With so much on their plates, it’s not surprising that cybersecurity isn’t at the top of some not-for-profits’ to-do lists.
But cyber risks are real and can prove costly in terms of both finances and reputation. Fortunately, you can take some proactive steps to reduce your risks without breaking the bank.
Why your not-for-profit is vulnerable
Cybersecurity isn’t just for the Targets, Home Depots or Citibanks of the world. Not-for-profits are increasingly threatened by data breaches, partly because they generally have less sophisticated protections and fewer resources to fight the danger than larger or for-profit organizations. Client records, donor information and credit card data all could be targeted for theft.
Cybercriminals might access information by attacking your organization’s servers, of course, but that’s not the only risk. Many not-for-profits outsource services such as bookkeeping, payroll and donation processing to third parties. Your information could be vulnerable if these providers have inadequate data security. And it’s not only cyber attacks that you should worry about. Data also can be exposed if, for example, an employee loses a laptop, smartphone or flash drive containing sensitive information.
The potential costs are high, according to NetDiligence, a cyber risk assessment and data breach services company. Its 2016 Cyber Claims Study, which examined 176 cyber liability insurance claims, found that “Non-Profit” was the fourth most affected sector with 19 claims, more than both “Financial Services” (18 claims) and “Retail” (17). The mean cost of a not-for-profit claim was $208,015.
What you can do about it
To keep a lid on cyber risks, you should consider:
- Prioritizing cybersecurity. When data breaches or hacks hit the headlines, they usually involve familiar for-profit companies, so your employees might not worry too much about your not-for-profit’s security. To counter this mindset, management must prioritize cybersecurity and clearly communicate its importance, both internally and externally. A not-for-profit that takes its security seriously is less likely to be targeted.
- Conducting appropriate training. Demonstrate the importance of cybersecurity by training your employees extensively on their roles in preventing breaches. Your employees — as well as volunteers and board members who use your computers — need to know about the risks they may encounter: for example, phishing emails with malicious links. They also should be aware of the policies and procedures you’ve created to address those risks.
- Familiarizing yourself with the law. Federal and state rules and regulations may impose certain cybersecurity obligations on your organization. Hospitals, for example, must comply with the federal Health Insurance Portability and Accountability Act (HIPAA) Privacy, Security and Breach Notification Rules and the HITECH Act. Almost every state has a law requiring organizations to notify affected individuals of data breaches involving personally identifiable information. And the Federal Trade Commission’s disposal rule requires proper disposal of information in consumer reports and records to prevent unauthorized access to the information.
- Performing a risk assessment. A team composed of representatives from across the organization should assess its cyber risks so you can implement appropriate internal controls. A risk assessment typically begins by taking an inventory of systems and data and ranking them by importance and sensitivity. The team can then devise measures to mitigate the various risks, deploying the available resources according to the level of risk. The team also could develop incident response plans so the organization can move quickly in the event of a breach.
- Upgrading your computers. It’s not unusual for not-for-profits to have older computers or software, which are much more vulnerable. The risk is even greater when the manufacturer no longer provides technical support or security updates, as with Microsoft’s Windows XP. The costs of a breach down the road could far outweigh the upfront costs of new hardware and software.
Stay on top of things
Technological advances are coming at us fast and furious, and cyber risks are evolving at a similar pace. You can’t afford to ignore technology that might help you accomplish your mission. But you also should take steps to address the associated risks and protect your organization and its stakeholders.
Sidebar: What about insurance?
A growing number of not-for-profits are looking into data breach insurance (also known as cyber liability or cyber risk insurance) to cover costs not covered under general liability insurance.
Cyber insurance usually covers regulatory fines and penalties, lawsuits and response costs (for example, forensic analysis, notification of affected parties and public relations) for data theft or destruction. While the general coverage is similar across policies, some significant differences exist.
For instance, policies may or may not allow you to choose your own vendors in the post-breach response process.
You also should look at the specifics of the response coverage. Does the policy cover all response costs or only certain costs? A standard policy, for instance, might cover credit monitoring but not identity theft monitoring.
Obtaining your preferred response coverage will affect your premiums and sublimits. You should negotiate sublimits for each coverage area, rather than just an overall limit. Your existing security and privacy controls and your revenues also will likely affect premium rates. You can reach out to one of our not-for-profit consultants about reviewing your policies and procedures.