Community associations should be prepared for cyberattacks

Cyberattacks are increasing every week and hit every type of business. This means community associations, including, but not limited to, HOAs, Condos, and Coops, all of which are holding personally identifiable information such as names, emails, addresses, phone numbers, and financial account data. 

Many community associations are staffed partially or entirely by volunteers who may not be aware of the steps they need to take to protect association members’ personally identifiable information. Even with the best of intentions, most HOA leaders don’t take the necessary security steps of changing passwords. But today, that’s not enough to stop a sophisticated cyberattack.

As the world grapples with the coronavirus pandemic, hackers have stepped up their game. With more employees working from home, it is easier for hackers to target businesses like community associations that are vulnerable to cyberattacks. Every country on earth has been targeted with a coronavirus-themed cyberattack. Conventional strategies include phishing emails and other malware that mentions the coronavirus or COVID-19.

Why should community associations care about cyberattacks?

HOA leaders are obligated to protect, preserve, and enhance the association’s assets.  Accordingly, they need to take advantage of all the resources to mitigate cyberattacks, causing data breaches. If they don’t, they can be subject to notification costs notifying anyone whose information was at risk and the cost of credit monitoring for one or two years for each of those whose information was compromised.   

If a third-party management company maintains and handles this information for the community association, the association will still be responsible for any breaches that occur. The failure of the HOAs to comply with these requirements outlined in state data breach statutes may subject them to an action by a state attorney general. They could be hit with fines, penalties, and remedial expenses. 

Considering the staggering costs of some attacks, it’s in the HOA leadership’s fiduciary obligation to take all necessary steps to mitigate risk. This means following best security practices and getting cyber liability/data breach response services coverage.  

survey by the Cyber Readiness Institute revealed that more than 60% of small businesses lack an appropriate cybersecurity policy. The most common reason for not having a robust cybersecurity policy is a lack of resources needed to invest in proper cybersecurity measures.  

One of the most cost-effective resources is those included with the data breach response services provided in conjunction with many cyber liability/data breach response services coverage. Resources include access to attorneys, computer experts, and many training services and libraries available. These resources are included in the cost of their insurance, which at this time, is exceedingly inexpensive for community associations.

We’ve discussed the need for cybersecurity and the risks in past articles, but now is an excellent time to recap cyberattack prevention.

Preventing cyberattacks for community associations

With cybercrime becoming more prevalent, HOA leaders who claim they did not know they needed to protect past and present members’ personally identifiable information are unlikely to find a sympathetic ear from members, service providers, or state attorneys general. 

To protect their members’ information from cyberattacks and protect themselves against significant costs and expenses, HOA leaders must take proactive steps to improve cybersecurity. First and foremost, train all HOA board members on the following tips below

1. Control access to information

Limit information to as few people as possible and consider who has access to personally identifiable information. There should be strict policies about accessing the data. HOA leaders need to have a plan in place to update who has access, especially if the individual no longer needs access. 

If a third party is managing the information, leaders should ask the right questions about how the information is protected and stored. Confirm that the management company properly segregates each managed association’s information, so the association is not liable under the Data Breach statutes or the management agreement indemnification provision for other associations’ notification and credit monitoring costs.  Security breaches can and will often occur on the third party’s end.

Notwithstanding who has access, the ability to download or copy data from the association system or website should be minimal, including not allowing board members to download or copy information.

If possible, the association that allows on-line payments should engage with a bank to set this up.  Doing so will spread the risk and exposure to the bank.

2. Strong Passwords

HOA and CA leaders should implement strong passwords that are changed frequently. Create separate logins for each user. Use two-factor authentication. This method of password protection requires a login and a code sent to a cellphone.

When creating a password, use strong, unique passwords or phrases that incorporate a mix of capital and lowercase letters, numbers, and symbols. Don’t reuse passwords or phrases. If hackers gain access to one password, they have software that allows them to test across all accounts. Everyone should be on the same page about strong passwords and good cyber hygiene practices.

Consider investing in password management software. A password manager can create random combinations of letters, numbers, and symbols that are difficult to hack.

Consider having different levels of access to the association’s website where information is held.  Access should comply with statutory regulations regarding what information should be available to whom.

3. Antivirus Protection

Whoever handles IT for the association should make sure that antivirus and firewall software is adequate for the task. Update as appropriate. An association volunteer member should not determine the appropriate software and backup protocol. Hire a third-party professional.  No insurance coverage for the association will provide defense or indemnity for a volunteer working as an IT professional for the association.

4. Backup Data

Backup data regularly and in multiple places on both local storage options and to the cloud. Sound backup policy can protect against cybersecurity threats like viruses, Trojan horses that steal or erase data, and ransomware.

In many cases, the risk of a cyberattack is less about who has access to sensitive information, and more about where it ends up. If a user is viewing confidential information on a secure website using a computer with an up-to-date firewall and antivirus software, the security risk is minimal. But every time someone downloads information and stores it on a personal computer, the risk of a data breach increases.

Any third-party providers who have access to personally identifiable information represent an additional threat. While community associations cannot control the behavior of outside vendors, they can protect themselves from liability by requiring that third parties agree to indemnify the association as a result of the data breach of the outside vendor.

Sound governing documents help reduce the risk of liability

An association should seek advice from its general counsel or a community association attorney of the best method to make sure it complies with the statutory requirements and governing documents. Most cyber liability and data breach response services policies have access to plans, protocols, and information to help the HOA.  

These policies also have experts available for free or discounted pricing to assist the associations. Cyberattack exposures should be part of an association board’s regular review of the association’s governing documents to ensure that they adequately address cybersecurity risks. 

How Cyber Liability/ Data Breach Response Services Coverage helps

Adding an extra layer of protection is always a good idea when the stakes are high. Cyber Liability/Data Breach Response Services coverage is no longer an optional part of a community association’s risk management program — it is now a mandatory piece.

The board’s duty is to “protect, preserve and enhance” the association’s assets, and this is now a required tool.  It is also imperative to obtain this from a community association insurance professional who is properly-versed in the necessary coverage.

McGowan Program Administrators is here to help with our Community Association Cyber Liability Insurance & Data Breach Response Services Program. We also offer a wide range of additional products, including Community Association Fidelity/Crime Insurance, Directors and Officers Liability Insurance and Umbrella Liability Insurance. Our additional coverage products round out the puzzle pieces for many other issues addressed in this blog.

Our experts have helped HOAs and CAs around the country to reduce their risk of exposure to cyberattacks by providing practical, economical insurance coverage and data breach response services. Contact us today to learn more.