A Report on Cyber, Privacy & Social Media Risk for Religious & Nonprofit Entities

Posted by ataylor@basusa.com - 28 January, 2013

Article By: Steven R. Robinson, Area President, RPS Technology & Cyber (A division of Arthur J. Gallagher & Co.). Reprinted by permission of our friends at Arthur J. Gallagher & Co.

Introduction

One cannot pick up a newspaper or browse a news site today without seeing a headline story about cyber crime. Incidents ranging from website intrusions, email fraud and social engineering scams to political “hacktivism” and electronic theft are commonplace. Once upon a time, news events like these were reserved exclusively for large public corporations and government entities. Today, opportunists are increasingly turning their aim to more vulnerable targets.

The unauthorized release of private information and communication in today’s rapidly-evolving digital environment is among the top threats that even the most profitable of today’s businesses are facing. So what happens when the business isn’t in the business of profit at all? Unfortunately, today’s religious and nonprofit organizations are not insulated from these new risks. In fact, their lack of resources and experience to defend threats like these creates an attractive target for those who seek to illegally benefit from the very organizations whose missions are to help those in need.

As with most forms of risk, tools are available to help mitigate the negative effects of these events on an organization’s mission, reputation and bottom line. With so many options, it becomes critically important to choose a partner with experience – both in the subject matter and with organizations of similar description.

“Cyber” Insurance

Cyber, Privacy and Network Security Liability insurance, hereafter referred to as “Cyber” insurance coverage, is among the most rapidly burgeoning elements of comprehensive risk management programs for nonprofits of all descriptions. “Cyber” is perhaps a bit of a misnomer due to the implication that the coverage itself addresses risks of a digital nature only. This is certainly not the case. A properly constructed risk transfer approach for churches and other religious nonprofits revolves around two key principles: 1) the unauthorized release of personal information and the downstream liability and expense implications associated with said release, and 2) liability implications for a religious entity when communicating and networking in today’s electronic environment.

The case for Cyber coverage is becoming a resounding chorus in religious and nonprofit organizations. Within the walls of these institutions, in their physical files and on their networks, laptops, mobile devices and websites are countless access points and areas of significant risk that traditional insurance policies are not addressing in an adequate way. The disparate network platforms and sheer volumes of valuable information managed by churches, temples, synagogues and the nonprofit entities that support their missions make them among today’s most popular targets for outsiders who seek to benefit financially through access to their private information. These are organizations that people trust and want to support. Unfortunately, it is this same aura of innocence that further makes them prime targets for those who wish to profit at the expense of their goodwill. Personally identifiable information (PII) and protected health information (PHI) have significant black market value, and religious nonprofits are a treasure trove of opportunity for identity thieves. Additionally, as social media and other forms of online communication become an ever-essential part of communicating with employees, volunteers, donors, members and the community at large, traditional insurance policies have struggled to keep pace with the substantial risks these new exposures bring to religious and nonprofit entities from a financial, regulatory and, yes, branding perspective.

Vulnerabilities

Religious institutions and their associated nonprofit entities are vulnerable to a wide host of exposures with respect to privacy breach and electronic communications. Some are exposures we have known about for many years such as the physical theft of laptops, mobile storage devices, smart phones and servers. Hacking incidents have garnered the lion’s share of headlines for years and nonprofits are increasingly the victims in these cases. Other exposures, however, are of a more cutting-edge nature and require expertise of insurance brokers and their carrier partners who are versed in the new realities of information and communication in today’s digital world.

SQL injection, phishing, social engineering and malware infiltration are among today’s more common methods for gaining access to even the most secure computer networks. The effects of these methods are costing today’s organizations millions of dollars to rectify. And these are all things within the purview of internal IT infrastructure and management. What happens when the vast resources a church, diocese or nonprofit has spent on firewalls, intrusion detection programs, spam filters and other network defense measures are rendered useless because the information has now left these friendly confines and rests in the hands of third-party business associates, document disposal or shredding companies, janitorial services, or vendors or firms who may not have taken the same measures of due diligence to protect this information? Religious institutions are increasingly reliant on cloud providers, information processors, payment authorization companies, mobile platforms and Software as a Service (SaaS). While these relationships create efficiencies and serve critical business needs, they also open doors to risk that an organization cannot manage 100% on its own. As such, an effective risk transfer mechanism is essential.

