Darren Bagnall of Flat Living Insurance looks at the issue of cyber security for block managers.
With all the upheaval of the pandemic diverting business owners’ attention, it could be easy for cyber security to slip quietly off the radar.
Unfortunately, hackers haven’t taken a break over the past couple of years. In fact, they’ve seized the opportunities presented: companies shifting to home working, handing out laptops, creating VPNs and having to make rapid software choices without their usual stringent vetting. Employees are using their home Wi-Fi or even public connections in coffee shops and pubs (a hacker’s dream!) and most workers are adjusting to a new way of life, both logistically and technologically, meaning they may have taken their eye off the ball when it comes to online security.
The Statistics
According to Government statistics generated from their annual Cyber Security Breaches Survey, 39% of UK businesses experienced cyber security breaches or attacks in the 12 months from March 2020 to March 2021. This is actually a reduction from the 46% reported in the previous year (which could be put down to the pandemic’s reduction in trading activity) and is therefore expected to creep back up through 2022.
Of those businesses affected by cyber-attacks, 21% reported a loss of money, data or other assets while 35% reported being otherwise negatively impacted. Can you afford to be taken back a step by a security threat?
Cyber Security in Property Management
Property Managers, Residents’ Management Companies and Right to Manage companies could be forgiven for believing that they are unlikely to be the targets of such incidents. However, a study by Hiscox in 2018 showed that UK small businesses (of up to 50 employees) suffered over 65,000 attempted cyber-attacks every day, with hackers successfully penetrating IT networks every 19 seconds on average.
Small businesses and Residents’ Management Companies are now widely viewed within the Cyber Security industry as the ‘low hanging fruit’ for cyber criminals, chiefly due to their traditionally moderate IT security budgets and reliance upon third-party providers.
The wide array of contacts, the funds that are collected and held, and the multitude of contractual obligations leave RMCs particularly exposed to cyber criminals. With so many access points for hackers to enter and potentially cause disruption, identifying risk controls and risk transfer mechanisms should be key to the successful operation of every RMC across the UK.
The high volume of sensitive owner information usually stored and processed means that cyber insurance should be viewed as an essential tool in your day-to-day operations.
A Little On GDPR
These strict data protection regulations have placed a particular emphasis on any organisation that holds personal information to safeguard data or risk devastating financial repercussions. Aside from the potential financial penalties for non-compliance (a maximum of the higher of 4% of turnover or EUR 20 million), GDPR places a number of other substantial responsibilities on organisations storing or processing the personal information of their customers and/or employees.
Companies are required to notify the UK Information Commissioner’s Office (ICO) and all affected individuals within 72 hours if personal information of employees, customers or third-party contractors is breached. The nature of the data breach is of secondary importance, whether resulting from a cyber-attack, the malicious acts of an employee or something as simple as a member of staff leaving a laptop or memory stick containing client information on public transport; the clock to non-compliance starts ticking from the moment the loss of data has been identified.
Be it one record stored, or one hundred million, these strict regulations provide a clear incentive for every individual and business owner to consider the potential damage that the mishandling of data can cause.
Example Scenarios
With all the techno-jargon involved, it can be hard to comprehend the risks and potential fallout caused by a breach. Here are a few in-context examples to show how easily you could fall foul:
1. Phishing Emails
An RMC employee received an email that appeared to be from one of their regular suppliers, requesting that they ignore their previous email as the attached invoice contained old bank account details.
A new invoice was attached with amended bank account details and the employee transferred their annual payment of approximately £29,000 to the new account.
The scam was only identified when the original supplier chased for payment, at which point the false email address and malicious invoice were identified. Given the time elapsed and the fact the RMC had explicitly asked their bank to change the account number, the payment was lost.
2. Ransomware
An error message appeared on all company computer systems stating that access to their network was restricted unless they transferred the equivalent of £2,500 in bitcoin to an untraceable account. The firm was unable to pay suppliers, access client information or conduct normal day-to-day business for 8 hours before they called in outside IT specialists to restore their systems.
Thankfully, the business had backed up their server the previous day, meaning the IT specialists were able to restore the network, although this cost the Company another £4,200.
3. Malware
A new RMC Director or Company Secretary downloaded an attachment from a client’s email, not realising it contained malware. The malware enabled hackers to access the RMC’s IT. The cyber criminals were then able to steal all information relating to residents and third-party supplier contracts used by the RMC, before wiping any record of the data from their IT network.
Substantial costs were incurred while trying to restore the data and the RMC received claims for damages from a number of individuals for breach of privacy. Legal costs of over £50,000 were incurred in settling such claims and complying with their regulatory requirements.
4. System Failure
A Property Manager who stores their customer information ‘on the Cloud’ thought that this would absolve them from their responsibilities under the GDPR. The Cloud service provider suffered a system failure which meant all access to customer records went down. This meant that the firm was unable to pay or manage financial transactions and they were also unable to view any records of payments made during this period of downtime.
Cover Yourself with Flat Living Insurance
Traditionally, cyber policies were very expensive to buy, and it was even more difficult to understand what they covered. Our award-winning cyber insurance product will cover you against all the key digital and online risks your business could face, starting at just £10 a month.
We provide access to third-party experts with the knowledge and experience to get you up and running again if you do experience an incident, and you also gain access to the tools and training services required to minimise the potential loss of a cyber breach.
We provide cover for anyone who manages insurance for flats and apartments so, whether you’re a Residents’ Association, Residents’ Management Company, Freeholder, or Managing Agent, we’d love to help you protect your business, customer and client information, as well as all of your online data, with a cyber insurance policy you can truly rely on.
Flat Living Insurance provides specialist insurance policies for blocks of flats and apartments. For more information or a quote, please contact a member of the Flat Living Insurance team on 0333 577 2044.