Why Nonprofits Can’t Afford to Ignore Cyber Risk

Cyber breaches are more common than ever. Almost half of all organizations worldwide will experience a data breach [1]. The repercussions go beyond the financial: organizations that suffer a breach can also suffer reputational damage in the eyes of clients, donors, business partners and the general public.

For nonprofits, such repercussions can cause irreparable harm. Nonprofits tend to underestimate the cybercrime threat, believing either that they are less attractive targets than major for-profit enterprises, or that the external service providers performing their IT-related functions are the ones responsible for breaches.

Yet critical aspects of nonprofit business operations expose them to cyber risk, and nonprofits often lack the technology resources, infrastructure or staffing to manage it.

Consider the following:

  • Since the onset of the COVID-19 pandemic, many employees have been working remotely over home networks, which creates greater risk because those networks may be insecure and are outside the organization's control

The stakes have risen on PII

Nonprofit organizations solicit donations throughout the year, with the heaviest activity generally in the fourth quarter. They may store donor records containing personally identifiable information (PII), which is a tempting target for criminals. Even if an external party handles the data, the nonprofit is still considered the owner and remains liable for its safekeeping.

As many as 80% of all data breaches compromise PII, and the average cost of a breach is $150 per record [2]. These costs include civil liability, defense costs, regulatory fines and penalties, and the cost of business interruption. A breach also brings immediate expenses, including the costs of investigation, consumer notification, credit monitoring and public relations.

Be a responsible, prudent steward in three steps

Nonprofit leaders are responsible for the organizational assets entrusted to their care and are expected to exercise diligence and informed decision-making. The following three steps will help a nonprofit organization start improving its cybersecurity and reduce its risk.

Step one: Assess exposure. Determine the approximate number of records the organization owns that contain protected information, and identify vulnerabilities in technology infrastructure, people and processes. Relevant defenses include firewalls, antivirus protection, encryption and multifactor authentication on the technology side, and background screening, access restrictions, regular equipment inventories and physical security on the people and process side.

Step two: Build a team. Create a comprehensive information risk program and designate an employee or committee to champion cybersecurity. This team will help train employees and establish ways to recognize, report and resolve vulnerabilities.

Step three: Determine insurance options. Explore the availability and cost of commercial risk transfer. Specialty insurance products have proliferated, offering coverage that addresses multiple risk exposures, from traditional information risk to media liability. Carriers generally reward organizations that demonstrate superior data risk management with better-than-average cyber insurance rates.

Transferring risk to cyber insurance

Traditional forms of insurance such as property, general liability, management liability and crime policies provide only fragmented protection against data breaches. In fact, mainstream underwriters are continually introducing new exclusions to shift the burden away from those policies and onto specialty cyber solutions.

Cyber insurance is not one-size-fits-all: each policy must be tailored to the buyer's needs, based on its unique risks and exposures. A robust cyber policy should cover the following:

  • The services of a privacy attorney to help navigate legal responsibilities after a breach

Cyber risk management starts with quantifying an organization's risk and the cost of addressing it, and continues with the adoption of a thoughtful, holistic strategy that includes transferring risk to insurance coverage where possible. It is a process that will pay major dividends, even when a nonprofit may not seem like much of a target for cybercriminals.

HUB International

HUB International is a leading North American insurance brokerage that provides employee benefits, business, and personal insurance products and services.