Cybersecurity Resilience: A Guide for Affordable Housing Organizations Seeking Robust Cyber Insurance Coverage

Cybersecurity threats are all too real for housing organizations and take many forms, including phishing, ransomware, and business email compromise.


According to IBM's 2023 Cost of a Data Breach Report, the global average cost of a data breach in 2023 was $4.45 million, a 2.3% increase over 2022 and a 15.3% increase over 2020.


While cybercriminals have multiple attack vectors at their disposal, many cyberattacks on housing organizations start with what looks like an innocent email. Researchers recently analyzed 55.5 million business emails and found that roughly one in every 99 emails is a phishing attack. Of those attacks, 25 percent bypassed default email security measures. Phishing emails typically include a link or attachment that, when clicked, allows cybercriminals to access sensitive data and install ransomware—malicious software that prevents users from accessing their computer files, systems, or networks.


Securing your housing organization in the face of advanced cybersecurity threats


Treat these threats like any risk your organization faces—with proactive and reactive measures, including insurance coverage for an added layer of protection.


Cyber insurance is designed to mitigate losses from cyber incidents, including data destruction, damage to software and hardware, ransom payments, business interruptions, breach incident response and crisis management, and legal claims.  


Angel Fear, a regional manager with HAI Group's Account Services team, works directly with several housing organizations that have experienced ransomware attacks. She's seen the behind-the-scenes costs of these attacks (e.g., ongoing vendor and legal fees, ransom payments, software and hardware updates, additional staff, new security protocols, etc.) add up to millions of dollars in six months or less.  Standard property and general liability insurance policies don't cover most aspects of a cyberattack. Without a cyber insurance policy, organizations typically have no option but to pay most breach-related costs out-of-pocket.


"If you're a public or affordable housing organization, you're going to want cyber insurance coverage," Fear said.


Due to the frequency and severity of losses related to cyberattacks, most cyber insurance carriers require that housing organizations put baseline cyber protections in place. For example, multi-factor authentication (MFA) was once optional, but in today's landscape, it's a baseline requirement for coverage.


"Cyber insurance providers want to ensure your organization is taking proactive steps to avoid a cyber incident," Fear said.


Five key security measures to increase cyber insurability


Cyber insurance providers frequently require multi-factor authentication, secure backups, regular software updates, cybersecurity awareness training, and endpoint detection and response.


"Carriers might not necessarily require them all, but these are what they're looking for in general," Fear said. "If you need to have just one of these, it's multi-factor authentication."


We've put together a brief explanation of each security measure below. Visit HAI Group's Cybersecurity Center for additional free resources. 


1. Multi-factor authentication (MFA)



MFA is a security measure that requires anyone logging into an account to complete a two-step process to verify their identity. This security feature is often referred to as two-factor authentication or two-step authentication.


Fear said that most cyber insurance providers require that housing organizations have MFA in place before issuing a policy.


If you use banking or social media apps on your phone, you've probably used MFA before. Still, there needs to be more awareness around MFA. A survey of 3,000 adults in the U.S., U.K., and Canada conducted by the National Cybersecurity Alliance found 43 percent of respondents had never heard of MFA.


MFA verification steps can include, but aren't limited to, an extra PIN, security questions, an emailed or texted code, facial recognition or a fingerprint, or a unique number generated by an authenticator app.


"Any place online that is storing your personal information (especially financial information), or any account that can be compromised and used to trick or defraud someone else should be protected with MFA," NCA states on its website. "So, basically everything. Simply put, use MFA everywhere."


2. Secure backups




If cybercriminals breach your system, all isn't necessarily lost as long as you have a secure backup system. System backups provide the ability to recover data you need in the state you need it in.


For example, if your organization's systems are infected with ransomware or another type of malware, you can wipe the system and restore everything from the secure backup. While you should never rely on backups alone for cybersecurity, they're a must-have.


It's crucial to ensure your backup is secure. After Denver Housing Authority experienced a ransomware attack in 2021, the organization couldn't boot up its backup system because the backup password file was on a server that malicious actors locked out. 


Denver Housing Authority Deputy CFO Jim DiPaolo said if his organization hadn't had its password file stored on the same system locked out by cybercriminals, "we wouldn't have had to pay the ransom."

"We would have been able to get into our backup system, use the backup tape, and gone forward, so it was a good lesson learned," he said. 


