What do you need to know to get insurance?

Like podcasts? Find our full archive here or anywhere you listen to podcasts: search Community IT Innovators Nonprofit Technology Topics on Apple, Spotify, Google, Stitcher, Pandora, and more. Or ask your smart speaker.

Nonprofit Cybersecurity Insurance Updates with Jenna Howard

Carolyn Woodard explores how cybersecurity insurance has evolved for nonprofits with Jenna Kirkpatrick Howard, Senior Vice President at Lockton Companies, who advises nonprofit clients on risk, insurance, and mitigation strategies to protect their boards, missions, and people.

When Carolyn and Jenna first presented a webinar together on cyber liability insurance, it was a new product that many nonprofits had never considered. Today it is nearly always required, and the risks it covers have transformed. The conversation traces that evolution, from the forgotten laptop and rogue employee scenarios of the early days to the ransomware attacks, sophisticated social engineering fraud, and emerging privacy laws driving claims now. 

Jenna also shares what insurers are doing about AI, from underwriter questions about guardrails to new endorsements affirming coverage, and why early AI-related litigation should put every nonprofit on notice about keeping a human in the loop.

Presenters

As Senior Vice President at Lockton, Jenna Kirkpatrick Howard works with non-profit and for-profit organizations to identify, assess, and manage their financial, operational, and reputational risks. Within her firm, Jenna is appointed to the Executive Committee for the Northeast Series of Lockton Companies. She also serves on two steering committees for Lockton: Women in Leadership and the Diversity Equity & Inclusion Council. Jenna is the 2022 Chair of the Elite Women Producer (EWP) group within Lockton. Outside of Lockton, she has served on nonprofit boards that support families in underserved communities around the Washington DC area and national equity organizations, specifically focused on advancing women and girls.



Carolyn Woodard

Carolyn Woodard is currently head of Marketing and Outreach at Community IT Innovators. She has served many roles at Community IT, from client to project manager to marketing. With over twenty years of experience in the nonprofit world, including as a nonprofit technology project manager and Director of IT at both large and small organizations, Carolyn knows the frustrations and delights of working with technology professionals, accidental techies, executives, and staff to deliver your organization’s mission and keep your IT infrastructure operating. She has a master’s degree in Nonprofit Management from Johns Hopkins University and received her undergraduate degree in English Literature from Williams College.

She was glad to have this conversation with Jenna Howard about nonprofit cybersecurity insurance updates.



Ready to get strategic about your IT?

Community IT has been serving nonprofits exclusively for twenty-five years. We offer Managed IT support services for nonprofits that want to outsource all or part of their IT support and hosted services. For a fixed monthly fee, we provide unlimited remote and on-site help desk support, proactive network management, and ongoing IT planning from a dedicated team of experts in nonprofit-focused IT. Our clients benefit from our IT Business Managers team who will work with you to plan your IT investments and technology roadmap if you don’t have an in-house IT Director.

Being 100% employee-owned is important to us and our clients. It is an important aspect of our culture as a business serving nonprofits exclusively for 25 years.

We constantly research and evaluate new technology to ensure that you get cutting-edge solutions that are tailored to your organization, using standard industry tech tools that don’t lock you into a single vendor or consultant. And we don’t treat any aspect of nonprofit IT as if it is too complicated for you to understand.

We think your IT vendor should be able to explain everything without jargon or lingo.

If you can’t understand your IT management strategy to your own satisfaction, keep asking your questions until you find an outsourced IT provider who will partner with you for well-managed IT.

More on our Managed Services here. More resources on Cybersecurity here.

If you’re ready to gain peace of mind about your IT support, let’s talk.


Transcript

Carolyn Woodard: Well, welcome to the Community IT Innovators Technology Topics podcast. I’m Carolyn Woodard, your host, and I’m really excited today to be here with an old friend, Jenna Howard. So, Jenna, would you like to introduce yourself?

Jenna Howard: Of course, happy to. I am Jenna Howard. I work at Lockton Companies. It’s an insurance brokerage firm. I spend the majority of my time with the nonprofit community advising clients on risk and insurance and mitigation tactics and strategies to protect their board, their mission, and their people.

