Cybersecurity threats are no longer limited to major corporations or highly regulated industries. Today, any organization collecting and storing personal data is a potential target—including public and affordable housing providers. As technology becomes more integrated into housing operations, so does the exposure risk. From property management platforms and online rent payments to employee email communications
and HR systems, the data stored and transmitted daily by housing authorities and property managers is of increasing value to cybercriminals.
The rise of generative AI and subscription-based malware tools has lowered the barrier to launching sophisticated cyberattacks. Email scams now mimic real conversations, and voice cloning tools can impersonate staff or vendors with unsettling accuracy. At the same time, data privacy laws are tightening, and regulatory reporting requirements are becoming more complex, placing more responsibility on organizations to protect sensitive information and respond quickly to breaches.
Yet, while the cyber risk landscape is intensifying, there’s a silver lining: the cybersecurity insurance market is softening, creating a timely opportunity for housing providers to reevaluate their coverage, improve risk management practices, and potentially reduce cybersecurity insurance costs—if they can demonstrate cybersecurity readiness.
We spoke with cybersecurity insurance specialists, both internal and external, to provide insights into the current state of the cybersecurity insurance market, emerging trends, and cost-effective measures agencies can take to reduce their risk.
Cybersecurity insurance: a market with expanding opportunities
Cybersecurity insurance is currently in what’s considered a buyer’s market, according to Angel Fear, assistant director of account services
at HAI Group. What does that mean? Supply exceeds demand, resulting in more competitive pricing, broader access to coverage, and a market that’s more favorable for insureds.
“Cyberattacks are still happening on a daily basis,” Fear noted. “However, more carriers are coming into the market space, creating more capacity. We have a growing list of cybersecurity insurance providers who will quote public housing authorities (PHAs) because they understand them and get what PHAs do, who they serve, and their budgetary limitations.”
Within a buyer’s market, new players often emerge in the industry.
Fear explained that while additional cybersecurity coverage options can be beneficial, some of these providers may only last
a few years before closing due to a high volume of claims or the costs associated with them, even if they initially find success.
Brad Winchester, partner and director of construction and real estate practice at M3 Insurance, echoed Fear’s comments, recognizing
carrier growth.
“There have been some additional entrants over the past year and a half,” Winchester said. “This has allowed us to bring additional options, which breeds competition and leads to better outcomes for insureds. But I always recommend that insureds to weigh the present with the future and not hop around—it’s prudent to work with a carrier that plans to be around for the foreseeable future.”
The market shift has led to some cybersecurity coverage requirements becoming less stringent. For example, carriers may offer quotes
to agencies even if they haven’t fully implemented multifactor authentication (MFA), often with sub-limits instead.
While coverage requirements may be more flexible, it’s important to note that this should not be seen as an excuse to skip key best practices, like implementing MFA.
“It’s still crucial to follow best practices, even if the requirements are less strict, to ensure your agency is fully protected,” Fear emphasized.
Risk trends: AI, human error, and regulatory pressures
While public and affordable housing isn’t a primary target like healthcare or financial services, the assumption that “it won’t happen to us” is dangerous, says Gary Sullivan, senior director of emerging risks at the American Property Casualty Insurance Association (APCIA).
“It’s a pervasive mentality among small and medium-sized enterprises, regardless of industry,” he said. “That mentality needs to shift.”
Instead, organizations should focus on how they can protect themselves, both software-wise and hardware-wise.
Key Threats to Watch:
Generative AI and Sophisticated Scams
Voice cloning and vishing attacks are on the rise, enabling attackers to impersonate trusted individuals. At the same time, cybercriminals are increasingly leveraging subscription-based malware tools to automate attacks, making it easier for individuals with less technical expertise
to carry out these threats.
“People can purchase these subscription-based programs and run
the attack software themselves,” said Ross Heginbottom, senior
client executive at M3 Insurance.
Human Error Remains a Major Threat
Business email compromise, phishing, and smishing are the top causes of data breaches. Sullivan noted that internal training and awareness are crucial. For example, some organizations, including APCIA, send fake phishing emails to employees to test their knowledge. If a dangerous link is clicked, the employee undergoes training, helping to reinforce awareness among staff, Sullivan said.
Fear says that with proper training and education, many cyberattacks can be prevented, as this training leads to the development of a human firewall which acts as a first and last line of defense against cyberattacks.
“Education is critical to protect a business from such attacks, as human error is one of the leading causes of allowing cybercriminals to access your information and data,” she said.
