It’s well documented that nonprofits are at just as much risk of a cyber attack as for-profit businesses—if not more so. So why aren’t nonprofits buying cyber insurance at a higher volume?
There are a number of reasons. Many of these can be traced back to erroneous beliefs and misconceptions about the level of risk—misconceptions that can have serious consequences, for both nonprofits and those they serve. Some of the most common of these include:
- “We don’t do transactions over our website, so we don’t need cyber insurance.”
Just because a nonprofit doesn’t take donations or membership dues online doesn’t mean they aren’t exposed to cyber-related losses. As a cost-saving measure, many nonprofits have employees or volunteers design their websites for free. These volunteers often have lots of dedication, but not always a high level of professional knowledge.
Under these conditions, a well-meaning developer could include images, music, and other material on the nonprofit website without the proper permission, which could result in copyright infringement charges for unauthorized use. In addition, online bulletin boards and testimonials can attract defamation claims and result in damages to reputation.
General liability policies specifically exclude copyright, patent, and trademark infringement, as well as personal injury arising from bulletin boards and chat rooms. The only way to get this coverage is through cyber liability insurance.
- “We don’t keep or store sensitive information.”
This isn’t an unusual claim, but often, nonprofits don’t realize exactly how far-reaching the definition of “personally identifiable information”—or PII, as referred to in privacy law—really is.
In fact, PII includes any information that can be used to identify, contact, or locate an individual, including: cell phone numbers, email addresses, social security numbers, driver’s license information, and health information.
Mailing lists of donors, volunteers, and members are essential to any nonprofit’s fundraising and operations. It’s difficult to imagine any organization that doesn’t maintain some way to identify and contact the people it depends on, and therefore, one that doesn’t need cyber protection.
- “We don’t store our data on a computer; we have paper files only.”
Data doesn’t have to be digital to be stolen. Paper files can also be the target of a data breach, and this can wreak as much havoc on an organization as a digital hack. A number of cyber policies will cover this type of occurrence.
- “We only use our computers for email.”
Email is one of the most vulnerable points of any organization, due to an attack known as “phishing.”
The term refers to emails sent by hackers to get the reader to give up sensitive information. These attacks can be surprisingly sophisticated, with emails and websites that cleverly mimic trusted organizations such as the recipient’s bank or a social media site they use.
According to a 2016 study by PhishMe, a whopping 91% of cyber attacks start with a phishing email. One reason why these are so pernicious is that these emails bypass even the strongest cyber security defenses—and thrive on human curiosity and error. According to the survey, almost one-third of employees will respond to phishing emails, even after receiving training on cyber security awareness.
And this is just as true, even two years after this survey was completed. In February 2018 alone, the cities of Savannah, Georgia and Allentown, Pennsylvania were the victims of digital breaches that caused financial damage in the millions. In each case, the breach was initiated by an employee opening a malicious email.
- “We don’t have a website or social media presence; therefore, we aren’t vulnerable.”
Hackers don’t have to rely on websites or social media presences to gain access to a nonprofit organization’s system. All an employee has to do is click on the wrong popup, get taken in by a phishing email, or unknowingly download an infected file to bring a cyber threat into a nonprofit organization.
- “We’re a small nonprofit; hackers wouldn’t be interested in us.”
There are plenty of examples of small organizations that thought the same thing—and were proven wrong.
For instance, the Red Barn, a small nonprofit that uses horses to help those with physical and cognitive disabilities, had its website hacked in 2015 by a group of terrorist sympathizers. The event made national news, damaged the nonprofit’s reputation, and left them without a website in the middle of a fundraising effort.
Far from being less vulnerable to attack, small organizations are low-hanging fruit for hackers. While larger organizations have more to lose, they also have stronger security measures.
Smaller nonprofits frequently can’t afford to take these extra security measures, leaving the door wide open to cyber attacks. The truth is that smaller nonprofits need cyber insurance just as much as larger organizations do—if not more.