How Cyber Insurance for Nonprofits Has Evolved

Carolyn Woodard: And I wanted to have you on the podcast because we did a webinar together about cybersecurity insurance for nonprofits. And I was thinking about it before coming on today, and just thinking that when we did that webinar, it was so new. It really wasn’t required. And now things have changed so much, so it’s pretty much always required. A lot more financial audits also require you to have the cyber liability.

I just wanted to check in with you on what things have changed, and what are nonprofit leaders thinking now about cyber insurance, and what do they need to know?

Jenna Howard: What’s evolved? The risk insurance industry, particularly around cyber technology, and I’m going to add AI (artificial intelligence) and media to that conversation, because it has evolved pretty dramatically, I would say, in the last five to six years. We went through a really challenging market where insurance rates were going up and coverages were going up. And that was in the 2001-2002 timeframe, which was about the time we actually chatted. (Jenna misspoke; she meant the 2021-2022 timeframe.) Then there was a sharp decline in the rates and the cost of that insurance, which for nonprofits became an opportunity to make this type of insurance and protection more affordable. And they could really be thoughtful about how much limit they bought, and the right carrier partner, and the right coverage.

When we first started talking to clients about cyber risk, we really were talking about that forgotten laptop in a rental car, or the rogue employee that took information. And while that risk may still exist, what we talk about today is far more focused on ransomware attacks, cyber attacks, which for so long were heavily healthcare and retail, and now it’s every industry everywhere. Second leading in our claims activity is social engineering fraud, which is where you are being duped to send wire transfers and monies out to a third party, because likely someone was living in your email system, tracking payments, and duped a finance professional or someone in the organization to send money voluntarily out.

The third evolution is around privacy law. We are seeing major changes to protection and privacy law. I think AI is only going to increase that. So there are lots and lots of emerging risks. The good news of today is that there are lots of insurance carriers in the cyber insurance marketplace. Many have robust support and services beyond just the insurance coverage. They’ll do vulnerability testing, they’ll do phishing training for you, they’ll go in and do an incident response. So it’s more than just an insurance policy today; it is a holistic approach to risk mitigation. And that’s been a nice evolution for our nonprofit clients that maybe don’t have all of that built into their structure and their staff today.

Carolyn Woodard: Yeah, we were so excited when they changed that financial audit to include looking, like you said, holistically at all of the risks. That you could pay someone, wire the money to something that seemed legit and it wasn’t, and it would just take all your money.

Jenna Howard: Exactly. Exactly. And for a while it was, send gift cards, and everybody’s like, no, we all know that’s not it. It is very sophisticated now when there has been a major transaction. You’re purchasing a building, you’re investing in a new program, you’re providing grant monies. They are living in your system watching as it plays out, and the day of the transaction, they are looking to modify bank wire information. It is a far more sophisticated effort than the text message that says your CEO is in a meeting, go buy gift cards at the local drugstore.

AI Scams, Underwriting Questions, and Affirmative Coverage

Carolyn Woodard: Exactly, exactly. And you mentioned AI just briefly, but are you seeing new types of scams with AI? And are there new types of insurance to cover those?

Jenna Howard: This is the number one question we’re getting from our clients. What about AI? How is insurance responding to AI? And up until recently, it was: the insurance carriers are monitoring. We haven’t really seen the cases yet, we haven’t seen the claims yet, but they are all saying that your use of AI is covered under the cyber insurance policy. And for nonprofits in particular, they started to ask questions of how do you plan to use it? Are you writing grants? Are you writing letters? Do you have an internal Copilot or ChatGPT or Gemini structure? Because they want to make sure that there are guardrails. No one’s naive enough to think that no one’s going to use AI in the organization.