Data Privacy Laws and Regulatory Reporting
Kristin Abbott, senior director and counsel for cyber and privacy at APCIA, noted that expanding state-level data privacy laws are becoming
more complex and may create overlapping requirements for agencies operating across different states.
Additionally, the Cyber Incident Reporting for Critical Infrastructure Act, expected to go into effect in 2026, may require multifamily housing providers to report significant cyber events to federal agencies, depending on how “critical infrastructure” is defined, according to Abbott.
Low-cost steps to boost cybersecurity and reduce costs
Many public and affordable housing agencies face financial limitations. And while they may not have significant financial assets to lure cybercriminals, they possess something just as valuable: personally identifiable information (PII), including private data on residents
and employees.
“Public and affordable housing agencies hold sensitive information
that could be exploited or used to essentially hold an agency hostage,” Winchester said. “For many public housing authorities, cybersecurity is
a relatively new concern, but it’s crucial for these agencies to understand the serious risks they face if their information isn’t properly protected.”
HAI Group Online Training offers a curated list of cybersecurity-related courses, available to HAI Group policyholders and subscribers. Topics include browser security basics, email and messaging safety, incident preparedness, social engineering, and more.
Below are several cost-conscious, high-impact strategies housing agencies can implement mitigate cyber risks (for more resources, be sure
to download the APCIA’s Cybersecurity and Data Security Best Practices):
Strengthen Core Cybersecurity Measures
- Multifactor Authentication (MFA): Implement MFA for all systems, not just the agency’s main platform.
- Endpoint Detection and Response (EDR): Deploy monitoring to detect suspicious activity.
- Data Backup Management: Regularly back up essential information and test recovery procedures.
- Password Protection: Implement strong password policies and enforce account lockouts.
- Patch Management: Keep all software current and patched.
- Access Controls: Base system access on job role, not individual discretion.
Prioritize Employee Training
- Conduct regular, engaging cybersecurity awareness training.
- Test employee awareness through phishing simulations.
- Institute retraining for staff who fall for simulated attacks.
- Use HAI Group Online Training’s cybersecurity learning pathway.
Map and Protect Data
- Identify what data is collected.
- Understand where and how data is stored and shared.
- Limit access based on necessity, not convenience.
Take Advantage of Free and Low-Cost Resources
- Use free cybersecurity services from CISA, including vulnerability scans and phishing assessments.
- Encourage staff to complete free or low-cost cybersecurity training to build awareness.
- Stay informed with free reports and updates from trusted industry organizations.
HAI Group offers the annual Loss Prevention Fund, a reimbursement program available to policyholders and members. Cybersecurity risk mitigation initiatives are considered for funding in addition to other
risk management and loss prevention programs implemented by housing authorities. In 2025, $3.5 million in funding was available. You can find out more about the program, past winners, and more
on the HAI Group website.
- Partner with the right carrier.
- Work with carriers who specialize in affordable housing and understand their operations.
- Ensure insurance applications are thorough and truthful to avoid issues during claims.
- Use best practices from APCIA and CISA to help clients prepare for underwriting evaluations.
Final thoughts
Cybersecurity isn’t just a back-office concern anymore—it’s a frontline risk that multifamily housing agencies must address. With the
insurance market softening, now is the time for organizations to invest in smart, cost-effective protections that safeguard sensitive data,
maintain operations, and keep insurance costs manageable.
Agents and brokers: Contact HAI Group’s Business Development team to learn how we can help you secure cybersecurity coverage
for your clients through one of our trusted third-party vendors.
HAI Group policyholders: Reach out to your account executive to explore cybersecurity coverage options, risk management resources,
and learning opportunities available through HAI Group Online Training.
This article is for general information only. HAI Group® makes no representation or warranty about the accuracy or applicability of this information for any particular use or circumstance. Your use of this information is at your own discretion and risk. HAI Group® and any author or contributor identified herein assume no responsibility for your use of this information. You should consult with your attorney or subject matter advisor before adopting any risk management strategy or policy.
HAI Group® is a marketing name used to refer to insurers, a producer, and related service providers affiliated through a common mission, management, and governance. Property-casualty insurance and related services are written or provided by Housing Authority Property Insurance, A Mutual Company; Housing Enterprise Insurance Company, Inc.; Housing Specialty Insurance Company, Inc.; Housing Investment Group, Inc.; and Housing Insurance Services (DBA Housing Insurance Agency Services in NY and MI).
