Any organization with a computer is at risk for cyberattack — and nonprofits are no exception.
In fact, nonprofits face unique challenges because they often don’t have the funds to build a strong IT infrastructure or purchase cyber insurance. Without an IT department, they are also likely to miss proactive steps such as applying software updates and security patches, says Ryan Brandt, area vice president at Gallagher.
Smart Business spoke with Brandt about how nonprofits can mitigate their cyberrisk.
How common is it for nonprofits to experience cyberattacks?
It’s not something they’ll see every day, and nonprofit leaders may not be fully informed about cyberrisk and cyber liability insurance because it’s a new and rapidly changing risk area.
One leading cyber insurer studied cyber incidents since 2016 and found health care to be the most heavily impacted industry, at 33 percent. This includes nonprofits that contract with health care entities and have access to medical records.
In addition, any nonprofit is susceptible to attack through its donation web page. This exposure falls into the retail sector in many surveys, and retail is another high-risk industry. In one instance, hackers donated $1,000 every month for six months, which was the time it took to penetrate the website’s vulnerable points. The hackers then stole 90 percent of the nonprofit’s grant balance.
Another study, commissioned by GuideStar, found that 78 percent of nonprofits have added mobile device capability to their donation traffic. This streamlined process creates ease of use, but it also increases the risk of a cyberattack.
What reasons do nonprofits give for why they don’t purchase cyber insurance?
It usually comes down to budgetary restrictions. Nonprofits have limited resources for cost items such as workers’ compensation, employee benefits and other insurances.
Also, some nonprofits rely on their IT vendor to provide the appropriate protection for their legal exposure following a breach. Unfortunately, in most instances, the protection is inadequate.
How should nonprofits address this risk, either through insurance or other activity?
Education is critical. Have someone come in to discuss the risks with your staff, such as the dangers of a phishing campaign, where, for example, your employees get an email that includes a chance to win Steelers tickets. However, when they click on the email’s link, it’s tied to hackers. Other risks are ‘spear phishing,’ which targets someone who handles the day-to-day finances like a controller, or ‘whaling,’ which specifically goes after someone in the C-suite.
Social engineering is a concern, especially if your nonprofit does international relief work. If the CEO or team leader is overseas, the home office may receive an email that looks legitimate, asking for money to be transferred. Ransomware, where the infrastructure is held for ransom, is another danger.
Cyber liability insurance is relatively inexpensive — yet too often it’s considered a luxury, not a necessity. Even if cyber insurance isn’t a line item on your budget, nonprofit leaders should evaluate whether their current insurance program could be modified to make the addition of cyber insurance a cost-neutral event.
As the threat environment continues to escalate across all industries, the insurance market is evolving to provide robust cyber solutions in a competitive market. Your risk management broker can assist you in developing a practical strategy to evaluate your cyberrisk and manage the financial risk of a cyber event in a prudent and thoughtful manner.
Insights Insurance/Risk Management is brought to you by Gallagher