The world of cyber threats often seems dark and mysterious. We hear about cyber-attacks regularly. But how can we protect ourselves?
The following article, written by Lauri Ryder, CIC, CRM, CMCA, EB Real Estate Practice Leader at Sahouri Insurance, was published in the October 2022 edition of WMCCAI's Quorum Magazine.
What you will learn:
- What are cyber/data breaches?
- How do breaches expose your community's privacy?
- Cyber insurance coverage to consider
- Steps to take if your community experiences a breach
What are cyber/data breaches?
First, we need to understand what cyber breaches and data breaches entail. Essentially, it boils down to an unauthorized party gaining access to information that should be private. The word “cyber” is a bit deceptive. It might be easier to think of this as a “privacy breach” instead. Confidential data can be digital or in paper format. An association must protect any information that should be private. Even if there is a third-party property management firm, it is still the association’s responsibility to understand how the information is being protected.
Privacy Breach Exposure
Second, we need to understand how we are exposed to the threat of a privacy breach. While hacking is an issue, the most common digital threat is much more banal and comes to you via your email inbox. All of us have seen emails with suspicious links or attachments we were not expecting. Sometimes they can appear to come from people or systems that we trust.
The best way to mitigate this risk is to call your vendor to confirm before clicking on the link or opening the file. Spoofed emails often include falsified contact information. Don’t use phone numbers listed in the email if they are different from what you have on file.
Sometimes exposure is caused by employee error. You can mitigate this risk by having a policy resolution identifying who is given access to private data, how it should be managed, how often passwords should be updated, any websites that will be blocked, etc. Cybersecurity awareness training should be provided to employees.
There are also physical threats to consider. Computers accessing confidential data should be screen locked when unattended. Password lists should not be kept on your desk. Private paper documents should not be left in public view. Your IT professional should be able to quickly “brick” your laptop or mobile device if stolen. This is not an exhaustive list; your IT professional can provide you with a detailed plan to mitigate these and other risks.
Cyber Insurance Coverage to Consider
Third, we need to understand the available insurance coverage. Unfortunately, there is still little standardization in cyber liability policies. At a minimum, consider the following coverage:
- Network Security & Privacy Liability and Defense – Board members and property managers should be included as insureds.
- Forensic Investigation – Immediate forensic work is essential to remediate damage.
- Notification & Expenses – Each state has individual requirements for notification. Most will require at least 365 days of credit monitoring; others require a call center for concerned parties. (Check with your attorney for details on your state.)
- Regulatory Expenses, Fines, & Penalties – Governmental agencies or authorities can require investigation due to breach and/or levy fines and penalties.
- System Damage – Steps should be taken to reconstruct data and prevent future breaches. New hardware or software may be needed.
- Cyber Extortion – A ransomware event could threaten the dissemination or destruction of data if payment is not received.
- Public Relations – A significant breach that garners media attention may affect unit sales or rentals. You may need the aid of a PR firm to positively affect public opinion.
- Cyber Crime – A breach could mean that an unauthorized party has access to your banking. You’ll want coverage for theft of funds due to the breach.
What Steps Should You Take if You Have a Breach?
- If you have a Cyber Insurance policy – Contact your insurance carrier immediately. Your adjuster will assign a forensic expert and data breach attorney to guide you. Your assigned forensic expert will require the cooperation of your IT professionals.
- If you are unsure whether you have Cyber Insurance – Contact your insurance agent. Some package policies include sub-limits for data breach or data compromise. Your agent can advise if coverage exists, and help you file a claim if necessary.
- If you do not have Cyber Insurance – Contact your IT professional and your association's legal counsel. They will walk you through the system repairs & updates, investigation, and any regulatory requirements for notification, credit monitoring, etc.
As always, if you have a specific question please reach out to your professional partners – IT, legal counsel, and your insurance agents or brokers. October has been named Cybersecurity Awareness Month by the Cybersecurity & Infrastructure Security Agency. Visit their website at cisa.gov/cybersecurity-awareness-month for more details.
About the Author
Lauri Ryder is the real estate practice leader for Sahouri Insurance & Financial and has 15+ years of experience in the real estate insurance industry specializing in homeowners and condominium associations. Prior to moving to insurance, she worked in community association management which she believes gives her a unique perspective as a business partner.
Lauri believes that it’s important to continue to expand her knowledge base. In her quest for learning, she has earned several designations: The CMCA (Certified Manager of Community Associations), the CIC (Certified Insurance Counselor), and the CRM (Certified Risk Manager). Fun Fact: Lauri believes you can find beauty anywhere and loves to take photographs that prove it.
"Washington Metropolitan Chapter Community Associations Institute’s monthly magazine is packed with articles and columns designed to help our readers preserve, protect, and enhance their communities by running productive meetings; enforcing rules in a consistent yet reasonable way; becoming familiar with the legislative and regulatory pressures facing the industry; planning and budgeting for repairs and replacements; performing preventive and ongoing maintenance, and understanding historical and contemporary trends in common interest development."