Why cyber insurance is critical for nonprofit organizations
Nonprofit organizations play a valuable role in advocating for their clients, improving communities, and positively impacting the lives of many. They also face unique cyber risks due to their handling of sensitive individual data and reliance on donations. The financial and personal data typically handled by nonprofits make them an attractive target for attackers seeking to exploit the valuable data for monetary gain.
Nonprofits often have limited resources and tight budgets, which can hinder their ability to invest in comprehensive cybersecurity solutions and staff training. As a result, they may not have the necessary expertise or systems to detect and respond to cyber threats effectively.
A cyber attack targeting a donation system or website can severely impact a nonprofit's ability to raise funds and even expose donors to becoming victims of scams or fraud. Cyber incidents involving technology could expose sensitive data and lead to costly data breaches, not only damaging the reputation and credibility of the organization but also resulting in significant financial losses, reinforcing the importance of cyber insurance to protect their organizations.
How bad could one small security incident be?
$98,000
Average cost of a cyber claim for nonprofit organizations
58%
Percentage of cyber attacks originating from email inbox
$172,000
Average ransomware loss for nonprofit organizations
Unique exposures for nonprofit organizations
How essential technologies can create cyber risk
Client intake and case management software
Many nonprofits provide services directly to their clients and use tools to determine eligibility, needs and track services delivered and progress over time. These types of systems are not only essential to the operations of the organization but often contain sensitive personally identifiable information about clients receiving services.
Donor management systems (DMS)
BIM software is used to create 3D models and help with planning, coordinating, and managing project costs. While BIM software can improve efficiency and reduce errors, the data it relies on exposes organizations to cyber risk in the event of a breach.
Online fundraising platforms
These platforms enable nonprofits to collect donations online, which is vital to the health of an organization. However, if a platform is compromised, cyber attackers can gain unauthorized access to donor information and potentially steal funds.
Mobile applications
Some nonprofits deploy mobile apps to reach wider audiences, facilitate donations, and raise awareness. If the applications are not secure, they can provide an entry point for hackers to access user information or perform unauthorized transactions.
Social media
Nonprofits utilize social media platforms for outreach, fundraising, and creating awareness. However, cybercriminals can exploit this increased online presence of nonprofits through social engineering techniques to steal sensitive information or launch phishing attacks.
Websites
Nonprofit websites provide information about the organization's mission, its projects, and collect user data. But if they lack proper security, websites can become vulnerable to hacks and expose sensitive user information.
How sensitive data can increase business liability
Board member information
Cyber attackers may target data pertaining to board members or other nonprofit leaders to gain unauthorized access to personal details, including contact information, professional backgrounds, or financial holdings. This information can be used for spear-phishing attacks or extortion attempts.
Donor information
Nonprofits typically maintain records about their donors, including names, addresses, contact information, and donation history. This data can be targeted and used for identity theft or sold on the dark web.
Financial data
Nonprofits may handle financial information, such as bank account details, credit card information, and transaction records. Cybercriminals can exploit vulnerabilities to gain unauthorized access to these records and conduct fraudulent activities.
Grant applications
Cybercriminals may target grant applications to gain access to sensitive information about a nonprofit’s plans, finances, or projects. This data can be used for corporate espionage or sold to competitors.
Volunteer information
Nonprofits often collect personal information about volunteers, including names, addresses, and background checks. Cyber attackers may use this information for identity theft or to glean additional details about people affiliated with the organization.
For more insights, download our complete guide:
Business impacts for nonprofit organizations
What to expect after a cyber incident
Direct costs to respond
Responding to a cyber event typically requires numerous direct costs, also known as first-party expenses. If a nonprofit organization experiences a data breach involving PII, it will require a prompt response and the need for additional legal counsel, forensic investigation, victim remediation, and notification to comply with regulatory requirements. Simple investigations can cost tens of thousands of dollars, while more complex matters can increase costs exponentially.
Liability to others
Navigating the patchwork of laws and regulations after a security incident or data breach is especially difficult for organizations that operate in a highly regulated industry. A data breach or security failure can trigger liability to third parties and cause bodily harm or injury, even if the management of financial records is outsourced and the organization is otherwise in compliance with applicable regulations.
Business interruption and reputation damage
A cyber event that impacts essential technology can have a significant impact on a nonprofit's ability to operate and can be highly visible to donors, beneficiaries, and other stakeholders. Even short periods of disruption can lead to direct loss of revenue and inhibit an organization's ability to champion a cause, negatively impacting not only donor retention but also the delivery of essential services.
Cybercrime
Beyond ransomware and data breaches, cyber events can result in financial theft for a nonprofit or its supporters — often without an actual breach. If an attacker dupes someone in the billing department to alter payment instructions, an organization can lose tens or hundreds of thousands of dollars almost instantly. Attackers can also gain access to email accounts and send fraudulent invoices or payment instructions to donors, beneficiaries, and other third parties.
Recovery and restoration
After a cyber event, resuming operation is no easy task. If an attacker damages or destroys essential technology, data, or physical equipment, an organization may need to bring in external support or purchase new equipment to re-secure systems. Full remediation, restoration, and recovery can take a significant amount of time, when possible, and may require purchasing new software, systems, and consultants to rebuild the network.
CYBER INSURANCE BUYER’S GUIDE
Choosing the right cyber coverage for your business
Cyber insurance is an essential aspect of modern risk management, offering coverage for the losses associated with data breaches, cyber extortion, business interruption, and other cyber-related incidents.
Coalition created a Cyber Insurance Buyer's Guide to help businesses navigate the complex cyber insurance market and confidently select the right coverage for their business.
Coalition’s products are underwritten by certain underwriters at Lloyd’s of London (A.M. Best A rating) and Arch Insurance Canada Ltd. (A.M. Best A+ rating).