So, how do you create policies that enhance your operations but protect the PII, the personally identifiable information, or any health data or any confidential information you have? We started to see underwriters ask more questions around the use of AI, in addition to your cybersecurity controls, but not necessarily seeing changes in the coverage. Then just recently, some of the insurance carriers have come out with an endorsement that defines AI and is stating affirmative coverage. That sounds great, and we love that. When they state affirmative coverage, what that tells me is we are on a path where they have now defined it. They’ve now affirmed coverage; it’s no longer silent.

So we’re entering an opportunity to determine that it could be excluded for some organizations. We’re not seeing that yet, but we are seeing it as a defined term, where before, holistically, everyone was silent. But there is recent claims activity around the use of AI, specifically around nonprofits that are in the healthcare industry, where they are using AI to sum up doctors’ notes and make them more efficient after patient visits. Well, there are some laws, particularly in California, the mandatory AI disclosure and the human in the loop requirement, that basically say you can’t just rely on AI. There needs to be a human review. And so we’re starting now to see some cases, and some very expensive attorney bills that come with that. So I do think we will see a trend of AI litigation in the cyber space, and that may change our landscape. But today, all eyes are just watching it as an emerging risk.

Carolyn Woodard: That’s so interesting, because you can see someone saying, you operated on the wrong leg because the AI notes were wrong, or something like that.

Jenna Howard: Well, even something we have seen in the nonprofit space, where an organization was going to write thank you notes to donors. And they went outside of their own firewalls, went out to the free ChatGPT and said, so-and-so donated, blah, blah, blah, we want to make the letter more personal. And now you have a donation and a donor’s information shared publicly. And so, back to what are the rules and the policies and the procedures and the training internally with your staff on how to use AI.

AI Policies – Does Your Nonprofit Really Need Them?

Carolyn Woodard: So we’ve been really advocating very strongly for having those AI policies, acceptable use policies, in place. But I just saw a statistic a day or two ago that 80% of nonprofits don’t have those policies, and they don’t make a distinction between… you can see the appeal, right? The what they call the freemium tools, where it’s free, you just go to ChatGPT and have it write your thank you note. Versus having the paid version, even the lowest tier that you can pay. Or if you’re using Microsoft or Google Workspace, you use the Gemini or the Copilot that’s included in your license, so it’s internal to your firewall around your cloud environment. So if they’re affirming coverage of AI use, do you expect they’re going to be requiring the client to have that policy?

Jenna Howard: Yeah, I would say that’s probably coming. What we see now in the cyber underwriting: we’ve lived through the world where MFA was not required at one point, and now you can’t imagine anyone not doing the MFA or endpoint detection. And so the questions that you saw underwriters focused on were based on their claims experience, what was happening that they identified as a vulnerability, and then they started asking clients questions around their cyber controls. The initial questions around AI will be, how are you using it? How have you set up guardrails? We will evolve this, very likely, and I’m going to guess in short order, so that if we’re going to affirm coverage for AI, it is in this distinct scope of usage, and anything outside of that would not be covered. Or, we do not intend to afford coverage. We’re not there yet, but I would imagine it’s coming.

Carolyn Woodard: And do you think in that case… one of the things I think a lot of nonprofits are struggling with is there’s no accepted acceptable AI use policy. So they all kind of have to come up with it on their own. And I would imagine there’s a huge variation. There are also going to be variations between if you’re a healthcare nonprofit, or an education nonprofit with student information, or you’re an advocacy group, or you’re saving the snails or something like that, where you have less personal information.

Jenna Howard: If you’re a purchaser of cyber insurance, though, that oftentimes affords you some vendor legal advice and some vulnerability advice. And now I think we’re starting to see not just incident response and how to report cyber breaches, but also some advice on these types of policies and procedures. So there are resources out there, but I won’t say there is a standard. There’s so much framework driven by cyber; we don’t yet have that on AI.

Copyright Claims and Third-Party Vendor Risk

Carolyn Woodard: I had another question, just to switch gears a little bit, because it’s come up in a couple of conversations that I’ve had, and that’s around copyright. If you’re using AI and you’re creating your own materials, have you seen clients worried about when they have to be transparent and acknowledge that AI was used? When they’re using maybe images that were copyrighted, but then the AI is altering them? How is that working? Are you seeing anything like that?

