NAR Insurance Program Quarterly Risk Report

Download the Q2 Risk Report for 2023 pdf 910.37 kb

The Quarterly Risk Report highlights issues that pose risk to associations and provides resources to help associations build knowledge, incorporate best practices, and avoid claims.

Report Downloads

Expand all

Download the Q2 Risk Report

Download the Q1 Risk Report

2022 Reports

Expand all

Download All 2022 Quarterly Risk Reports

Claims Reported: 18

(13 active/5 potential claims)

4 Employment
3 Cyber
3 Professional Standards
2 Copyright
2 Governance
1 Defamation
1 MLS
1 Membership
1 Other

IN THE SPOTLIGHT: Data Privacy and Cybersecurity

Nationwide, there recently have been high profile data breaches and an increase in identity thefts. With REALTOR® associations managing a great deal of information which includes sensitive financial data, it’s important to be diligent with data privacy and to ensure cybersecurity. Already there has been an increase of seven times (7x) the number of cyber claims filed on the NAR professional liability policy than in all of last year. The following are common cybersecurity and data risks that REALTOR® associations should guard against.

Email Hacking

The fraudster hijacks or impersonates business email accounts (often the CEO or senior staff) to defraud the company by tricking its customers, partners, or employees into sending money or sensitive data to the attacker. Often, the fraudsters hack into the company’s email by initially targeting a lower-level employee at the company. This can happen by gaining access to the account by either trying common passwords or sending employees a fake email to reset their password giving them access to confidential information.

Network Intrusion

Fraudsters forcibly enter a digital network without the permission of the network owner. One way fraudsters infiltrate networks are through innocuous trojan horse malware, worm viruses often hidden in peer-to-peer file exchanges (email attachments), which open the backdoor to unfettered access to a network and all its data. These viruses actively seek out specific types of confidential information and send the data to intruders waiting outside of the network.

Ransomware

Here fraudsters use malicious software to encrypt a victim’s files or lock an operating system and demand a ransom payment to make them functional again. Hackers will steal and threaten to publish sensitive files if their demands are not met. Ransomware is designed to spread across a network and target database and file servers, so it can quickly paralyze an entire organization. But ransomware also can target individuals and companies of all sizes.

The major weakness point for the above risks are often passwords, which account for eighty percent (80%) of hacking-related breaches. Traditional user login and password access, known as single factor authentication, is often easy for criminals to hack into, other layers of protection are needed to prevent cybercrime losses. Multifactor authentication systems offer a second line of defense and reduce the risk of compromise to these fraudsters. These bolstered protections are vital for protecting important information.

REALTOR® association executives should be aware of the risks facing not only its association, but also its members, and educate staff and members about preventative steps they can take to prevent falling victim to cybercrime.

Best Practices

Data Privacy

Develop and implement privacy and data security policies, and communicate those policies clearly to members and staff.
Collect and use information about members only where the REALTOR® association reasonably believes it would be useful (and allowed by law) to the members.
Maintain reasonable security standards and procedures regarding access to all confidential information.
Review agreements with vendors who handle member data and other sensitive information for data privacy safeguards and indemnity provisions.
Do not provide any personally identifiable information to a third party without first ensuring they have data privacy safeguards and comply with applicable law.

Cybersecurity

Require all staff to take annual cybersecurity and data privacy training.
Ensure your staff know how to identify and properly handle suspicious links and attachments.
Routinely patch and update business software and equipment.
Backup data and files regularly, following the 3-2-1 backup strategy; 3 copies of the data in 2 different formats with 1 copy stored off-site.
Consider using a third-party vendor to conduct phishing tests with staff.
Require staff to change their password at least once every three months.
Implement a multifactor authentication process requiring additional steps such as verifying user authenticity via a text message before receiving access to an email.

NAR Resources

Data Privacy

Data Privacy & Security

REALTORS® strongly support efforts to protect consumers' sensitive personal information.

Data Security and Privacy Toolkit

File
April 29, 2022

Educating associations, brokers, agents, and MLSs about the need for data security and privacy.

Creating an Effective Data Security Plan

Video
July 1, 2022

Learn how your business can minimize the risk of a potential data security breach with a data security plan.

Managing Business Records Efficiently

Video
May 19, 2022

Learn how to better manage your business records by creating a document retention program.

Enforcement of Data Privacy Laws

Video
June 1, 2023

Learn how to protect your brokerage from expensive data privacy enforcement actions.

Cybersecurity

Cybersecurity: Risk & Opportunities for Associations

Video
September 15, 2022

Replay this webinar to learn about the cyber response coverage provided to REALTOR® associations through the NAR Insurance Program.

Protecting Your Business from a Ransomware Attack

Video
October 20, 2021

Learn what cybersecurity measures you can use to protect your business from a ransomware attack.

