Cybersecurity stats show that nonprofits are operating in an increasingly risky digital world. The University of Maryland estimates that hackers attack every 39 seconds – and CohnResnick has found that more than 70% of nonprofits have not run even one vulnerability assessment to evaluate their potential risk exposure.
In other words, many nonprofits are vulnerable to cyberattacks.
So, do nonprofits need cyberinsurance?
The answer is complicated. Cyberinsurance is increasingly a point of consideration for nonprofits – but determining your need for it requires consideration of a range of factors. To help you approach the decision strategically, let’s unpack some of them.
- What cyberinsurance is
- How cyberinsurance works
- The questions you should ask as you analyze your need for nonprofit cyberinsurance
These considerations will help you to make an informed decision as you evaluate your nonprofits needs and risk profile. Your nonprofit cybersecurity strategy may involve cyberinsurance – but the solution will depend on your context.
Are you ready to take a strategic approach to cyberinsurance? Let’s dive in.
What Is Cyberinsurance?
Cyberinsurance is a service that helps to reduce risk by offsetting the costs involved in recovery from cybersecurity incidents.
Perhaps the most common form of cyberinsurance is purposed specifically toward breaches (as opposed to outages or different types of hacks). For example, here’s how Nationwide defines their offering:
“Cyber insurance generally covers your business’ liability for a data breach involving sensitive customer information, such as Social Security numbers, credit card numbers, account numbers, driver’s license numbers and health records.”
While cyberinsurance has only recently become more mainstream, CIO Magazine notes that, as a concept, it’s been around for a while – the term was originally coined in 2005.
How Does Nonprofit Cyberinsurance Work?
Generally, nonprofit cyberinsurance works much like other forms of insurance. Organizations pay a recurring premium to receive varying types and degrees of coverage against cybersecurity damages.
Some areas of coverage include:
- Theft and fraud. Organizations receive coverage in the event of destruction or loss of data due to criminal or fraudulent cyber events like transfers of funds.
- Forensic investigation. These policies cover the legal, technical, or forensic services that are needed to assess whether a cyberattack happened (and what next steps should be).
- Business interruption. These policies cover lost income during outages caused by cyber events.
- Data loss and restoration. Organizations are compensated for the costs of retrieving and restoring data or systems compromised in a cyber event.
Should an event occur, nonprofits will be required to provide legitimizing documentation to receive coverage (in the same way that car insurance policy holders must submit proof of damage to receive payments). Often, nonprofits must also show that there was no negligence on their part – that all reasonable steps were taken to prevent the attack.
What Questions Should You Ask as You Analyze Your Need for Nonprofits Cyberinsurance?
With the what and how of cyberinsurance in mind, here are a few of the most common questions to consider as you evaluate your own nonprofit’s need for the service.
How vulnerable is your organization?
Generally, if you are processing payment information or storing personal data, your organization may be vulnerable to extensive cyber damages. In these cases, seeking coverage may make sense.
However, note that cyberinsurance, like other forms of insurance, varies in cost based on your level of risk. So, if you truly are higher risk, you’ll pay more for insurance.
What will be covered?
This is a crucial point. There are many examples of organizations with extensive cyberinsurance packages going uncovered for damages. In 2013, for example, a health provider called Cottage Health System was held financially responsible for a data breach, even though the organization had cyber insurance – they were found to have been negligent in their cybersecurity upkeep, voiding their protection.
Coverage varies policy by policy, and may also vary depending on your organization’s actions. Don’t pay for insurance without ensuring you comply with requirements and that your coverage applies to the areas where it’s most needed.
What nonprofit cybersecurity measures have you taken?
Finally, consider your organization’s approach to cybersecurity. Obviously, a proactive and strategic approach to cybersecurity can reduce your risk, possibly reducing your need for cyberinsurance in the first place. As we’ve seen, though, it can also impact the cost you would pay for cyberinsurance.
If you take a strategic approach to cybersecurity and identify an area where coverage would be helpful, you may be able to get an affordable premium.
Looking for More Nonprofits Cyberinsurance Guidance?
Hopefully, this information has been helpful as you evaluate cyberinsurance for your nonprofit organization. If you’re looking for more guidance – or to reduce the likelihood of cyber incidents in the first place – get in touch with us.
At Community IT Innovators, we’re experts in nonprofit cybersecurity, and we have worked with clients with and without nonprofits cyberinsurance – and cyber insurance makes a big difference. We’ve found that many nonprofit organizations deal with more cybersecurity risks than they should have to after settling for low-cost IT support options they believe will provide them with the right value.
As a result, cyber damages are all too common.
We can help. Our techs are nonprofit cybersecurity experts. We constantly research and evaluate new technology solutions to ensure that you get cutting-edge solutions that are tailored to keep your organization secure. And we ensure you get the highest value possible by bringing 25 years of expertise in exclusively serving nonprofits to bear in your environment.
Whether you need help reviewing your cyberinsurance options or assistance in reducing the likelihood of an attack – if you’re ready to gain peace of mind about your cybersecurity, let’s talk.