By Pat Bruen
If you’re like most association board members, you probably think you have a good handle on potential risks the association might face. Concerns such as injuries from accidents, disputes among neighbors, and potential lawsuits against board members may top that list. But there’s a risk too many people overlook: data security.
Associations handle personally identifiable information on a daily basis. This data includes homeowner names, addresses, bank account information, credit card numbers, credit histories, and Social Security numbers, all of which are very attractive to cybercriminals.
As data thieves grow more sophisticated in their tactics, the potential risks of a data breach increase for an association.
The Foundation for Community Association Research reports that more than half of homeowners associations have policies and procedures in place to collect, store, and protect homeowners’ personal data.
According to the Foundation’s report, Wired: 2018 Survey of Cybersecurity in Community Associations, ransomware and phishing are the most common forms of attack on community associations. More than half of the communities surveyed reported that fraud and theft are their top concerns.
More than half (52%) of all data breaches result from hacking, which occurs when an unauthorized user accesses a computer network for illicit purposes, according to Verizon’s 2019 Data Breach Investigations Report. This can happen either externally (by a cybercriminal from an outside entity) or internally (by an association board member).
Thirty-two percent of breaches occur due to phishing, where a cybercriminal sends an email designed to mimic that of a financial institution or otherwise trusted resource. If a board member believes the email is authentic and provides login credentials as requested, the data thief has all the information he or she needs to access association accounts. Phishing schemes have become more effective as fraudsters refine their strategy.
An emerging type of data breach is called social engineering. Here, a cybercriminal sends an email that evokes fear or urgency in a board member, essentially conning him or her into divulging personally identifiable information. That email is often one of many steps in a more complex fraud scheme.
In every piece of sensitive data, cyber thieves see dollar signs. According to Verizon, 71% of breaches are financially motivated.
But don’t make the mistake of thinking breaches only happen to large companies. Ponemon Institute’s 2018 State of Cybersecurity in Small and Medium Size Businesses report shows that 58% of small-to-mid-size businesses (companies employing between 100 and 1,000 people) experienced a data breach during fiscal year 2018, up from 54% in 2017.
Data thieves know that even large companies struggle to control data breaches. They also know that small businesses have fewer resources to prevent them. That’s what makes community associations a prime target.
Even a small data breach can bring big expenses. Ponemon estimates the average data breach cost a small- or medium-size business $1.43 million in 2018. For associations, those costs may include compensation to association members whose information was stolen, fines for stolen credit card information if the association didn’t comply with payment card industry regulations, and myriad legal defense costs.
No matter how well-intentioned board members may be, they could be one mistaken email away from falling for a phishing scheme and causing a data breach. That’s why protecting your association and its board is paramount. Thankfully, you can take steps to protect both your personal liability and that of the association in the event of a breach.
Start by reviewing your association’s insurance coverage. Board members may think their association’s directors and officers (D&O) policy offers protection. While these policies provide liability coverage for claims when individual members (or the entire board) fail to act or act wrongfully on the association’s behalf, they do not cover cyber liability unless it’s specifically listed within the policy.
The association’s crime and fidelity policy, which protects the money in the association’s accounts, may provide some coverage depending on the endorsements included in each association’s plan. Ensure your association’s crime policy includes the following:
Computer fraud. Covers loss of money, securities, and property as a result of using a computer to fraudulently transfer funds from inside the association or banking premises to outside the premises.
Funds transfer fraud. Covers losses resulting from theft of association funds by means of a fraudulent communication, such as a phishing email.
Fraudulently induced transfers. Covers losses due to any act that influences a person to take actions that may or may not be in their best interest, such as replying to social engineering threats.
Associations also should consider cyber liability coverage if it’s not specified in their D&O policy. Look for policies that provide first-party (losses and damages to the association) and third-party (losses and damage to outside entities) coverage. These will cover many of the expenses of data breaches, including legal and forensic services, regulatory expenses, notification costs, crisis management, and credit monitoring for all affected parties.
Most cyber liability policies will include a retroactive date; if a claim happens prior to that date, your association won’t be covered. This is an important stipulation to consider, especially since 56% of all breaches take months to discover, Verizon notes.
In addition to reviewing the association’s insurance coverage, board members can take multiple steps to improve data security.
■ Make sure all personally identifiable information is encrypted and stored on a secure server.
■ Talk with your manager about the data security requirements that are in place.
■ Use complex passwords with lowercase letters, uppercase letters, numbers, and special characters.
■ Implement two-factor authentication that requires users to log in twice from two different devices.
■ Give administrative privileges or personally identifiable information access only to board members whose specific roles require it.
■ Engage an outside cybersecurity firm that can monitor association data and alert the board of any concerns, if funds allow.
The risk of data breaches grows every year, and homeowners trust a community association’s board to keep their information safe. Don’t break that trust. Taking steps to prevent cyberattacks will save board members and residents from agonizing and expensive headaches down the road.
Pat Bruen is product manager for Distinguished Programs’ community associations program.