This newsletter explores the emerging legal topics and issues affecting the condominium and cooperative services industry. Thought-leading attorneys from Moritt Hock & Hamroff’s Condominium and Cooperative Services Practice Group share their legal insight, experience and best practices on this rapidly evolving area of law.
About The Group
Moritt Hock & Hamroff’s Condominium and Cooperative Services Practice
Group represents clients in all aspects of condominium and cooperative law.
$18 Million Cyber-Fraud Raises Important Questions For Co-op And Condo Boards And Their Insurance Carriers
On July 29, 2025, according to multiple media reports, Milford Management Corp., a property management company and subsidiary of prominent real estate firm Milstein Properties, notified its portfolio of managed condominium associations in Battery Park City that it had been the victim of a cyberfraud scheme and had lost in excess of $18 million (!) in funds belonging to its client properties.
On September 12, 2025, one of the condo boards represented by Milford filed a lawsuit, captioned Board of Managers of Liberty Terrace Condominium v. Milford Management Corp., N.Y. Co. Index No. 655458/2025, seeking the return of $1.3 million, which amount represents this condo building’s share of the overall $18 million lost by Milford.
The stunning scale of the fraud was made possible in part because of the way these properties in Battery Park City are organized. The land is owned by a governmental agency, the Battery Park City Authority (BPCA), which developed the buildings and then leased them out to condominium associations on long-term ground leases. These ground lease condominiums must make periodic rent and PILOT (tax equivalent) payments to the BPCA, which payments can exceed seven figures. Because Milford manages multiple properties in Battery Park City, the rent and PILOT payments processed by Milford were stolen from multiple properties all in one go.
According to the complaint, Milford was the victim of a classic phishing scheme – an employee in charge of processing wires received an e-mail purporting to be from a BPCA employee (but in reality a fraudster) providing new wire instructions for the BPCA’s June 2025 invoice, and the Milford employee not only failed to recognize the indicia of fraud evident on the e-mail itself (among other things, the e-mail was sent from a “.com” rather than a “.gov” e-mail address) but also allegedly failed to verbally confirm the new wiring instructions before releasing the funds.
For readers of this newsletter, one obvious lesson is that it is important to always follow best practices for making payments by wire transfer, like verbally confirming wire instructions. However, that advice is not particularly useful when faced with the possibility (indeed inevitability) of human error. Here, Milford undoubtedly already had those official protocols in place, but this time, for whatever reason, those procedures were not followed.
One might think that these sorts of events should be covered by insurance, but there may be difficulties. First, a generic “cyber” insurance policy probably will not cover the type of loss suffered here. Cyber policies typically only cover classic “hacking” schemes, whereby a criminal breaks into a company’s computer files using his or her own technological skills and tools. In contrast, the loss here was as a result of a phishing scheme, whereby a human employee was fooled into facilitating the theft. These types of losses are covered, if at all, by “social engineering” coverage that may or may not be specifically added to the underlying cyber or crime policy. Thus, the first takeaway for boards is to find out whether their buildings and management companies have social engineering coverage under their existing policies.
Second, and relatedly, we understand that even where buildings have social engineering coverage written into their policies, the coverage limits tend to be low. Perhaps only a few buildings are ever likely to need to wire out seven-figure payments at once like the ground lease condominiums discussed above, but in any event it would be a good idea for boards to contact a reputable insurance consultant to confirm whether they and their management companies have sufficient social engineering coverage to protect themselves from these increasingly common phishing schemes.
Recent Court Decisions Have Narrowed The Scope Of By-Laws Indemnification Provisions
Co-op and condo board members and officers serve without compensation, but in the course of their duties they may, from time to time, be named as individual defendants in lawsuits. This can include lawsuits filed by outside third parties and it can also even include lawsuits brought against the individuals by the co-ops or condos themselves (known as “intra-party” disputes or “direct” actions).
To help attract qualified volunteers to serve despite this inherent possibility of litigation, co-ops and condos need to provide comprehensive insurance coverage as well as promise in their by-laws to indemnify these individuals so that, as long as they were acting within the scope of their duties, they will not have to pay attorneys’ fees or damages awards out of their own pocket.
In order to indemnify against both third party and intra-party disputes, it should be enough to state in your by-laws that board members and officers “shall be indemnified and held harmless from and against any and all claims, demands, liabilities, costs, damages, expenses and causes of action of any nature whatsoever,” right? Wrong!
In 2022, the Court of Appeals in Sage Systems, Inc. v. Liss, 39 N.Y.3d 27 (2022), held –perhaps counterintuitively – that because the broad indemnity provision excerpted above did not make “unmistakably clear” that the parties intended to shift responsibility for attorneys’ fees in intra-party disputes (where the indemnitor and indemnitee are suing each other), the default rule that parties are responsible for their own attorneys’ fees still applied.
In July of this year, the Commercial Division in CWCapital Investments LLC v. CWCapital Colbalt VR Ltd., 2025 N.Y. Slip Op. 32557(U) (Sup. Ct. N.Y. Co. July 10, 2025), found that a similar provision, which indemnified a manager “from any and all Liabilities, as are incurred in investigating, preparing, pursuing or defending any claim, action, proceeding or investigation . . . caused by, or arising out of or in connection with this Agreement, the Indenture and the transactions contemplated hereby and thereby,” nevertheless did not cover intra-party claims.
Thus, it seems apparent that this line of cases is here to stay. For co-op and condo boards that wish to continue to attract qualified individuals to serve as board members and officers, and therefore provide full indemnity protections for both third-party and intra-party claims, they need to review the indemnification provisions of their by-laws. It is no longer enough for those provisions to indemnify for “any and all” claims “of any nature.” The provisions need to include language that unequivocally and unmistakably covers attorneys’ fees incurred in both third-party and direct actions. If you are not sure whether your indemnification provisions are clear or specific enough, we encourage you to contact counsel.
Buildings Face Looming, But Long-Standing, Deadline To Complete Elevator Upgrades
If your building has recently undertaken, is currently undertaking, or still needs to undertake an elevator modernization project, rest assured that you are not alone. In recent months we have observed a significant increase in buildings signing up to perform work on their elevators.
The culprit here is the “single plunger brake,” which is a hydraulic or spring-loaded braking device that stops and holds an elevator car in place during emergencies. Because it is a “single” brake, it can be a “single” point of failure, which can have catastrophic consequences. Many older NYC elevators apparently still use these single plunger brakes.
By no later than January 1, 2027, any elevator cars with these single plunger brakes must be upgraded to use “dual plunger brakes” (thereby solving the single point of failure problem) or “rope gripper brakes” (an alternative braking system with more built-in redundancy).
Alternatively, buildings may opt to modernize their entire elevator systems, which is what many buildings have decided to do, because elevators with single plunger brakes may already be at or near the end of their useful life anyway. It ends up being cheaper and less disruptive to do one comprehensive elevator project now rather than doing one stopgap project now and then another project just a few years down the road.
As for the specific timing, when did this January 1, 2027 deadline first appear? In looking into this question, we suspected that it was part of the “Elevator Safety Act,” which overwhelmingly passed the New York State legislature in 2020 after a well-publicized elevator fatality in 2019 spurred calls for increased regulation. However, it appears that this deadline has its roots all the way back in 2002, when the American Society of Mechanical Engineers (ASME), the industry group responsible for promulgating elevator safety standards, first called for the phasing out of single plunger brakes.
The New York City Building Code adopted a version of ASME’s requirement in or about 2009, but gave building owners all the way until 2027 to comply. Thus, while buildings may currently be scrambling to comply with this particular regulatory mandate, in this case buildings appear to have had more than enough fair warning.
