magpie-jays on a branch
John James Audubon, Columbia Jay (Plate 96), 1831. Public domain.
Transaction risk

Wire fraud targets the closing window

The costliest attacks in real estate do not break systems. They wait for the moment money is about to move, then change where it goes.

Business email compromise follows a familiar shape. An attacker studies a pending transaction from public listings and records, gains access to an inbox, watches the closing timeline, and sends new wiring instructions right before funds are due. By the time anyone notices, the money has moved through several accounts.

The public record shows the scale. The FBI's Internet Crime Complaint Center logged real estate fraud losses well above the prior year, CertifID's 2026 report found a large share of homebuyers received a suspicious message during closing, and Coalition attributes most cyber insurance claims, by volume, to email compromise and funds-transfer fraud. The steadying response is not a filter. It is a written verification step every agent and coordinator follows the same way.

$275.1M
in reported U.S. real estate fraud losses in 2025, up from $173.6M the year before
FBI Internet Crime Complaint Center (IC3), 2025
~1 in 4
homebuyers received a fraudulent or suspicious message during their closing
CertifID, 2026
~60%
of cyber insurance claims, by volume, tie to email compromise and funds-transfer fraud
Coalition, 2025
How Index8 helps

Index8 helps a brokerage turn wire-fraud awareness into a written verification procedure the whole team follows, and keeps the training records that show the work.

Regulatory landscape

Federal and state rules are converging on small teams

A brokerage that offers settlement, mortgage, or appraisal services can fall under federal data-security rules, and a single out-of-state client can pull it under another state's privacy law.

The FTC's Safeguards Rule sets data-security expectations for non-bank financial institutions, a category that can include brokerages offering ancillary services like settlement, mortgage, or appraisal. It points to a named person accountable for the program, written risk assessments, access controls, multi-factor authentication, encryption, activity logging, and a defined retention and disposal schedule.

At the state level, DLA Piper's 2026 review counts a growing patchwork of comprehensive consumer privacy laws, each with its own thresholds and timelines. Because agents routinely represent out-of-state buyers and sellers, a brokerage's obligations can follow the client rather than the office, and several states have let their post-incident cure periods expire. None of this is legal advice. It is a reason to keep written policies and their supporting records current and in one place.

22
comprehensive U.S. state consumer privacy laws as of 2026
DLA Piper, 2026
$50,120
maximum civil penalty per violation under the FTC Safeguards Rule
U.S. Federal Trade Commission, Ongoing
30 days
FTC notification window after a qualifying incident affecting 500 or more consumers
U.S. Federal Trade Commission, Ongoing
How Index8 helps

Index8 gives a brokerage one place to keep its written policies, its data-handling and retention notes, and the supporting evidence behind them, so the picture is current when someone asks. Adapt the specifics with qualified counsel.

AI governance

AI is already in daily use, and Fair Housing still applies

Most agents now use AI every week. The law that governs housing decisions does not change because a model wrote the first draft.

NAR's 2025 technology survey found that most real estate professionals now use AI in their work each week, led by general-purpose assistants. Much of that use is informal, tool by tool, without written rules for what data goes in or who reviews what comes out.

HUD's 2024 guidance is a reminder that the Fair Housing Act reaches algorithmic tenant screening and ad targeting, and that a neutral-looking model can still produce a result that harms a protected group. The steadying practice is human review: a person makes the final call on any adverse housing decision, and the team keeps a written record of the rules it follows and the tools it has approved.

~69%
of real estate professionals use AI in their work each week
National Association of REALTORS®, 2025
How Index8 helps

Index8 helps a team write down what AI is approved for, what data stays out, and who reviews AI-assisted work before it reaches a client, then capture the acknowledgment.

Access and offboarding

The stack is fragmented, and departures leave doors open

A brokerage runs on a dozen connected tools and a mobile, high-turnover workforce. The riskiest moment is often the day an agent leaves.

Email, e-signature, CRM, MLS, transaction management, and cloud storage each hold a piece of the client record, and agents connect new tools on their own. Verizon's 2025 report found a third party involved in a rising share of breaches, alongside more incidents tied to software left unpatched.

When an agent departs, access often lingers. A disciplined joiner-mover-leaver routine closes the gap: mark the person's status, hand off active files, revoke access across every connected system, and invalidate old tokens and credentials so a former device can no longer reach the systems of record.

