Bank statements, Social Security numbers, birth dates. Are they secure? And if they are not, are you protected?
It’s time to talk about cyber insurance.
“One of the big misconceptions in real estate is that because they aren’t a retail store conducting online transactions, [co-ops and condos] don’t have cyber exposure. But if they store personal information, they have exposure,” says Jim O’Neill of the New Empire Group, a company that offers cyber insurance for co-ops, condos, and property managers. If that data lands in the wrong hands, the co-op has liability that can cost the building thousands of dollars in legal fees and/or settlement costs.
As a result, building associations and property managers are picking up cyber insurance, since any company that keeps personal information is responsible for protecting that data. Breaches are costly and not covered under traditional protections, such as Directors & Officers liability or crime insurance.
Thieves covet information that can be used to create false identities and bogus credit accounts, explains Stephen Bedosky, vice president of York International, an insurance broker. “If you are constantly e-mailing bank information and Social Security numbers, you should have a policy. If you are using companies such as PayLease for collecting maintenance, you should have a policy.”
Even if a property manager maintains personal information and has cyber insurance, the co-op still may be liable for any stolen information, according to O’Neill. “You can outsource the process, but you can’t outsource the liability,” he says.
Too often, insurance agents say, boards skip cyber coverage, thinking they didn’t have it before, don’t have the budget for it, or are low risk because they have few units. “You didn’t need it 20 years ago because you didn’t do as much with computers,” Bedosky says. “Now everything is electronic.” As for size, he points out, “The smaller ones have the easiest security system to breach. Everyone is a target.”
When personal information is compromised, the responsible party has to alert all the people potentially affected, pay to monitor their credit, and set up a system for people to make claims. It’s also a public relations nightmare that can hurt a building’s reputation, according to insurance agents.
A policy can cost from a few hundred dollars to two thousand dollars annually for coverage ranging from one hundred thousand to one million dollars, agents explain. If there is a breach, the plan covers legal costs and monitoring fees.
Many insurance brokers are urging associations to add cyber insurance to their package of coverage. Boards can also reach out to companies that specialize in cyber issues. The Ponemon Institute, a Michigan-based research center, estimates that a cyber breach in the U.S. costs $200 for each compromised record. A 50-unit cooperative, therefore, would need to pay more than $10,000 if accounts are hacked. For property managers responsible for dozens of buildings, the liability multiplies. Condo associations require less banking information for approval and so are at lower risk, insurance agents said, but they are still at risk.
“The property managers are jumping on this coverage but the associations are saying it’s the property managers’ issue,” says Ed Mackoul, president of Mackoul & Associates, an insurance agency that deals with real estate. Only 10 to 15 percent of the 900 associations he works with have cyber coverage, according to Mackoul. Still, two years ago, none did. “Until we see a full breach, people will think that hackers don’t target them,” says Mackoul.
There have been close calls though, notes Mackoul, who recently dealt with a board member who had his cell phone stolen. The thief found an e-mail from a prospective buyer with bank information, set up a dummy e-mail and tried to make a withdrawal.
In another case, a disgruntled employee of a property manager backed up all the shareholders’ information on a disc and left with the data. The disc was recovered before any damage was done. “There hasn’t been a full-blown case of cyber theft that I’m aware of, but it’s a matter of time,” predicts Mackoul.
On the property managers’ side, interest in cyber coverage is skyrocketing. At York International, half of property managers have the insurance, a number that is increasing continually, says Bedosky.
Bram Fierstein, a property manager at Gramatan Management, which oversees buildings in Westchester, the Bronx, and Rockland County, added cyber coverage to his policy in December. “We are not Sony, we are not Target, we are not Home Depot, and we have firewalls. But when you see these huge corporations are being breached, you have to be prepared,” he says. “I tell boards to get it as well, but it’s not an easy sell. We have a policy, but it’s a belts and suspenders situation.”
When a management firm or association decides to buy cyber insurance, it needs to take steps to better protect the data it keeps. “The [company] needs to identify the type of information it collects, where it stores that information and in what form. Is it encrypted? Is there a backup? Is the server or computer loaded with the most recent antivirus software?” says David Menken, a lawyer who specializes in data security at Smith Buss & Jacobs.
Most insurance companies will require the client to have a data protection program and a cyber policy that outlines how employees, including boards of directors, use their e-mail, internet, computers, and network, according to Menken. The computer device must have up-to-date antivirus software and be password protected, he said. Network backups also must be updated weekly, policies show.
This process will go a long way toward protecting the information stored. “If you get fire insurance, you have to certify to the insurance company that you have a smoke alarm. If you get a smoke alarm, you’ll be safer. If you go through the act of going through your data so it complies, your data is that much more secure,” he says.
Vanda Jamison, co-op president of a 44-unit apartment complex in Harlem, was combing through the building’s finances this summer when she and other board members discovered $12,500 was missing. When she called the property manager for answers, she was horrified to learn that she, Jamison, had requested the check. The property manager produced an e-mail from the board’s account as proof, complete with information for a phony vendor in Georgia.
That’s when Jamison realized the board’s e-mail had been hacked. “I called the insurance company and they said, ‘You don’t have cyber insurance.’ I said, ‘Cyber insurance? What is that?’” recalls Jamison.
Only parts of her case fell under a cyber insurance policy – a standard crime policy would cover the rest. In her building’s case, the bank that improperly cashed the check – the board president’s signature was missing – returned the money but the board is still looking into getting cyber coverage.
“It’s crazy, but it’s necessary because you don’t know what [the theft is] going to look like,” says Jamison. “You know what fire is when you look at it, you know what water damage is when you look at it. Cyber theft is so new and so clever, that we don’t know the risk.”
So far, cyber breaches in the co-op and condo industry have been infrequent. Yet experts agree that the threat is real and that stolen personal information can take a long time to surface. “It’s not a matter of if,” said Bedosky, “it’s a matter of when.”