Does My Affordable Housing Organization Need Cyber Liability Insurance?

It’s common to assume your general liability insurance policy covers cyber liability. The reality is that these policies are separate but equally important in today’s landscape. General liability coverage protects housing organizations from a wide range of exposures, including injuries and property damage, but isn’t designed to handle the nuance of cyber risk.
For example, a cybercriminal might obtain and leak an organization’s personal identifiable information (PII), including names, addresses, and social security numbers of residents or employees. A cyber liability policy can assist in notifying victims about the data breach, which is required by law in each state. A cyber liability policy can also help cover risk mitigation efforts and remediation and recovery costs, including legal, public relations, and IT expenses. Most general liability policies don’t cover these aspects of a cyber breach or explicitly exclude them.
Without the proper cyber liability coverage, your organization could be left picking up the bill for a majority of breach-related expenses, if not all. Any housing organization that waits until after it has experienced a cyber breach to shop for cyber liability coverage may have difficulty finding an insurance carrier willing to take on the risk. If so, the carrier is likely to charge a higher premium.
Consider your organization’s cyber risk
Before securing cyber liability coverage, organizations must identify potential risk factors, said Scott Stevens, chief information security officer of cybersecurity firm Integrity Technology Solutions.
“These do not have to be drawn-out projects,” Stevens said of risk assessments. “This is something that you can legitimately do in a couple of days if you focus on what technology risks are out there.”
Housing organizations should perform assessments at least annually, leveraging in-house expertise or a third-party service to examine operational, privacy, and security risks, he said. The process can include steps like determining what kind of sensitive data the organization stores, how many employees have access to such data, and what type of data-protection measures are in place to mitigate risk.
Once risks are identified, organizations should mitigate them and ensure they’re covered under a cyber liability policy.
A sampling of cyber liability coverages
While it differs by the insurance carrier, the following coverages are some of the critical components of a cyber liability policy, according to Angel Fear, senior account executive at HAI Group:
Privacy and Network Security Liability
-
As noted earlier, a cyber breach can lead to the disclosure of sensitive data. This coverage helps handle claims arising from such disclosures, Fear said.
Regulatory Proceeding
-
If a data breach results in the violation of privacy law(s), state and federal regulatory agencies may have questions for your organization. This coverage helps cover costs related to investigations and proceedings brought against your organization, Fear explained.
Breach Event Costs
-
According to Fear, this coverage assists with costs related to initial cyber breach consultations, call center services, credit monitoring, identification theft assistance, and credit/identity restoration services. She said this coverage could also help cover breach notification, IT forensics, and PR/crisis management expenses.
Business Interruption
-
Downtime is not a good time for any business, especially housing organizations. Business interruption coverage helps with expenses and loss of income due to a network interruption, Fear said.
Cyber Extortion/Ransomware
-
Ransomware is on the rise, Fear noted. Cyber extortion coverage provides resources to respond to ransomware cyber incidents (when your organization’s data is held hostage and cybercriminals demand a ransom payment).
Cyber Crime Enhancements
-
Beyond the above coverages, there are enhancements your organization can include in its cyber liability policy, providing nuanced coverage for specific incidents. Examples include:
-
phishing;
-
invoice manipulation; and
Enhancements aren’t always available, and if so, they tend to be sublimited, notes Dan Burke of insurance brokerage Woodruff Sawyer. A sublimit places a maximum on the amount available to pay that type of loss. For example, if your organization has a $1 million cyber liability policy with a 25% sublimit on social engineering coverage, your organization would be limited to a $250,000 payout for that claim.
Contact our Risk Control and Consulting team for more resources and answers to your housing organization’s risk-related questions.
Interested in Working With HAI Group? Our Account Services team is ready to assist you.

Includes copyrighted material from a company under the HAI Group family, with its permission. This post is for informational purposes only and is not intended to provide legal advice, and shall not be relied on as such. We strongly recommend consulting with legal counsel or an appropriate subject matter expert.