Phishing Scams Are ‘Tip of the Spear’ for Cyber Threats

April 6, 2023

Scammers often use fake emails and other phishing exploits to launch larger attacks like ransomware. Familiarize yourself with the warning signs.

Safeguard Your Data

April 25, 2023

The best way to stop cyberattacks: Stay educated on how to keep your information safe—and take the necessary steps to do so.

How to Thwart 6 Hacking Threats

October 14, 2019

October is National Cybersecurity Awareness Month—a time to think about the digital dangers to your business. Take these steps to stay safe online.

Held at Ransom

April 25, 2022

It is critically important that REALTOR® associations and MLSs are vigilant with their cybersecurity and have mitigation measures in place.

‘Smishing’ Texts From Scammers a Growing Cyber Threat

December 13, 2021

Hackers are trying to steal your money and data by sending fake texts prompting you to follow harmful links or give private information.

If you experience a cyber incident, please call the Chubb Cyber Crisis Hotline 1-800-817-2665 24/7 for immediate assistance.

Cyber Coverage Summary

The NAR policy includes both Cyber Liability and Cyber Response coverages, each with a $1,000,000 limit. Cyber Liability covers losses related to network intrusion, including digital data recovery, unintentional violation of a privacy or cyber law, extortion (ransomware), and failure to properly handle, manage, or store protected information.

Cyber Response coverage includes expenses (up to $100,000 each) for services including public relations, forensic investigation, compliance with privacy laws, and specialized legal services.

Chubb offers access to enhanced benefits and services through various third party service providers to deliver extra assurance and specialized attention for their cyber policyholders.

Book Collection: Cybersecurity

Quarterly Risk Report Q2 2023 Data Privacy Book images

The NAR Library & Archives has compiled a collection of eBooks about data privacy and cybersecurity to help you better understand your obligations and risks. Share this valuable collection with your board members and remind them that they have access to these books, and many more.

To access these eBooks and the entire NAR library collection, log in to NAR’s eBooks site using your NAR Member ID. Be sure to select “National Association of REALTORS®” as your primary library in the drop-down menu on the sign-in page.

EPL Tip

How should an association intelligently adopt employment-focused AI tools?

Employment focused AI driven tools promise and deliver significant operational efficiencies, cost savings, and enhanced workforce and workplace outcomes. These AI tools include tools related to recruiting, talent assessment, communication, disability accommodations and safety. However, the inner workings of these emerging tools and technologies cannot be simply explained. Further, there is no clarity on how the use of AI will be regulated by Congress, regulatory agencies and the courts, particularly in light of heightened public concern that AI algorithms are capable of discriminatory bias.

Forward thinking corporations can take a pragmatic approach in adopting these AI processes.

Consider whether you need AI. Even if a tool promises to address your entire business, start with a specific use case—one key business activity you want to enhance—and make sure that the anticipated improvements to that process that this AI will bring will be critical to your business. Then make sure that the tool under consideration will achieve that goal better than any other tool.
Investigate multiple vendors and tools and ask detailed questions on four (4) issues: how the product was tested to ensure absence of legally significant bias; what warranties, indemnity, or other support the vendor will supply if litigation results; whether the vendor has qualified testifying experts on hand to explain and defend their work product; and whether the vendor can provide confidential references of others who have used the tool for that same purpose.
Once you’ve adopted the tool, conduct or obtain initial testing to ensure legal standard are met and work with the vendor on any necessary enhancements. Document all your efforts to be a good corporate citizen. Review your results to make sure that the test is leading to the desired outcomes without creating a disparate impact.

Continue to ask questions to learn about evolving technologies as AI driven tools continue to emerge in the workplace.

This employment practices tip, and dozens more, are available to you on the EPL Assist^TMwebsite. Be sure to take advantage of this valuable benefit, which provides policy templates, sample documents, risk management resources, and advice and counsel on common employment law issues facing associations.

Coverage Corner

Addressing Common Policy Questions

Q: Does the policy cover losses when a vendor is attacked?
A: Yes. The policy covers “Cyber Incidents” which includes data recovery costs for the failure of a “Shared Computer System.” A Shared Computer System is one operated for the benefit of an Insured by a third party under written contract with an Insured, including data hosting, cloud services or computing, co-location, data back-up, data storage, data processing, platforms, software, and infrastructure-as-a-service. Chubb will determine the extent of coverage when a claim is made.

Have coverage questions? Check out these Professional Liability Policy FAQs .

Risk Management Webinar Series

gavel on laptop with glowing monitor risk management financial scams

Register for Financial Guardrails for Associations

Learn best practices to avoid financial disasters from an insurance expert, NAR's finance team, & the General Counsel for the Georgia REALTORS®.

Risks ahead road sign in front of cloudy sky background

Risk Management Webinar Series

The Risk Management Webinar Series is a quarterly series for REALTOR® AEs & legal counsel; enhance skills while reducing risk for common claim types.