Cyber Essentials for Estate Agents, Letting Agents, and Property Firms
Estate agencies, letting agents, property managers, and surveying firms sit on an unusually sensitive mix of personal data: IDs, passport scans, proof of address, bank details, AML documentation, tenancy references, property keys and access codes, client valuations, and confidential offer and pricing information. That combination, plus the regulatory overlay (HMRC AML supervision, CQS for property lawyers, PRS codes for letting agents), has pushed Cyber Essentials from optional to expected across much of UK property.
This guide covers what CE means for a property firm, how the controls apply to the typical estate agency or letting agency IT stack, and the specific failures that most often come up during assessment.
Why property firms are being asked for Cyber Essentials
HMRC AML supervision. Estate agents, letting agents, and property sales businesses are HMRC-supervised for AML compliance under the Money Laundering Regulations. HMRC has published guidance indicating that AML-supervised firms should have appropriate technical measures in place; CE is the simplest way to evidence this.
Property conveyancer and solicitor expectations. Property solicitors running on CQS (Conveyancing Quality Scheme) requirements increasingly ask estate agency partners for evidence of cybersecurity controls. CE is the standard answer.
Corporate client due diligence. Agencies acting for corporate clients (relocation agencies, lettings handling expat clients, firms managing PRS or BTR portfolios on behalf of institutional investors) face supplier assurance packs that ask about CE.
Cyber insurance. Increasingly a renewal requirement, particularly for agencies that have had claims or that handle client money beyond a nominal threshold.
Franchise or network standards. Larger agency networks (Countrywide, LSL, Foxtons, Hamptons, regional franchise groups) sometimes cascade CE expectations to their branch operations or franchisee estate.
What property firm infrastructure looks like
A typical UK estate or letting agency runs:
Every item holds some form of organisational or personal data and is in scope.
The AML overlap
Property firms are AML-regulated and HMRC-supervised. The documents collected for AML — passport scans, address proof, source of funds documentation — are among the most sensitive categories of personal data. Losing a customer's passport scan is both a GDPR breach and an AML compliance issue.
CE does not prescribe specific AML data handling, but assessors will probe:
Firms that use dedicated AML tooling (Credas, SmartSearch, Thirdfort, Yoti) usually have a cleaner posture because the data stays inside the tool rather than being pulled into email attachments.
The Rightmove / Zoopla / OnTheMarket accounts question
These platform accounts are in scope. They hold organisational data (listings, vendor / landlord names, pricing) and they are accessed by named users on each agency's team. MFA needs to be enforced; leaver processes need to reach these platforms; no shared accounts.
A common gap: each branch has a single "Rightmove account" that the whole branch team uses — shared login, shared password, no MFA. This fails. Each named user should have their own credentials, with MFA, and with individual accounts deprovisioned on leaver.
All three major UK property portals support MFA and per-user accounts. If your agency is on shared credentials, switching to individual is the first remediation action.
BYOD and the negotiator-on-the-move question
Estate agents and letting negotiators are frequently on the move between properties. Laptop use is often in hybrid mode — laptop in the office, phone in the field. Some agencies also issue tablets for valuations.
BYOD for work email is common — a negotiator checks email on a personal iPhone between viewings. Under v3.3, that phone is in scope for CE. The workable positions are the usual BYOD options:
1. Bring personal phones into MDM coverage (many negotiators will resist this)
2. Restrict email access so only managed devices (corporate iPhones enrolled in MDM) can connect
3. Ban personal-device email access, provide corporate phones to all field staff
Most progressive agencies are moving to Option 2 — corporate-issued phones with MDM for field staff, restricted email access for personal devices. This is more comfortable for staff than trying to MDM personal phones and cleaner for compliance than ignoring BYOD.
Cash handling and client money protection
Property firms handling client money (letting agents with deposit protection, sales agents holding holding deposits, service charge accounts, deposit protection schemes) have an additional layer of regulatory expectation around protection of that money. CE does not cover client money scheme compliance (TDS, DPS, mydeposits, PRS Mediation, Propertymark CMP) but it addresses the cybersecurity risks that could lead to fraud or diversion of funds — business email compromise, invoice fraud, phishing of finance staff.
Agencies that have had fraud incidents involving bank detail changes or diverted deposit refunds are particularly likely to be asked for CE by insurers.
The five property-sector failures I see most often
1. Shared property portal accounts. Rightmove / Zoopla / OnTheMarket access by whole branches on shared logins. Fails user access control.
2. AML documents in email. Passport scans and proof of address attached to emails, stored in inboxes, forwarded to solicitors as open attachments. Both a CE gap and an AML risk.
3. Personal phones for work email without MDM. Every agent's personal iPhone has Outlook or Gmail configured with their work account; none of them are in MDM.
4. Leaver accounts left active on the CRM. Ex-employees still in Jupix, Reapit, or Alto months after leaving. Common because the CRM is managed separately from the main IT, and the person who manages it is not always alerted to leavers.
5. Branch-level inconsistency. The head office has MDM, MFA, and a documented posture. The branch offices each do things slightly differently because "they have their own IT". Inconsistent posture across a multi-branch estate fails during assessment.
Practical path for a property firm
If you run an agency with 5-100 staff:
1. Eliminate shared logins. Every named user on every platform — CRM, property portals, AML tooling — has their own account.
2. Enforce MFA everywhere. This is usually the biggest remediation task. It affects the CRM, the portals, M365/Google, AML tools, accounting, and everything else.
3. Move AML documents inside dedicated platforms. Stop attaching passport scans to emails.
4. Address BYOD phones. Enrol in MDM or restrict access.
5. Run a leaver reconciliation. Particularly on the CRM and portal accounts, which are often missed.
6. Consolidate branch posture. If you run multiple branches, enforce a consistent configuration across the estate via group policy or MDM.
7. Submit. CE micro (1-9) £299.99 + VAT; small (10-49) £399.99 + VAT; medium (50-249) £449.99 + VAT.
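One way to run the shared-login, MFA and leaver checks from steps 1, 2 and 5 across every platform at once. This is an added example, not from the original article: it assumes each platform (CRM, portals, AML tooling) can export its user list and that the export is flattened into the CSV layout below, with one row per login and the staff email it belongs to; the HR list and export rows are constructed sample data.

```python
import csv
import io
from collections import defaultdict

# Constructed sample data, not real exports. Assumed layout: one row per
# login on each platform; owner_email is blank for shared/generic logins.
HR_ACTIVE = {"amira@example-agency.co.uk", "tom@example-agency.co.uk"}

ACCOUNT_EXPORT = """platform,login,owner_email,mfa_enabled
Rightmove,highstreet-branch,,no
Rightmove,amira.k,amira@example-agency.co.uk,yes
Zoopla,tom.r,tom@example-agency.co.uk,no
CRM,sarah.m,sarah@example-agency.co.uk,yes
AML tool,amira.k,amira@example-agency.co.uk,yes
"""


def audit_accounts(hr_active, export_text):
    """Group every login by the CE failure it maps to.

    hr_active: set of email addresses HR currently lists as employed.
    export_text: CSV text in the assumed platform,login,owner_email,mfa_enabled layout.
    Returns a dict with keys shared_login, leaver_active and no_mfa.
    """
    findings = defaultdict(list)
    for row in csv.DictReader(io.StringIO(export_text)):
        ref = f"{row['platform']}:{row['login']}"
        owner = row["owner_email"].strip().lower()
        if not owner:
            # No named owner: a branch-wide shared login (failure 1)
            findings["shared_login"].append(ref)
        elif owner not in hr_active:
            # Owner no longer on the HR list: leaver still active (failure 4)
            findings["leaver_active"].append(ref)
        if row["mfa_enabled"].strip().lower() != "yes":
            # MFA must be enforced on every platform, not just M365
            findings["no_mfa"].append(ref)
    return dict(findings)


if __name__ == "__main__":
    for failure, refs in audit_accounts(HR_ACTIVE, ACCOUNT_EXPORT).items():
        print(f"{failure}: {', '.join(refs)}")
```

Re-run the audit after each remediation round; an empty result across every platform export is the evidence a leaver reconciliation actually reached the CRM and portal accounts.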
Bottom line
Property is a sector where CE closes real operational risks rather than just ticking a compliance box. Business email compromise, invoice fraud, and AML document leakage are all real and recent risks for UK estate and letting agencies. The controls CE asks for — MFA, leaver processes, managed devices, restricted sharing — directly address those risks.
It is also commercially useful. Firms that hold CE pass corporate client due diligence faster and can evidence AML-supervised cybersecurity posture more cleanly during HMRC engagement. For a sector where trust with clients, landlords, vendors, and insurers is the entire commercial offer, CE is a credibility artefact worth holding.
About the author

Jay Hopkins
Managing Director, Fig Group
Jay Hopkins is the Managing Director of Fig Group and an IASME-licensed Cyber Essentials assessor. He was previously Head of Technology for a global regulated firm. He works with UK organisations across regulated sectors on baseline compliance, supply-chain assurance, and AI-augmented security tooling.