Jenna Howard: Copyright. So copyright typically falls under our media liability, which for most organizations, particularly nonprofits, oftentimes is paired on the same policy with cyber. Sometimes it’s separate. We are seeing a lot of increases around copyright law, not always AI driven, just not citing the right source, but AI will change that. And that is why the human in the loop concept is so incredibly important: the editorial process should not be abandoned when using AI. One of the most common claims we are seeing in this space, particularly with nonprofits, is the use of unlicensed music on podcasts and at events. That copyright sort of extends to everything they do. And back to your AI policy: if you’re not making sure that the editorial process is extended to the use of AI, you will find yourself in trouble with those copyrights, because there are many organizations and law firms that are looking for copyright violations, and AI has made that search much easier as well.

Carolyn Woodard: I feel like that’s another area where there’s so much variety in the nonprofit sector. In my experience, it seems that nonprofits that are working in the arts community, for example, are really, really aware of artists’ concerns over copyright and AI stealing their art. Whereas nonprofits in other areas might just be like, oh, this is such a cute image, I’ll just use this in the style of this artist that I like, and then they get into trouble.

Jenna Howard: Or what’s your favorite walk-up song at that big event? And now that big event turned into a podcast, and now it’s out there for everyone to hear, and you have not authorized or licensed that music. We’re seeing things that seem so benign in the moment become quite an expensive legal issue for the organization. One of the other things we’re seeing that I think is worth noting: the Canvas breach is a good example.

Canvas is a learning platform used by 9,000 higher ed and education institutions. They publicly said there was a cyber breach; no one had access to the platform. In the middle of exams. The timing is always good with cyber attacks. And it does appear that a ransom payment was issued to get the platform back up online. But it has raised the question, and there have been many, many cyber attacks that have identified this: your dependency as an organization on a third party has become a big risk to the organization. Whether it’s your payroll system, your learning platform, a cloud provider, those dependent vendors have created an aggregation risk for cyber insurers. Because they are looking to underwrite a nonprofit organization and ask about your controls, they do now ask about some of your major dependent vendors. Because when a Canvas goes down, it becomes 9,000 insurance claims for all of those institutions, rather than a single claim for Canvas. So that has become a very heightened issue of how dependent are you on other organizations, and do you understand their protocols?

Carolyn Woodard: Yeah. And in that case, because we always, of course, recommend that you have your backups, that they’re recent, and that they’re in a separate system, so that if your system gets ransomware and is locked down, it’s a pain in the butt, but you have everything. But I think in the Canvas case, the ransomware attackers had the student data, right? That’s what they were threatening to do, to make that data available.

Jenna Howard: Correct. And from my understanding, what’s publicly available about their demand is that they wanted all of the institutions to go tell students and parents that their data had been compromised, before there was really known fact. So then it lends to: there is a notification requirement, but when is notification triggered, and how much do I know? It’s a complicated web. It’s not as simple as, oh, our system is down. It’s: our system is down. Why is it down? Who needs to be notified? What system is down? Is there a redundancy? That takes some time to source and figure out.

Carolyn Woodard: And I think you told me in our previous webinar that that is often something that your insurer can help you with, that they have an incident response plan for when you have to go to the FBI, when you have to do the different things, who you need to call.

Jenna Howard: The most critical person or group in a cyber claim is your breach counselor, which is oftentimes a law firm. And it’s specific teams that know and understand all of the triggered laws, all of the notification, all of the legal and government agencies, and then how to pull in the right forensics team. Because one forensics team that’s inundated in the Canvas breach today, and you have a ransomware over here, do they have the capacity to take it on? So that breach counselor, whether you identify them through your insurance policy, which is ideal, or you have a working relationship where you know that’s your person, that key to the incident response is huge, because you need them informed and on the ground, ready as soon as possible, within hours.

Carolyn Woodard: Yeah. And I heard the advice to have their number printed out somewhere, or in your phone, so it’s not in your system that is now locked and you can’t get into.

