Managing Cyber Liability and Data Security in Community Associations

Cyber-attacks are a well-known risk to large corporations and supply chains, with infamous cases like the SolarWinds attack making frequent headlines. However, small organizations with lax cyber security are quick and easy targets. Condos, co-ops, single-family HOAs and most types of common interest developments (referred to collectively as “Community Associations”) are prime targets for cybercrime.

Many HOAs and Community Associations store data about their homeowners, such as social security numbers, payment information, dates of birth, tax documentation, vendor data, and so on.

By tightening up cybersecurity requirements for board members and finding the right cyber insurance policy, HOAs can mitigate the risk of cyber-attacks. This blog will review the steps that HOAs can take to fortify their digital defenses and essential considerations when choosing a cyber insurance policy.

Steps to bolster cyber security practices

Make a plan

There may be requirements associated with obtaining a cyber liability insurance policy. The first step to securing your HOA’s digital footprint is to create a written plan that will instruct board members on best practices and serve as training material.




Consider access and permissions

Who exactly should have access to sensitive homeowner data? When are they allowed to view it? What credentials do board members need to access the data?

These are all helpful questions when developing a cybersecurity plan for your Community Association. Having designated administrators will also help when you need to file a cyber insurance claim should an attack successfully breach HOA data. Having designated users can also help narrow potential breach points in the aftermath of a data leak.

Note that data-access policies are only successful when adequately enforced by the HOA and understood by everyone interacting with confidential data. This is often a challenge because of board turnover, volunteer board members, and misunderstandings about cybercrime risks and consequences.

Multi-Factor Authentication is essential

Multi-Factor Authentication (MFA) is the last line of defense against potential attacks and is required by many cyber liability insurance policies. MFA works by using multiple types of information to verify that the individual seeking to obtain access is authorized to obtain or review the data. A common approach is to send a unique code to a user’s device or email, repeating the process at each log-in attempt.

MFA is becoming more common every day for consumers. Although it can feel annoying in the moment, MFA is vital to creating a robust cyber defense.

Password security requirements

Creating secure passwords is the foundation of cyber security and is a great way to limit cyber liability.

Password best practices include:

  • Make passwords 8 to 12 characters long.
  • Mix upper and lowercase letters.
  • Use numbers and special characters.
  • Don’t reuse passwords or create a general password.
  • Randomly generated passwords are the most secure.
  • Routinely change passwords.
  • Store passwords in a secure location (e.g., a notebook or a password management application).
  • Consider using a pass phrase rather than a single word.

Destroy old documents with sensitive data

Destroy physical and digital documents when they are no longer necessary. Keep in mind that deleting a file and emptying the recycling bin on a computer doesn’t destroy it. It is possible to recover deleted files with computer forensics knowledge. To truly delete a file, you must run it through a third-party shredding app.

Limit personal device use for members

Using personal devices like smartphones and laptops is cost-effective and convenient. Unfortunately, it creates a security gap as personal devices may not be equipped with up-to-date security measures. Additionally, if a board member loses their smartphone and that phone is tied to multi-factor authentication for a critical system, then a potential vulnerability arises.

It may be in the best interest of the HOA to purchase dedicated devices that can be digitally and physically secured.

Keep software up to date

Software patches are a crucial weapon against cyber-attacks. Application developers monitor the web for emerging threats and create code bundles to fill security vulnerabilities. If possible, enable automatic updates on HOA devices and applications, or schedule a time to update HOA software manually, ideally once a month.

Train board members on IT security

Most cyber breaches come from human error, so your cyber liability insurance policy will likely require your volunteers to stay up to date on cybersecurity best practices. Opening a single email attachment can give cybercriminals access to core systems. Therefore, it’s crucial to train HOA board members, employees, and even vendors (if they have access to HOA data) on the latest cybersecurity threats. Annual training should be mandatory for current and new board members.

Phishing and other social engineering attacks emerge rapidly, but some key points to keep in mind include the following:

  • Never open a suspicious email, even if it comes from a contact. Some phishing schemes rely on hacking email addresses and can send viruses.
  • If a board member’s email or social media accounts have been hacked, inform other board members as soon as possible to prevent potential breaches.
  • Keep antivirus software up to date.

Get help from a professional IT firm

The tools necessary to keep organizations safe from cyber threats are sometimes more than a volunteer HOA board can handle. Working with outside IT firms helps manage and secure organization assets.




Keeping homeowner data safe requires diligence (and cyber insurance)

Operating an HOA is a minefield of legal, social, and increasingly digital pitfalls. Any individual can unwittingly expose the HOA and its members to a disastrous ransomware attack. Today, it’s not a matter of if your organization will be targeted by ransomware—it’s a matter of when. Taking the steps discussed in this post will help mitigate the risk.

Cyber liability and data breach insurance is an emerging field of coverage, so not all policies are created equal. Each cyber insurance plan has requirements for members and covers different aspects of data breaches. D&O insurance policies rarely protect against data breach or cybercrime liability. To fully protect themselves in an environment with increasingly complex technology and cyber-attack strategies, Community Associations must partner with professionals who are experts in these specific areas.

McGowan Program Administrators (MPA) has been creating insurance products for highly specialized markets since the 1950s. With decades of experience working with community associations and HOAs, our underwriters will help you create a comprehensive cyber liability policy to protect the assets of your HOA.
