The threat of data piracy grows. So too does the cost of cybersecurity protection. Community associations are evaluating vulnerabilities and budgets in the technological battlefield.
By Mike Ramsey
MIKE MCGINNIS, board president of a condominium in Spokane, Wash., got a surprise earlier this year when his community association changed insurance carriers.
It turns out the building's new policy did not include cybersecurity protection. For that layer, the condominium would need separate coverage.
“I hadn't even heard of that, quite honestly. I'm not an insurance expert, but I started to know more," says McGinnis, a retired school principal. The board's insurance broker came back with a plan that would provide up to $1 million in coverage for an annual premium of about $700. Not an extravagant sum when shared across 63 condominium units, McGinnis concedes, but board members took time to think about it.
The condominium was already dealing with increased expenses, including repair work on the building's outdoor swimming pool, which necessitated special assessments, he says.
“Our debate was paying out an additional $700, which could go to upgrading, say, our security cameras," McGinnis says. “Is our cyber risk large enough that we want to spend that, as opposed to using those resources somewhere else on an aging building?"
For his part, McGinnis reasoned that his community, West 700 7th Condominiums, is small potatoes compared with the more lucrative targets cybercriminals presumably are after. The community association, which has a single computer for its business, is run with the help of a part-time manager who comes in to pay the bills and perform other administrative duties.
McGinnis says he's not blind to the dangers of breaches, including a series of highly publicized ransomware attacks that have paralyzed companies. But he adds: “I'm not sure what they would be holding us ransom for."
The Spokane condominium board is not alone in wrestling with questions about the rapidly changing field of cybersecurity and whether to buy insurance as a hedge against the unthinkable.
It's really not unthinkable, experts insist. Their common mantra is: It's not a question of if organizations will suffer some kind of data breach—it's a question of when.
Cybercriminal activity was expected to inflict damages worth $6 trillion across the world in 2021, double the $3 trillion estimated in 2015, according to Cyber Security Ventures. The research group predicts the global level of economic harm will increase to $10.5 trillion by 2025. The latter sum is significantly higher than the gross domestic product of most nations.
Major companies have fallen victim. Last April, hackers tapped into the Colonial Pipeline network and demanded a ransom in bitcoin after simply using a compromised username and password, Bloomberg reports. Owners sought to contain the damage by shutting down the pipeline, and this caused a regional gasoline shortage that drove up consumer prices at the pump. Colonial Pipeline ultimately forked over millions, though much of the payout was later recovered by authorities.
Routine thefts of data also continue with regularity. In January 2021, cyberintruders captured the personally identifiable information (PII) of more than 7 million customers of men's clothing retailer Bonobos; the data included addresses, phone numbers, and partial credit card numbers. Also last year, supermarket chain Kroger reported that some of its human resources and pharmacy data was exposed through weaknesses in Accellion, a third-party file-transfer system. The grocer said it would offer free credit monitoring to impacted individuals.
Large-scale cyberstrikes get most of the attention. But community associations should not consider themselves invulnerable or too small to matter to the criminal underworld, says Mary Ellen Seale, director of the National Cyber Security Society, a group that advises small businesses and nonprofits.
“Reputational harm can have a dramatic impact, and you can't put a value on it," she says.
Seale notes that many states post information about condominiums and homeowners associations on publicly accessible registries. These listings can become starting points for bad actors who are looking for opportunities, she says.
“You really need to think about what information you share, who you share it with, and what you have of value," she says.
Some community associations traditionally have compiled information about households, including the number of children who live at a particular residence, Seale says. This probably is a holdover from simpler times, she explains, when such details might have been used to foster relationships in the neighborhood.
That was then. Now, she says, “A lot of creepy things could be happening with that data."
Hilton Head Plantation Property Owners Association, which has 10,000 residents across 4,000 acres and its own security department of 30 officers, currently does not carry cyber insurance, says T. Peter Kristian, CMCA, LSM, PCAM, general manager of the South Carolina community.
A committee determined the coverage would be “cost-prohibitive," he says, after weighing the potential expense versus the risks and the defenses the community has in place.
“You can insure everything for a price, but what price are you willing to pay?" asks Kristian, a CAI past president.
Among the safeguards, he says, are multiple backups of the community's server. When cybercriminals hacked into the database a couple of years ago and tried to hold it for ransom, they got nothing, the manager says.
“We went back to one of our backups to make sure we were in good shape," Kristian says. “We told them to get lost and just had our IT person repopulate the system, and we went along on our merry way. The key there is to make sure your system is backed up."
The community does not store owners' Social Security or credit card numbers, Kristian notes. Households pay their assessments through old-school paper transactions. He says this could change, with the association one day offering an electronic payment option.
“That opens up a whole other window of cybersecurity," Kristian says. “We're going to have to take another hard look at that security, both internal security and also whether cyber insurance makes sense. This is a very evolving issue."
Cyber insurance is a relatively new field. It's also a fluid one, with underwriters adding specific types of coverage to offset the latest threats from increasingly wily cyberthieves.
“When we started selling the first policies to coops and condos, there was no coverage for ransomware," says Edward Mackoul, president of Mackoul Risk Solutions in New York and New Jersey. “But that wasn't the issue at that point. Initially, it was having the data breached, and if you had the data breached, you had to monitor the (victims') credit and you had to inform them and do other things."
