In a world that now uses technology in every aspect of business, from accounting and payment processing to personal data storage, there has been a large rise in cybercrime and, in turn, a need for cyber liability insurance. What is cyber liability? It is a combination of coverage options that include errors and omissions, media liability, network security, and privacy, which are typically excluded from your regular General Liability, Directors & Officers, and Employee Theft/Crime insurance policies. Broken down, these combined coverages help protect your Association by addressing legal fees and expenses, notifying your members if there is a data breach, recovering compromised data, repairing damaged computer systems, and more. According to a recent study by First Date, the average cost of a cyber claim for a medium-sized business is around $86,500, with just the forensic examination ranging from $20,000 to $50,000.
When I discuss Cyber Liability Insurance with my clients, the first response I get is “Why would they attack us? We’re just a community association.” Most people and small businesses believe they will not be the target of cyber-attacks because they are only familiar with large organizations like Home Depot and Equifax as the targets of these types of attacks. What most people don’t know is that as of 2017 more than half of the small businesses in the U.S. experienced a data breach and 55% experienced a cyber-attack. This applies to community associations because they are classified as small businesses and the management companies they employ are often small businesses.
Why Associations are Targets:
Associations typically collect individuals’ credit scores, social security numbers, bank account information, tax information, previous residential information, and work history when approving a new resident. After they are approved, all this information is stored in either the Association’s or the property manager’s data management system, which makes it an easy target for hackers. Additional information sought by attackers is listed below.
- Bank Account & Routing Info
- Credit Card Numbers
- E-mail addresses
- Driver’s License Numbers
- Property Values
According to All Property Management, the most common types of attacks against associations are email scams, phishing, viruses, Trojan horses, and botnets. These are types of hacks that come through via spam emails or pop up on your computers.
A quick claim example: say a board member or employee of a management company receives an email from what they think is their bank, notifying them of issues with their account. The employee is concerned and clicks the link, which leads to a webpage that says it was just an error and there is no issue, so all concern is gone. What actually happened when they clicked the link was that a spyware virus was transferred to the individual’s computer, where a hacker can now take endless screenshots and recordings of everything that happens on that computer, including access to passwords and banking information. That hacker can also send e-mails with fake invoices to be paid to bank accounts that appear to belong to vendors.
Real World Threats:
- Board member or manager loses a laptop or iPhone containing bank account numbers or passcodes
- An Association employee leaves a file containing confidential unit owner information lying open on a desk
- Phishing e-mails to association members (Claim Example from Above)
- E-mails accidentally sent to all members containing confidential unit owner info
- Cyberthief hacks association/mgmt. entity computer system
Cyber Liability Insurance:
Everything that we have discussed above would be excluded under most standard Association liability policies. To address the concern of cyber liability, Associations can purchase a stand-alone policy, or some insurance companies will offer endorsements on their Directors & Officers or Crime policies.
Insurance Coverages Provided by Cyber Liability Policies:
- Loss of income reimbursement – When the computer system is down and the association cannot collect fees that are paid online.
- Cost to Repair Computer Systems – Actual cost incurred when repairing hardware or software damaged by a cyber attack.
- Notification of affected owners, employees, and vendors – This could include the cost of mailings or other means of notification.
- Member credit monitoring – This policy would pay for a year of credit monitoring for all the members affected by a data breach.
- Crisis management and public relations – This covers the cost of hiring a company to get information about the data breach out to the members and to minimize the damage to the association’s reputation. These experts will work towards restoring confidence in the owners and in the community.
- Forensic and legal services – This policy will pay for experts to assist in determining if there was a regulatory breach and will help with compliance.
- Social Engineering – Voluntary parting of funds because of phishing.
- Defense Cost – Cost associated with any lawsuits brought against the Association because of a data breach.
Common Sense Risk Management:
- If the Association offers Wi-Fi in common areas, make sure it’s password secured
- Implement virus protection on all board member and employee computers
- Change passwords every 90 days
- Collect only the data you need and only store it for as long as necessary
- Encrypt e-mail communications containing personal or confidential information
Cyber threats are only going to increase as technology continues to play a more prominent role in everyday life. Associations should educate themselves on the threats posed to their community and the tools available to combat these threats. Don’t believe it can’t happen to you!
-Robert Mitchell, CIC, CRM, MS-RMI