The Quarterly Risk Report highlights issues that pose risk to associations and provides resources to help associations build knowledge, incorporate best practices, and avoid claims.
Report Downloads
Download the Q2 Risk Report
Download the Q1 Risk Report
2022 Reports
Download All 2022 Quarterly Risk Reports
Download the Q4 Risk Report
Download the Q3 Risk Report
Download the Q2 Risk Report
Download the Q1 Risk Report
Claims Reported: 18
(13 active/5 potential claims)
4 Employment
3 Cyber
3 Professional Standards
2 Copyright
2 Governance
1 Defamation
1 MLS
1 Membership
1 Other
IN THE SPOTLIGHT: Data Privacy and Cybersecurity
Nationwide, there have recently been high-profile data breaches and an increase in identity theft. Because REALTOR® associations manage a great deal of information, including sensitive financial data, it's important to be diligent with data privacy and to ensure cybersecurity. Already, the number of cyber claims filed on the NAR professional liability policy has increased seven times (7x) over all of last year. The following are common cybersecurity and data risks that REALTOR® associations should guard against.
- Email Hacking
The fraudster hijacks or impersonates business email accounts (often those of the CEO or senior staff) to defraud the company by tricking its customers, partners, or employees into sending money or sensitive data to the attacker. Often, the fraudsters hack into the company's email by initially targeting a lower-level employee. They gain access to the account either by trying common passwords or by sending employees a fake password-reset email, which gives the fraudsters access to confidential information.
- Network Intrusion
Fraudsters forcibly enter a digital network without the permission of the network owner. One way fraudsters infiltrate networks is through innocuous-looking trojan horse malware and worm viruses, often hidden in peer-to-peer file exchanges (email attachments), which open a backdoor to unfettered access to a network and all its data. These viruses actively seek out specific types of confidential information and send the data to intruders waiting outside of the network.
- Ransomware
Here fraudsters use malicious software to encrypt a victim’s files or lock an operating system and demand a ransom payment to make them functional again. Hackers will steal and threaten to publish sensitive files if their demands are not met. Ransomware is designed to spread across a network and target database and file servers, so it can quickly paralyze an entire organization. But ransomware also can target individuals and companies of all sizes.
The major point of weakness for the above risks is often passwords, which account for eighty percent (80%) of hacking-related breaches. Traditional user login and password access, known as single-factor authentication, is often easy for criminals to hack into, so other layers of protection are needed to prevent cybercrime losses. Multifactor authentication systems offer a second line of defense and reduce the risk of compromise by these fraudsters. These bolstered protections are vital for protecting important information.
REALTOR® association executives should be aware of the risks facing not only their association but also its members, and should educate staff and members about steps they can take to avoid falling victim to cybercrime.
Best Practices
Data Privacy
- Develop and implement privacy and data security policies, and communicate those policies clearly to members and staff.
- Collect and use information about members only where the REALTOR® association reasonably believes it would be useful to the members (and allowed by law).
- Maintain reasonable security standards and procedures regarding access to all confidential information.
- Review agreements with vendors who handle member data and other sensitive information for data privacy safeguards and indemnity provisions.
- Do not provide any personally identifiable information to a third party without first ensuring they have data privacy safeguards and comply with applicable law.
Cybersecurity
- Require all staff to take annual cybersecurity and data privacy training.
- Ensure your staff know how to identify and properly handle suspicious links and attachments.
- Routinely patch and update business software and equipment.
- Back up data and files regularly, following the 3-2-1 backup strategy: 3 copies of the data in 2 different formats, with 1 copy stored off-site.
- Consider using a third-party vendor to conduct phishing tests with staff.
- Require staff to change their password at least once every three months.
- Implement a multifactor authentication process that requires additional steps, such as verifying user authenticity via a text message, before granting access to email.