Today, virtually every organization stores vital information about its business, employees and donors electronically. Storage locations may be in the cloud (i.e. in software and services that run on the Internet instead of your computer), in a hosted environment or on internal servers. All of these environments may be vulnerable to cyber-theft, and the number of data breaches is increasing with each passing year.
Although we hear about major breaches, like Sony Pictures or Anthem Health, even smaller organizations are increasingly being targeted. While I often advise clients to take aggressive steps to protect their data, I also suggest they seriously consider the additional step of obtaining cyber security insurance.
While some may feel they are adequately covered by the more traditional insurance policies, the fact is that in most cases such traditional policies will only cover “physical” theft, and will not compensate organizations for digital loss.
What is Cyber Security Insurance?
A cyber security insurance policy is designed to help organizations mitigate risk exposure by offsetting costs and expenses involved with recovery after a data-security breach or similar event. Most cyber security policies currently on the market offer a combination of two types of insurance coverage:
- First-party coverage: covering direct losses to your organization.
- Third-party coverage: covering claims made against your organization by third parties, such as donors.
Does Your Organization Need a Cyber Security Insurance Policy?
Should your organization consider procuring a cyber security insurance policy? For many, the answer is probably “yes.” Most nonprofits accept and process donations, creating a variety of cyber liability and data-breach exposures, including cyber business interruption – a breach during a period in which you typically do much of your fundraising could have a devastating and long-lasting impact. Additionally, these policies can protect against loss of business, loss of or damage to digital assets, including computers and data stored on them, and security events such as improper or accidental exposure of donors’ and/or employees’ personal information.
A cyber security insurance policy can also cover other important potential issues, such as costs involved in managing a crisis – which may involve repairing reputation damage – as well as breach notifications to donors, employees and other affected parties, which are mandated by law in many jurisdictions, and credit monitoring for those whose information was or may have been breached.
Obtaining Coverage
Many of the major insurance companies offer cyber insurance policies. However, like any business insurance, cyber security insurance coverage varies by insurer and policy. As tedious as it may be, I strongly recommend that you review any potential cyber security policy in detail, mindful of your organization’s risks and vulnerabilities. I am often amazed at the number of policies I find that are ill-suited to the organizations that purchase them.
Here are a few key components to consider:
- What are the deductibles?
Be sure to compare deductibles closely among insurers, just as you would for health, vehicle and facility policies.
- How do coverage and limits apply to both first and third parties?
For most nonprofits, coverage for third-party service providers will be essential. You should also require all of your service providers that store, transmit or have access to your data to have cyber security insurance and to name your organization as an additional insured.
- Does the policy cover non-malicious actions taken by an employee?