3. Regular software updates (patching)


Software updates, also known as patches, fix known problems and provide new security measures to protect against ever-evolving cyber threats.

"Cybercriminals target known vulnerabilities," said Jonathan Hochman, founder of CodeGuard, a website security company, and Hochman Consultants, a boutique search marketing agency. "Making sure your software is up to date goes a long way toward helping keep you safe."


Your organization's IT team would typically manage software update processes. If you don't have an IT department, consider hiring an IT consultant to help maintain your network's security.

You can also handle some software updates on your own, Hochman said. 


"If you have Windows, type Windows Update in the search bar," he explained. "Look for the magnifying glass next to the Windows icon in the bottom left corner of your screen. Make sure to set it for automatic updates so the system will just update itself. Then keep an eye on it to make sure these updates are happening."


If you use Apple products, you can learn how to update your Apple software here.


4. Cybersecurity awareness training 


Humans are prone to mistakes because, after all, we're only human. Cybercriminals use social engineering to prey on our imperfections. 


"Social engineering is a discipline in social science that refers to efforts to influence particular attitudes and social behaviors on a large scale, whether by governments, media, or private groups, to produce desired characteristics in a target population," said Richard Moore, CEO and founder of CyberSix, a cybersecurity company. "Social engineers use the scientific method to analyze and understand social systems so they can design the appropriate methods to achieve the desired results in human subjects."


In the context of cyberattacks, social engineering often involves phishing emails and text messages that appear to be from a person or business you know and trust. 


Training your employees to identify these phishing emails and use the appropriate level of caution before clicking on suspicious links and attachments creates a human firewall that serves as your organization's last and most vital line of cybersecurity defense. 


Your IT team can serve as a training resource for employees. You should also consider a third-party training service, of which there are plenty on the market. We've negotiated a deal with KnowBe4, a trusted cybersecurity training firm, to provide exclusive discounts for HAI Group members for a limited time only. We also offer eight free cybersecurity training courses through our HAI Group Online Training platform for managers and employees. 


5. Endpoint detection and response (EDR)


EDR is akin to the next generation of antivirus technology. These systems are designed to continuously monitor your organization's computers and electronic devices (commonly referred to as endpoints) to detect and respond to the latest cyber threats.


EDR systems collect technical data from endpoints and transmit it back to a server or vendor to search for suspicious patterns and threats, according to the Center for Internet Security (CIS).


If a threat is detected, the EDR system can block it and generate an alert. EDR systems still incorporate traditional antivirus functionality, CIS notes, but they take security a step further and are also designed to simplify security management by consolidating several common functions into a single platform.


Next steps for securing cyber insurance coverage


If this all seems overwhelming, we understand. But make no mistake, cybersecurity should be a priority for your organization, and the security measures outlined in this article can help your organization find a cyber insurance policy that offers the protection you need.


Importance of Key Security Measures for Cyber Insurability

Multi-factor authentication: Always required
Secure backups: Often required
Regular software updates (patching): Often required
Cybersecurity awareness training: Highly recommended
Endpoint detection and response: Highly recommended


Luckily, there's cybersecurity help available, and it comes at no cost to public housing organizations. The Multi-State Information Sharing & Analysis Center (MS-ISAC), operated by the Center for Internet Security and recommended by the U.S. Department of Homeland Security, provides various free cybersecurity services to U.S. state, local, tribal, and territorial government entities, including public housing organizations.


HAI Group no longer offers a master cyber liability policy to its members and doesn't sell cyber insurance directly. Still, a member of our Account Services team can assist you in finding a standalone policy.


Fear said that if you're an HAI Group policyholder interested in a cyber insurance policy, set up a call with your HAI Group account executive and include your organization's executive director and an IT team member in the meeting. Your HAI Group account executive can talk through the application process and coverage scenarios and answer any questions you might have.


"We offer a single cyber insurance application that we can send to multiple cyber carrier partners on your behalf," Fear said. "As long as you have multi-factor authentication in place or are working on it, you're eligible to apply for coverage."




This article is for general information only. HAI Group makes no representation or warranty about the accuracy or applicability of this information for any particular use or circumstance. Your use of this information is at your own discretion and risk. HAI Group and any author or contributor identified herein assume no responsibility for your use of this information. You should consult with your attorney or subject matter advisor before adopting any risk management strategy or policy.
