Cyber risk in 2020 is not a matter of IF an incident will happen; it’s a question of WHEN. Almost every organization today is exposed, including those operating in the non-profit sector.
Non-profits are just like any other business when it comes to cyber risk. Many conduct e-commerce online for things like processing donations and event registrations, running virtual courses, and connecting communities via newsletters and other information outlets. By engaging in these activities, non-profits are collecting, storing and potentially transferring the personally identifiable information (PII) of their donors and the individuals they serve. All of that creates exposure that cyber criminals and hackers are all too keen to exploit.
While non-profit cyber security risks cannot be avoided altogether, many cyberattacks can be prevented using risk management best practices. For example, non-profits should be using encryption tools and secure websites that protect both the customer and the company during online financial transactions. In a similar vein, they should also use a secure server and network for collecting, sorting, and transmitting PII via email communications. Employee training is also critical, as most cyber insurance claims today stem from human error, regardless of whether the claimant is for-profit or non-profit.
“Non-profit organizations have to provide their employees with cybersecurity training and awareness,” said Parvathy Sree, vice president of underwriting in AmTrust Financial Services’ non-profit division. “That’s even more important than ever in the context of COVID-19, when non-profits are providing more and more services online. For example, some schools and kids’ camps are now providing classes online or via Zoom, so they need to think about questions like: How do they prevent Zoom bombing? What kind of IT security and privacy protocols do they have in place? Non-profits have to understand that cyber risk is constantly evolving, and they need to stay aware of the risk, and adapt to the risk landscape. That requires continuous employee training.”
Cyber insurance is an important part of the risk transfer process. It’s sometimes regarded as an “extra” and “unnecessary” insurance expense for non-profit organizations, many of which (especially the small, local set-ups) are running on extremely tight budgets. Rather than purchase cyber insurance, they rest on the idea that their benevolent nature will protect them from any type of criminal attack. But, unfortunately, in today’s cyber risk landscape, that notion of protection is somewhat misguided. Hackers do not discriminate between for-profit and non-profit organizations.
“I’ve heard non-profits say: ‘We’re using a cloud service to store our data, so we should be protected,’ or ‘We use PayPal for donations, so they’ll be liable for any cyberattack and not us.’ In response, I always say: ‘You can outsource the service, but you cannot outsource the risk.’ If a non-profit is using a cloud service and that cloud service is hacked, that non-profit will have a problem,” Sree told Insurance Business. “Non-profits have to use proper legal counsel and IT services – two value-added services that come with most standard cyber insurance policies – to make sure that when they’re outsourcing to third-party service providers, they’re protected from any damages and connected liability.”
There are plenty of affordable cyber insurance options available to non-profit organizations in the United States. For example, AmTrust offers cyber liability coverage to its non-profit clients on a comprehensive standalone basis and via a non-profit package product. The package product, through which insureds can get $50,000 of cyber liability coverage for an annual premium of around $95, has proven particularly popular among smaller non-profit organizations.
Ian Perry, underwriting manager in AmTrust’s non-profit division, commented: “The uptake of cyber in the package product has been tremendous. Most non-profit insurance policies that we’re quoting on the package side today include some cyber liability coverage, whether that’s a $50,000 limit or a $100,000 limit. There are even underwriters on the package side that are including cyber as a standard coverage on every policy, and we’re finding that most insureds are happy to see they have a little bit of cyber protection, whether they initially asked for it or not.”
When it comes to cyber insurance, the buy-in has to come from the top, even for some of these more economical products. According to Sree, it’s critical that executive management and the board of directors acknowledge the prevalence of cyber risk, the importance of cybersecurity, and the benefit of spending money on cyber insurance. While they might save a few hundred dollars by not purchasing the coverage, their financial outlook could well be a lot worse if they suffer a breach or a hack without insurance to fall back on. In fact, not only could that lack of insurance result in severe out-of-pocket costs, but it could also result in management liability litigation if it is deemed that top executives failed to carry out due diligence in their decision not to purchase cyber insurance.
“This is why it’s so important for non-profits to work with a knowledgeable insurance agent who specializes in non-profit risk,” explained Jim Scardino, head of AmTrust’s non-profit division. “Those agents’ recommendations will go a long way, and to the extent that they’re becoming more aware of the exposures cyber can represent, they’ll be able to advise their non-profit clients with more conviction. I think the distribution network is going to play a huge role in the growth of cyber insurance in the non-profit sector.”