What happens when a well-intended staff member sends an email containing benefits information for employees to the wrong distribution list? Worse yet, what happens when a disgruntled volunteer inflicts intentional harm through the abuse of his privileged access to critical information systems? What about when a laptop containing protected health information (PHI), such as immunization records for students attending a missions trip, is stolen from a youth pastor’s car? Religious entities and their nonprofit subsidiaries are holders of highly sensitive financial giving records, bank account information, credit card data, and background checks – all given with the expectation of privacy. But what happens when that privacy is breached, whether intentionally or unintentionally?

These are the questions that church administrators are facing and Cyber insurance has become a critical step to transfer risk when things such as this occur. Unique relationships exist between a church and its members, volunteers and employees; thus, the responsibility lies squarely on the shoulders of the organization to ensure that all protected communication within these relationships remains confidential. Outsourcing business processes does not absolve a church or nonprofit from its duties in this regard. As such, significant financial and reputational harm can occur if not properly managed through a combination of risk prevention strategies and appropriate risk transfer tools within a properly structured Cyber Liability insurance program.

Exposures and Solutions for Transferring Risk

While Cyber policies are diverse and cover a broad range of risk, they can most easily be broken down into four main risk categories, all important to religious and nonprofit entities: Privacy Breach, Online Copyright and Media Liability, Personal Injury in an Online Environment and Network Security Liability. Traditional insurance policies have not adequately kept pace with these risks in today’s environment, thus creating the need for these new products and specialists who are well-versed in sourcing coverage and building effective risk-transfer programs in these areas.

Privacy Breach Coverage becomes the cornerstone of a Cyber program as it addresses third-party claims against an organization for the unauthorized release of non-public personal or protected health information of its members/parishioners, volunteers and/or employees. Today’s news is rife with examples of data breaches that are taking place within religious and nonprofit circles every day. The plaintiff’s bar has become increasingly creative with class-action strategies for privacy injury suits.

The first-party expense (remediation) side of privacy breach can be among the costliest for nonprofits as this is what hits the bottom line first in the chronology of a data breach. The notion of goodwill does not extend far when it comes to a religious nonprofit having to notify clients of a massive data breach or when incurring the costs to notify large numbers of employees that their personal health information has been exposed. Regulatory proceedings and fines/penalties as a result of HIPAA violations can be significant, as can fines from non-governmental entities such as the Payment Card Industry (PCI) Security Standards Council when violations of a PCI Data Security Standard have been associated with a credit card breach.

Privacy remediation expenses such as member or client notification costs, legal assistance when navigating the regulatory requirements of breach response (this is even before any legal defense comes into play), IT forensics expenses associated with isolating the source of a network breach and ensuring it does not continue have been known to run as high as $600 per hour. Even a large, national nonprofit’s internal legal resources and IT departments are rarely versed in these disciplines and the costs to hire experts are astronomical without the benefit of having the proper Cyber insurance program in place. Credit monitoring, identity restoration services, call center hotlines and public relations and advertising assistance are all examples of expenses a religious nonprofit can expect to pay out of pocket in the event of a security breach. Direct costs alone from a security breach have been estimated at $59 per breached record (Source: 2011 U.S. Cost of a Data Breach – Ponemon Institute, March 2012). So, it is not difficult to see how a breach of 100,000 records can add up to a $5,000,000 problem.

These costs do not account for other indirect costs such as the loss of future donations opportunities or damage to a church or nonprofit’s brand. At the end of the day, these organizations have a brand to protect just as any business does. Churches and nonprofits rely on this brand every day to manage relationships with current and future members, volunteers and donors. How inevitable incidents like these are handled goes a long way in keeping the strength of that brand intact.

