Associations handle personally identifiable information on a daily basis. This data includes homeowner names, addresses, bank account information, credit card numbers, credit histories, and Social Security numbers, which are very attractive for cyber criminals.
As data thieves grow more sophisticated in their tactics, the potential risks of a data breach increase for an association.
The Foundation for Community Association Research, reports that more than half of homeowners associations have policies and procedures in place to collect, store, and protect homeowners’ personal data.
More than half (52%) of all data breaches result from hacking, which occurs when an unauthorized user accesses a computer network for illicit purposes, according to Verizon’s 2019 Data Breach Investigations Report. This can happen either externally (by a cyber criminal from an outside entity) or internally (by an association board member).
32% percent of breaches occur due to phishing, where a cyber criminal sends an email designed to mimic that of a financial institution or otherwise trusted resource. If a board member believes the email is authentic and provides login credentials as requested, the data thief has all the information he or she needs to access association accounts. Phishing schemes have become more effective as fraudsters refine their strategy.
In every piece of sensitive data, cyber thieves see dollar signs. According to Verizon, 71% of breaches are financially motivated.
But don’t make the mistake of thinking breaches only happen to large companies. Ponemon Institute’s 2018 State of Cybersecurity in Small and Medium Size Businesses report shows that 58% of small-to-mid-size businesses (companies employing between 100 to 1,000 people) experienced a data breach during fiscal year 2018, up from 54% in 2017.
No matter how well-intentioned board members may be, they could be one mistaken email away from falling for a phishing scheme and causing a data breach. That’s why protecting your association and its board is paramount. Thankfully, you can take steps to protect both your personal liability and that of the association in the event of a breach.
Start by reviewing your association’s insurance coverage. Board members may think their association’s directors and officers (D&O) policy offers protection. While these policies provide liability coverage for claims when individual members (or the entire board) fail to act or act wrongfully on the association’s behalf, they do not cover cyber liability unless it’s specifically listed within the policy.
The association’s crime and fidelity policy, which protects the money in the association’s accounts, may provide some coverage depending on the endorsements included in each association’s plan. Ensure your association’s crime policy includes the following:
Computer fraud. Covers loss of money, securities, and property as a result of using a computer to fraudulently transfer funds from inside the association or banking premises to outside the premises.
Funds transfer fraud. Covers losses resulting from theft of association funds by means of a fraudulent communication, such as a phishing email.
Fraudulently induced transfers. Covers losses due to any act that influences a person to take actions that may or may not be in their best interest, such as replying to social engineering threats.
Associations also should consider cyber liability coverage if it’s not specified in their D&O policy. Look for policies that provide first-party (losses and damages to the association) and third-party (losses and damage to outside entities) coverage. These will cover many of the expenses of data breaches, including legal and forensic services, regulatory expenses, notification costs, crisis management, and credit monitoring for all affected parties.
Most cyber liability policies will include a retroactive date; if a claim happens prior to that date, your association won’t be covered. This is an important stipulation to consider, especially since 56% of all breaches take months to discover, Verizon notes.
In addition to reviewing the association’s insurance coverage, board members can take multiple steps to improve data security.
■ Make sure all personally identifiable information is encrypted and stored in a secure server.
■ Talk with your manager about the data security requirements that are in place.
■ Use complex passwords with lowercase letters, uppercase letters, numbers, and special characters.
■ Implement two-factor authentication that requires users to log in twice from two different devices.
■ Give administrative privileges or personally identifiable information access only to board members whose specific roles require it.
■ Engage an outside cybersecurity firm that can monitor association data and alert the board of any concerns, if funds allow.
The risk of data breaches grows every year, and homeowners trust a community association’s board to keep their information safe. Don’t break that trust. Taking steps to prevent cyber attacks will save board members and residents from agonizing and expensive headaches down the road.