Cybersecurity threats are no longer limited to major corporations or highly regulated industries. Today, any organization collecting and storing personal data is a potential target—including public and affordable housing providers. As technology becomes more integrated into housing operations, so does the exposure risk. From property management platforms and online rent payments to employee email communications
and HR systems, the data stored and transmitted daily by housing authorities and property managers is of increasing value to cybercriminals.
The rise of generative AI and subscription-based malware tools has lowered the barrier to launching sophisticated cyberattacks. Email scams now mimic real conversations, and voice cloning tools can impersonate staff or vendors with unsettling accuracy. At the same time, data privacy laws are tightening, and regulatory reporting requirements are becoming more complex, placing more responsibility on organizations to protect sensitive information and respond quickly to breaches.
Yet, while the cyber risk landscape is intensifying, there’s a silver lining: the cybersecurity insurance market is softening, creating a timely opportunity for housing providers to reevaluate their coverage, improve risk management practices, and potentially reduce cybersecurity insurance costs—if they can demonstrate cybersecurity readiness.
We spoke with cybersecurity insurance specialists, both internal and external, to provide insights into the current state of the cybersecurity insurance market, emerging trends, and cost-effective measures agencies can take to reduce their risk.
Cybersecurity insurance is currently in what’s considered a buyer’s market, according to Angel Fear, assistant director of account services
at HAI Group. What does that mean? Supply exceeds demand, resulting in more competitive pricing, broader access to coverage, and a market that’s more favorable for insureds.
“Cyberattacks are still happening on a daily basis,” Fear noted. “However, more carriers are coming into the market space, creating more capacity. We have a growing list of cybersecurity insurance providers who will quote public housing authorities (PHAs) because they understand them and get what PHAs do, who they serve, and their budgetary limitations.”
Within a buyer’s market, new players often emerge in the industry.
Fear explained that while additional cybersecurity coverage options can be beneficial, some of these providers may only last
a few years before closing due to a high volume of claims or the costs associated with them, even if they initially find success.
Brad Winchester, partner and director of construction and real estate practice at M3 Insurance, echoed Fear’s comments, recognizing
carrier growth.
“There have been some additional entrants over the past year and a half,” Winchester said. “This has allowed us to bring additional options, which breeds competition and leads to better outcomes for insureds. But I always recommend that insureds to weigh the present with the future and not hop around—it’s prudent to work with a carrier that plans to be around for the foreseeable future.”
The market shift has led to some cybersecurity coverage requirements becoming less stringent. For example, carriers may offer quotes
to agencies even if they haven’t fully implemented multifactor authentication (MFA), often with sub-limits instead.
While coverage requirements may be more flexible, it’s important to note that this should not be seen as an excuse to skip key best practices, like implementing MFA.
“It’s still crucial to follow best practices, even if the requirements are less strict, to ensure your agency is fully protected,” Fear emphasized.
While public and affordable housing isn’t a primary target like healthcare or financial services, the assumption that “it won’t happen to us” is dangerous, says Gary Sullivan, senior director of emerging risks at the American Property Casualty Insurance Association (APCIA).
“It’s a pervasive mentality among small and medium-sized enterprises, regardless of industry,” he said. “That mentality needs to shift.”
Instead, organizations should focus on how they can protect themselves, both software-wise and hardware-wise.
Generative AI and Sophisticated Scams
Voice cloning and vishing attacks are on the rise, enabling attackers to impersonate trusted individuals. At the same time, cybercriminals are increasingly leveraging subscription-based malware tools to automate attacks, making it easier for individuals with less technical expertise
to carry out these threats.
“People can purchase these subscription-based programs and run
the attack software themselves,” said Ross Heginbottom, senior
client executive at M3 Insurance.
Human Error Remains a Major Threat
Business email compromise, phishing, and smishing are the top causes of data breaches. Sullivan noted that internal training and awareness are crucial. For example, some organizations, including APCIA, send fake phishing emails to employees to test their knowledge. If a dangerous link is clicked, the employee undergoes training, helping to reinforce awareness among staff, Sullivan said.
Fear says that with proper training and education, many cyberattacks can be prevented, as this training leads to the development of a human firewall which acts as a first and last line of defense against cyberattacks.
“Education is critical to protect a business from such attacks, as human error is one of the leading causes of allowing cybercriminals to access your information and data,” she said.
Data Privacy Laws and Regulatory Reporting
Kristin Abbott, senior director and counsel for cyber and privacy at APCIA, noted that expanding state-level data privacy laws are becoming
more complex and may create overlapping requirements for agencies operating across different states.
Additionally, the Cyber Incident Reporting for Critical Infrastructure Act, expected to go into effect in 2026, may require multifamily housing providers to report significant cyber events to federal agencies, depending on how “critical infrastructure” is defined, according to Abbott.
and employees.
“Public and affordable housing agencies hold sensitive information
that could be exploited or used to essentially hold an agency hostage,” Winchester said. “For many public housing authorities, cybersecurity is
a relatively new concern, but it’s crucial for these agencies to understand the serious risks they face if their information isn’t properly protected.”
Below are several cost-conscious, high-impact strategies housing agencies can implement mitigate cyber risks (for more resources, be sure
to download the APCIA’s Cybersecurity and Data Security Best Practices):
Strengthen Core Cybersecurity Measures
Prioritize Employee Training
Map and Protect Data
Take Advantage of Free and Low-Cost Resources
Cybersecurity isn’t just a back-office concern anymore—it’s a frontline risk that multifamily housing agencies must address. With the
insurance market softening, now is the time for organizations to invest in smart, cost-effective protections that safeguard sensitive data,
maintain operations, and keep insurance costs manageable.
Agents and brokers: Contact HAI Group’s Business Development team to learn how we can help you secure cybersecurity coverage
for your clients through one of our trusted third-party vendors.
HAI Group policyholders: Reach out to your account executive to explore cybersecurity coverage options, risk management resources,
and learning opportunities available through HAI Group Online Training.
This article is for general information only. HAI Group® makes no representation or warranty about the accuracy or applicability of this information for any particular use or circumstance. Your use of this information is at your own discretion and risk. HAI Group® and any author or contributor identified herein assume no responsibility for your use of this information. You should consult with your attorney or subject matter advisor before adopting any risk management strategy or policy.
HAI Group® is a marketing name used to refer to insurers, a producer, and related service providers affiliated through a common mission, management, and governance. Property-casualty insurance and related services are written or provided by Housing Authority Property Insurance, A Mutual Company; Housing Enterprise Insurance Company, Inc.; Housing Specialty Insurance Company, Inc.; Housing Investment Group, Inc.; and Housing Insurance Services (DBA Housing Insurance Agency Services in NY and MI).