HOA Insurer

Question

Does an HOA need cyber insurance and how does it differ from crime coverage?

Short answer

Most associations do carry a real cyber exposure through the owner data they hold and the funds they wire, and cyber insurance differs from a crime or fidelity bond in the fundamental trigger: the crime bond responds to dishonest insiders who steal funds they had custody of, while cyber responds to outside attackers, data breaches, and staff deceived into sending money to an impostor, which the bond generally will not cover.

Does an HOA actually have a cyber exposure?

Boards resist the idea that a residential community needs cyber insurance, because an association is not a technology business. But cyber exposure is not about being a tech company, it is about holding data and moving money, and an association does both.

An association keeps owner names, addresses, email addresses, and frequently the bank or ACH details owners put on file for assessment autopay. It holds board and vendor records. And it wires operating and reserve funds that on a mid-size or larger community reach well into six or seven figures. That combination, a concentrated store of personal and payment data plus a habit of moving large sums on emailed instructions, is exactly the profile attackers look for. The exposure comes in two shapes: an outside breach that exposes owner information, and a fraudulent instruction that tricks staff into sending funds to a criminal. Neither of those is what a board is usually insured against, and neither is what the crime bond the association already carries was built to answer.

The dividing line: insider theft versus outside deception

The clearest way to see how cyber differs from crime coverage is to ask who the bad actor is and how the money leaves. A fidelity or crime bond answers to dishonest insiders: a board member, an employee, or the managing agent who steals funds they had legitimate custody of. The Fannie Mae Selling Guide requires that bond for projects over 20 units under section B7-4-02, sized to three months of aggregate assessments plus reserves and extended to any managing agent that handles the money. Its trigger is an inside job.

Cyber answers to the opposite fact pattern: an outside attacker, and money that leaves through a legitimate instruction rather than a theft. When a spoofed email impersonating a board officer or a known vendor directs staff to wire funds to a new account, the person who released the wire was deceived, not dishonest, so the crime bond commonly does not respond at all. The FBI tracks this as business email compromise, and it is one of the largest categories of reported financial-crime loss precisely because it defeats technical controls by fooling a person. That seam, between insider dishonesty and outsider deception, is the single most important difference between the two coverages.

The half of the risk the crime bond never touches: data and breach liability

The funds-transfer story is only half of what cyber adds. The other half, the data breach, is a risk the crime bond does not touch at any point. If an association's systems, or its management company's systems, are breached and owner personal or payment information is exposed, the association faces two costs a crime bond was never designed to pay.

The first is third-party liability: the association's legal exposure to owners whose data was compromised. The second is first-party breach response: the association's own cost to investigate the breach, notify affected owners, and provide credit monitoring. Breach notification is not optional goodwill. Every state has a data breach notification statute that obligates an entity holding residents' personal information to notify them, and often the state attorney general, within a defined window after a breach. An association that has never thought of itself as a data custodian is still on the hook for those duties. Cyber liability is the coverage that funds both the liability and the response. The crime bond is silent on all of it, because its subject is stolen money, not exposed data.

Where the two coverages meet and can collide

The two are not perfectly separate, and the overlap is where boards get tripped up. The social engineering and funds transfer fraud exposure, staff tricked into wiring money out, can be insured on either side: as a sublimit on a cyber policy, or as a social engineering fraud endorsement bolted onto a crime policy. That means an association can end up with the coverage in two places, in one place, or in neither, and the two policies can disagree at claim time about which one responds first.

Two practical consequences follow. First, do not assume that carrying both a crime bond and a cyber policy means the wire-fraud loss is doubly covered. Read where the social engineering grant actually sits and at what sublimit, because carriers routinely write it well below the headline limit. Second, both grants usually carry a verification warranty, a requirement to confirm any wire or any change of banking instructions through an independent channel before releasing funds, and a claim can be denied if the association did not follow it. Map the coverage across both policies deliberately rather than assuming the two simply add up.

How a board should decide and structure both

For most associations the answer is not cyber instead of the crime bond, or the crime bond instead of cyber, it is both, sized to two different risks. Keep the fidelity or crime bond at the Fannie Mae B7-4-02 floor of three months of assessments plus reserves, with the managing-agent endorsement, because that is the warrantability requirement and the insider-theft protection. Add cyber for the data breach exposure and the outside fraudulent-instruction exposure the bond leaves open.

When reading a cyber quote, the number to scrutinize is the social engineering and funds transfer fraud sublimit, not the impressive aggregate on the front page, since a policy might show a $1M to $3M aggregate while the funds transfer sublimit lands in the $25,000 to $250,000 range. These figures are illustrative of how the market structures the coverage, not a quote for any particular association. Finally, confirm the management company carries its own cyber and crime coverage, because in most communities the manager holds the owner data and initiates the wires, and the association cannot rely on the manager's policy to protect the association's own balance. A board that carries both coverages, maps the social engineering grant across them, and enforces a callback verification control has closed a gap that a compliant crime bond alone leaves wide open.

Primary sources

Sources and references

This answer draws on the following regulatory, statutory, and standards-body sources. Coverage availability and program structure also depend on market appetite and underwriter discretion not captured by these sources.

Related practice areas

Insurance clauses in this area

Related questions

Have a more specific question?

A specialist will reach out by the end of the day.

Request a free coverage review

Free coverage review

A specialist will reach out by the end of the day.

No marketing sequences, no list rental.