>>View and download the article PDF.
By Julie Warren
Imagine the president of a board you manage accidentally leaves her laptop—which contains names and email addresses of all association members—on a plane during a trip to the coast. Or, what if your computer, which includes links to your management company's financial records as well as the personal information of all the residents in several associations you manage, is hacked and locked for ransom.
Cybersecurity isn't just about protecting big tech companies, financial institutions, and nation-wide retailers. “It's a real, unrecognized threat (to associations)," says Mike Hardy, president and chief executive officer at TOPS Software, a CAI Business Partner. “And it's a fast-moving problem."
Hardy, along with Joel Meskin, ESQ., CIRMS, and Kevin Davis, CIRMS, hosted “Techno-Dilemmas: How Community Associations Can Manage Risks Associated with Technology Use and Abuse," one of the most popular education sessions at CAI's 2018 Annual Conference and Exposition in Washington, D.C., in May. The session illustrated several ways an association or a management company can protect their daily operations—and particularly their financial transactions—from being interrupted or hijacked internet thieves.
WHERE IS THE DANGER? The presentation highlighted some of the more likely tech threats to community associations and management companies. Meskin described one chilling scenario that a client community association recently experienced:
“Upon settling an association's multi-million-dollar construction defect suit against its builder, the association's attorney placed the settlement funds—several million dollars—in his trust account until they could be distributed. A few days later, the attorney's office received a call from what seemed to be a credible source with instructions where to deposit the money; the attorney followed the instructions.
About a week later, the community's manager called the attorney's office with instructions for depositing the same funds. Confused, the attorney explained to the manager that the money had already been wired to a bank account. Turns out, the first call the attorney received was not legitimate, and the settlement funds were wired to the scammer's account. The money was gone."
Someone knew about the settlement and how to perform an electronic transfer, says Meskin, who reminded conference attendees that it's worth the few extra minutes it takes to double check a source, like who is calling with instructions or the name of the bank that is receiving funds. It's also worth the effort to have a second signer or authorizer on an account.
Meskin also explained to conference attendees that a “data breach" can be as simple as dropping a banker's box full of papers that go flying down the sidewalk. If those papers contain personally identifiable data—homeowners' names, social security numbers, phone numbers, and credit card numbers—then those homeowners need to be notified.
WHO IS CONCERNED? Whether it's through ransom demands, identity theft, or wire fraud, “theft of funds is your number one exposure," says Davis, president of Kevin Davis Insurance Services in Los Angeles. “People want the money."
About two years ago, Davis suggested that the Foundation for Community Association Research study technology threats to community associations. The ensuing survey revealed that “industry leaders and business partners are concerned with associations' use of technology, social media, and the internet." Association boards and managers, however “are more focused on property maintenance, residents' complaints, and association spending," Davis says. “We need to close that gap, and educate these people about the risks."
According to Davis, the Foundation's research committee quickly established some goals to:
AVAILABLE REPORT WIRED: 2018 Survey of Cybersecurity in Community Associations, a new report by the Foundation for Community Association Research (FCAR), is one result from the Foundation's 18-month project on cybersecurity in associations. The report, which was debuted at Hardy, Meskin, and Davis' Annual Conference presentation, examines what's at risk when associations and their management companies use any kind of technology to conduct business. The document is available at www.foundation.caionline.org.
More than 600 community association managers, board members, and professionals who support associations responded to the survey. The information in Wired—and subsequent education sessions and reports based on the survey's results—can help managers, association board members, and business partners understand more about the risks associated with using social media, websites, and third-party payment portals.
“We consider this the kickoff of what we're doing," said Christine Danielson, chair of the Foundation's research committee and a Foundation past president, as she introduced Wired to conference attendees. “There will be additional publications and educational sessions to come on this topic throughout the year."
HOW CAN WE PROTECT ASSOCIATIONS? Meskin urged conference attendees to re-evaluate the type of social media their associations use. Change your passwords, he says, and close Facebook. Davis recommends that associations use intranet and dedicated email systems. All three presenters urge associations to get some type of insurance coverage to protect the association and its board against all varieties of cyberattack.
“There's a part that protects the data itself, and a part that protects the funds," Davis says. “Make sure both are protected."
In many states, any type of wire fraud, data breach, or other form of cyberattack requires an association board to notify all members, Davis said. “Some states require call centers and credit monitoring. That's why you must have insurance. If you don't contact people, you can be sued, or fines and penalties may be levied. And directors can be sued under their directors and officers (D&O) policy because they failed to properly supervise the information."
Several types of insurance coverage are available to management companies and associations:
Cyber liability and data breach response insurance
D&O liability insurance
“Because technology is so accessible, we must be diligent about what communities are using and how they are using it," says Davis. “The bottom line is that you need to have a cyber policy because … you have the data."
Julie Warren is editor of Community Manager and CAI's news and content manager.
NOW AVAILABLE! STATE SUMMARIES OF TECHNOLOGY USE As more security and data breaches occur in the U.S., states are amending and adopting laws governing the protection of personal and financial information and how breaches in these areas must be reported and addressed. A snapshot of this legislation now is available online along with WIRED: 2018 Survey of Cybersecurity in Community Associations, the summary of the results of a recent survey by the Foundation for Community Association Research (FCAR).
>>Download copies of the State Summaries of Technology Use, along with Wired: 2018 Survey of Cybersecurity in Community Associations.
Join CAI to get the full issue of Community Manager and receive additional member benefits.
As the professional backbone of the communities you serve, you need advanced skills and expertise that are essential to the successful
management of associations. Let CAI help you shape the industry.