Some community associations may assume they already are protected against cyber intrusions under general property and liability insurance. That really is not the case, says Los Angeles-based insurance broker Kevin Davis, who specializes in plans for condominiums and homeowners associations.
Board members also may think liability rests with another party, like their management company, if a breach occurs. Again, Davis says, this is a misconception.
“If you talk to the homeowners association, they'll say, 'I don't worry about it because the manager is the one who has all my data,' " he says. “But if I live there, and my data has been compromised or I just lost $10,000 because I sent my money to the landscaper and it was a fake landscaper, then we're out of the money."
“It's easy to throw everything on the manager," Davis adds. “But the manager can always say, 'It wasn't us.' Then you're in trouble."
“The truth is, they do have the largest exposure," Mackoul says of management firms. “But the buck doesn't stop there. It doesn't stop somebody from suing the association. What's the association's recourse at that point? They sue the management firm. They may even be indemnified at the end of the day, but you still have to go through that process."
He says the cooperatives in his client base tend to be more receptive to the idea of buying cyber insurance. This is because they regularly evaluate sensitive financial information and other records submitted by shareholder applicants, he explains.
“A coop does have a larger exposure than a condo," Mackoul says.
Not surprisingly, cyber insurance claims and payouts have increased in recent years, and this has had an effect on the cost of premiums, the Council of Insurance Agents & Brokers' Commercial Property/Casualty Market says. In the second quarter of 2021 alone, cyber insurance premiums rose an average of 25.5%, a recent survey found.
Insurance professionals blame the price increases on the rise in cyberattacks but also “poor risk management protocols" and “lack of sufficient employee training to ward off cyberattacks," the council reports.
Mackoul knows of management firms that have filed claims after their data had been held for ransom. One acquaintance in the housing industry also suffered a breach and then tried to negotiate a lower ransom, he says. The hackers, however, knew the scope of the business and held fast to their original demand.
“They basically had a sliding scale based on the size of the firm. (The hackers) do their homework," he says.
Given the rising number of claims associated with ransomware, Mackoul says it's possible insurers may eventually stop offering that particular coverage or price it so high that few clients will buy it.
We're not there yet. For now, despite increasing premiums, cyber insurance is a relative bargain, both Davis and Mackoul say. The cost will vary for community associations, depending on their size and annual revenues, but they say policy premiums typically are in the annual range of $1,000 or less.
Board members at West 700 7th Condominiums in Spokane, Wash., decided not to purchase additional cyber insurance at the end of 2021. For now, the board is focused on adequately funding its reserves, increasing salaries, maintenance, and infrastructure in the aging buildings, says McGinnis, the board president.
“Since we do not store the personal banking information of our owners on the office computer, we felt our exposure was limited, but we recognized that we should be mindful of protecting our system nonetheless," he says. “We upgraded our security software and, when our insurance renewal comes due, we may revisit the issue again."
More insurance industry data on the number of cybersecurity claims may guide the community's future decisions, McGinnis adds.
“My goal is to protect the best interests of our homeowners and also have a quality place where they feel safe—personally, but also safety in their information and everything else," he says.
Mike Ramsey is a Chicago-based freelance writer.
JUST WHEN people may have learned how to evade or ignore “phishing" attempts from cybercriminals, along come the variants.
Phishing, of course, is a con artist's attempt to get sensitive information, such as a password or bank account numbers, through fraudulent emails. Or, the sender may try to entice a group of recipients into clicking on a suspicious link or opening an infected attachment. “Spear phishing" is when a communication is tailored to a specific individual, after a scam artist does some research.
In “Smishing," the bad actor tries to lure their mark with a text message (via Short Message Service, or SMS) on a smart phone. “Vishing" is the use of voicemail to scare or cajole a victim into doing something they'll regret later.
These are all a form of “social engineering," an umbrella term for criminals seeking to influence the behavior of others, with the hope of a payout. Los Angeles-based cyber insurance broker Kevin Davis, who sells coverage plans to community associations, nearly became a victim himself.
“I did a cyber talk in Hawaii about two years ago," he recalls. “As soon as I get there, my controller calls up and asks, 'How many gift cards do you want?'"
When Davis said he didn't request any gift cards, the employee replied: “Yes, I got an email from you that says you're going to land and you want gift cards to give out to your clients."
What happened? Somebody likely saw a social media post about his plans to attend the seminar, Davis says. Then they sent an email with a “spoofed," or forged, return address that made it seem like he was the author of the message.
“That is social engineering," Davis says.
This attack method is expected to get even more sophisticated and persuasive with the rise of visual counterfeit technologies. The FBI predicts cybercriminals will combine social engineering schemes with synthetic content that includes “deepfake" elements.
A deepfake refers to a video that has been realistically edited with an artificial intelligence program to replace a person in the original footage with someone else. Some stunning examples of deepfakes that use the images of celebrities (google “Tom Cruise deepfake") are already on the internet.
“We anticipate malicious cyber actors will use these techniques broadly across their cyber operations—likely as an extension of existing spear phishing and social engineering campaigns," the FBI said in an alert to businesses in 2021.
Davis notes there is insurance coverage against social engineering scams. This enables boards to file claims in the event that someone, such as an owner, suffers financial harm and tries to hold the community association responsible. He says the product hasn't caught on—yet.
“Every big corporation has it. Most condo people never heard of it," Davis says. “Most boards think the manager has ultimate responsibility if anything goes wrong. And it's not true." —M.R.
Join CAI to get the full issue of Common Ground magazine and receive additional member benefits.