Jenna Howard: On more than one occasion, even more than a handful of occasions, I’ve gotten the call from a client that says, I know I have cyber insurance and I have a plan, but it all lives on the system that I have no access to. Help me.

New Scrutiny of Nonprofits, and Where to Start

Carolyn Woodard: Well, I have one more question. I’ve been thinking about this a lot lately, and I just wanted to get your take on it. It seems like we have a couple of perfect storms converging at the same time. If we were only dealing with AI and the very rapid changes that AI is making, that would be a lot to deal with. But we know in the past year, year and a half, there’s been kind of a change also in the environment around nonprofits. A lot of nonprofits that were merrily going along their way, that were never controversial before, suddenly there’s a lot of partisan interest in your nonprofit, no matter what it is you do. And so we’re seeing that a lot. Are you seeing that kind of adversarial impact on attacks, on insurance? You talked about media insurance, but what about the staff who might say something controversial online?

Jenna Howard: Oh, really great questions. There are a lot of directions you could go with that. If you are a scholarship organization, there’s a lot of scrutiny, and advocacy groups will go after your criteria in certain scholarships. If you are in accreditation, how you view accreditation and what you say about accreditation. Sometimes that comes through a government regulatory investigation, sometimes that comes through an advocacy group or a law firm, and other times it can come from your employees, through a reverse discrimination suit or a public forum where there is an op-ed.

I had a client where one of their employees wrote an op-ed outside of their scope of work, but it’s easily found where this individual worked. And so distinguishing what was in the scope of your employment and what is your own personal opinion shared online, it can get very murky. In that particular case, the nonprofit organization did actually have to hire an attorney to get themselves out of the litigation that came from the employee statement, but they still felt protective of the employee and supported them through the process.

So again, it goes a lot back to policies and procedures. When you have a high-profile individual at a nonprofit who is speaking, what is to be said within the scope of work and what’s not? Because there is far more attention on and attacks on nonprofits than we’ve ever seen before. And they oftentimes will turn into directors and officers insurance claims, the mismanagement of a firm. And even some cyber events can turn into a governance issue, which turns into a cyber claim. So it’s a tangled web we weave, and a lot of insurance implications can come from it.

Carolyn Woodard: Yeah, we’ve just seen so many changes recently. And yes, it’s often the directors or the executive director, the executives, the board members, but sometimes it can be just the person on the staff who has the identity that’s most likely to be attacked. So having those protections in place is so important.

Are there any final words of wisdom you can give us going forward? If you are not sure you have insurance, and you’re an executive director at a small organization, or new at an organization, where do you start?

Jenna Howard: Well, start with the staff that you have in place. Really look at what policies, procedures, and insurance program you have. Reach out to the advisors within the organization. Oftentimes, your bank, your accountant, your insurance broker, your HR consultant, your IT consultant, everybody in your spectrum will have a perspective on how well managed and protected their piece of the pie is. So really get a good gauge of tracking your risk and sharing that with your board. Creating a risk tracker and having an enterprise risk management, no matter the organization or how sophisticated it is, it is very important that at least the senior leadership team and the board are aligned to understand what their top risks are.

High risk doesn’t mean you don’t do it. It could be your program, it could be your endowment, it could be things that keep your mission going, but that just means it needs to be well managed and thoughtful and have the right procedures and policies in place. And I have yet to see a risk tracker or a board not put cyber in that top category. I will say five years ago, it likely didn’t live in that space unless you were healthcare or retail or some of the higher profile industries, but in this day and age, cyber lives somewhere in the top five.

Carolyn Woodard: Well, thank you so much for your time today, Jenna. I really appreciated reconnecting with you and catching up on what’s happened in insurance since we spoke last. Thank you so much. It’s always a delight to spend time with you.

Jenna Howard: Happy to do it.

As advocates for using technology to work smarter, we’re practicing what we recommend. This transcript was drafted with the assistance of AI, and is not a verbatim transcript. The content was edited for clarity, and was reviewed, edited, and finalized by a human editor to ensure accuracy and relevance.

Photo by Ozzie Stern on Unsplash
