The Importance of Cyber Liability for Nonprofits
For nonprofit groups, it is always a challenge to find money to accomplish the mission of the group. It seems even harder today given how many organizations are competing for donor dollars. As an insurance broker, we have the privilege of working with many nonprofits, and it is our role to help them protect their funds through the effective management of insurable risk.
Most organizations understand the importance of the traditional lines of coverage: General Liability, Property, Business Auto, Workers’ Compensation, Directors and Officers and Excess Liability. Unfortunately, the old adage “you don’t know what you don’t know” often applies to understanding the need for other lines of coverage.
The additional lines of coverage to be considered include:
- Errors and Omissions
- Employment Practices Liability
- Fiduciary Liability
- Business Interruption and Extra Expense
- Media Liability
- Cyber Liability
This article will focus on one of these lines, Cyber Liability. Future articles will address other lines of coverage.
Cyber Liability has been getting huge amounts of press in the past few months. Few people haven’t heard of, or maybe even been impacted by, some of the high-profile breaches making the news. Typical business insurance policies cover “tangible assets,” and electronic data is not considered tangible under most traditional policy definitions.
Cyber is a very real and costly threat. Cyber Liability coverage addresses claims arising from the unauthorized use of, or unauthorized access to, electronic data or software within an organization. Spreading a virus or malicious code and computer theft are other claims for which Cyber Liability insurance can provide coverage.
A nonprofit might find the associated costs and reputational damage insurmountable if one of the organization’s key employees or officers loses a laptop that contains confidential donor information. A hacker gaining unauthorized access to a database containing personal or medical information would be equally damaging.
Nonprofit managers should carefully consider how to mitigate cyber risk. Utilizing insurance should not take the place of implementing internal controls, policies and procedures.
The following are 10 risky practices employees routinely engage in, according to the findings of a 2012 study done by the Ponemon Institute:
1. Connecting computers to the Internet through an insecure wireless network.
2. Not deleting information on their computer when no longer necessary.
3. Sharing passwords with others.
4. Reusing the same password and username on different websites.
5. Using generic USB drives that are not encrypted or safeguarded by other means.
6. Leaving computers unattended when outside the workplace.
7. Losing a USB drive possibly containing confidential data and not immediately notifying their organization.
8. Working on a laptop when traveling and not using a privacy screen.
9. Carrying unnecessary sensitive information on a laptop when traveling.
10. Using personally owned mobile devices that connect to their organization’s network.
Carol McQueary, Frost Insurance