~30%
of breaches involved a third party in 2025, roughly double the prior share
Verizon, 2025
How Index8 helps

Index8 gives a brokerage a repeatable access and offboarding checklist, with a record of who has access to what and when it was last reviewed.

Insurance readiness

Softer pricing, stricter proof

Cyber insurance got a little cheaper and a lot more demanding about evidence. The gap now is documentation, not intent.

NAIC's 2025 report recorded the first contraction in U.S. cyber premium, alongside a rising claim count for the year. Softer pricing has not loosened underwriting: carriers now expect multi-factor authentication everywhere, endpoint monitoring, immutable backups, a tested restore, and a written incident response plan, and they ask for evidence of each.

The hard part for a small team is producing that evidence on the renewal clock. A share of claims are reduced or declined when the controls a policyholder attested to cannot be shown in practice, which makes organized, current documentation its own form of readiness. Carriers still make their own coverage and pricing decisions.

$9.14B
U.S. cyber insurance direct written premium in 2024, down about 7%
National Association of Insurance Commissioners (NAIC), 2025
~50,000
U.S. cyber insurance claims reported for the year
National Association of Insurance Commissioners (NAIC), 2025
How Index8 helps

Index8 helps a brokerage organize the evidence a renewal questionnaire asks for, so the proof is ready before the deadline.

Bringing it together

One readiness picture, four levers

These are not five separate projects. They are one operating question: can your team show what it has in place when someone asks?

Governance frameworks like COSO, OCEG, and the NIST AI Risk Management Framework describe the same idea for large organizations. Treat risk as an ongoing discipline, not a binder you update once a year. A small brokerage needs the plain version of that, not the enterprise apparatus.

Index8 organizes readiness around four levers: people and training, systems and access, policies and documentation, and response and recovery. Each theme above maps onto one of them, so wire fraud, privacy, AI, access, and insurance become parts of one picture a person can keep current and explain.

How Index8 helps

Start with a short check, then organize the work behind one readiness summary.

About this brief

What this brief is

A plain-language summary of public research on the risks facing small real estate teams, with pointers to where Index8 helps a brokerage get ready. It is educational. It is not legal, insurance, or cybersecurity consulting advice.

Where the numbers come from

Every figure is attributed to a named third-party report and reflects that source as of its publication. Index8 summarizes this research for education and does not independently verify the figures. Sourcing is being confirmed with each publisher before this brief is treated as final.

What it does not claim

Nothing here determines that a team is ready, in compliance, or covered. Index8 organizes readiness and documentation. It does not certify readiness, determine compliance, prevent fraud, or promise any insurance outcome. Carriers, regulators, and courts make their own decisions.

How to use it

As a starting point for a conversation with your team, your broker, or a qualified advisor about what to write down, review, or organize next. Start with a short readiness check and go from there.

Sources

Figures above are drawn from the third-party reports cited here and reflect those sources as of their publication dates. Index8 does not independently verify them.

  1. 01

    FBI Internet Crime Complaint Center (IC3). Internet Crime Report. 2025.

  2. 02

    CertifID. State of Wire Fraud. 2026.

  3. 03

    Coalition. Cyber Claims Report. 2025.

  4. 04

    U.S. Federal Trade Commission. Standards for Safeguarding Customer Information (Safeguards Rule). Ongoing.

  5. 05

    DLA Piper. Data Protection Laws of the World, United States overview. 2026.

  6. 06

    National Association of REALTORS®. REALTORS® Technology Survey. 2025.

  7. 07

    U.S. Department of Housing and Urban Development. Guidance on the Fair Housing Act's application to tenant screening and advertising algorithms. 2024.

  8. 08

    Verizon. Data Breach Investigations Report (DBIR). 2025.

  9. 09

    National Association of Insurance Commissioners (NAIC). Cybersecurity Insurance Report. 2025.

  10. 10

    National Institute of Standards and Technology (NIST). AI Risk Management Framework (AI RMF 1.0). 2023.

  11. 11

    Committee of Sponsoring Organizations (COSO). Enterprise Risk Management Framework. Ongoing.

  12. 12

    OCEG. GRC Capability Model (Red Book). Ongoing.

Next step

Turn the readiness gap into a plan.

Start with a short readiness check, then organize the policies, evidence, and training behind one summary you can share.