As more and more tithes and offerings and annual giving are conducted online and information distribution is more widespread, instantaneous and easily accessible, increased focus must be given to Online Copyright and Media Liability exposures. Whether it is unauthorized linking within church or nonprofit websites, live streaming of church services, or copyright infringement exposures from the use of licensed music or videos, today’s media, while making the member experience much more interactive and engaging, also opens religious and nonprofit institutions to significant legal exposure that is often uncovered by traditional insurance policies. Today’s churches are using the internet for the publication of promotional videos about their programs, often neglecting to take the proper measures for securing usage permissions for brands, likenesses, intellectual property, published works, etc. In a 2012 study conducted by charityDYNAMICS and NTEN (Nonprofit Technology Network), “Nonprofit Donor Engagement Benchmark Study – Insights Into Donor Engagement Behavior and Preferences”, we find that “donors are engaging with their favorite charity on the web and by email frequently.” The study also found that the nonprofit’s website is donors’ top choice for learning about their favorite charity. Forty percent of donors in the study indicated that they receive information from email and eNewsletters more than a few times per year, and 35% of donors reported visiting their favorite charity’s website from “a few times a year” to “daily.” The study also states that 22% of donors “Liked” or commented on the nonprofit’s Facebook page and 16% received a tweet from the charity. A properly constructed Cyber program will take these website, media liability and intellectual property exposures into account and help transfer risk accordingly.

As social media plays an increased role in connecting churches and other nonprofits to their members, parishioners, volunteers and donors, new avenues are created for libel, slander, defamation and other forms of disparagement. Common General Liability policies have specific exclusions for personal injury when conducted in certain types of online “chat rooms” or “bulletin boards”. While the policy language may seem archaic, the intent is clear - General Liability was not designed to cover this exposure in the world of social media. Insurance carriers take varying approaches to covering (or not covering) this risk. It is important to select a broker who understands the differences between available policy forms and can provide appropriate protection.

Lastly, Network Security Liability rounds out the risk categories of Cyber coverage. Often referred to on its own as “Cyber Liability”, it covers religious and nonprofit entities for liability to third parties when a network under the organization’s control is responsible for disseminating a virus, malware or other harmful code to a third-party network. Such transmissions can occur through public computer terminals in youth centers, via Wi-Fi zones on a church campus and through a meteoric rise in mobile devices containing apps to help communicate with members and facilitate donations. David Balcom, Managing Director of Digital Platforms for the American Cancer Society (ACS), in 2012 at a Nonprofit Mobile Day in Washington, DC stated that there are “almost as many mobile subscribers as there are people and mobile devices are rarely farther than four feet from the owner.” Balcom underscored the dramatic rise in mobile device usage in nonprofits by sharing the fact that mobile users accounted for 7 to 8% of traffic to cancer.org in early 2011. By January 2012, the number had risen to more than 17% of traffic to the website.

With mobility and convenience comes increased security risk for nonprofits. Many times, the organization is unaware for days or weeks that their network has been used for purposes of carrying out attacks against others. A lack of knowledge does not absolve the organization from liability associated with failing to secure their networks in a proper manner. Once again, properly crafted coverage can help mitigate the exposure in this area.

Summary

Religious and nonprofit entities are highly unique in that under a single umbrella they represent some of the most significant risk categories that Cyber liability policies can address. From the very nature and volume of information that is under their control, to the inherent assumption of trust that is pervasive in their cultures, to the human element that is represented by volunteers with access to this data and the business associates who assist with critical business functions, religious nonprofits need this coverage to better protect their members, their employees, their volunteers, their donors, their reputations and their bottom line.

It is critical to partner with a broker who has experience not only in the marketplace for Cyber coverage, but who has also a track record of successful placements. Arthur J. Gallagher & Co. leads the way in experience, access to markets and value to our clients in the religious and nonprofit sector.

Topics: Religious & Nonprofit Practice

