
Mission Matters

Nonprofit Boards…Don’t Ignore Cybersecurity, You Could Be Liable for a Breach

June 08, 2023

Attention nonprofit boards…are you prepared for a cyberattack? Don’t be held liable for the costs of a breach. Learn how cyber liability insurance can help.

Cyberattacks are on the rise, and it’s no longer a matter of “if” you will be attacked but “when”. Organizations face revenue loss, liability costs, recovery expenses and more after a cyberattack. Learn how you can protect your organization.

Why are nonprofits a target?

Nonprofits are a favorite target of cybercriminals because they often store sensitive information including donor details, financial records, and personal data of beneficiaries. Additionally, nonprofits usually operate with limited budgets and may have fewer resources dedicated to cybersecurity compared to larger organizations. This makes them more vulnerable to attacks as they may have weaker security measures in place.

Are board members personally liable for cyber breaches?

In the past, board members were typically free of any personal liability for cyber incidents and breaches because the board’s cybersecurity duties were not yet clear or set in stone. Fast forward ten years: if an organization suffers a major data breach and it is found that the board of directors did not establish a sincere cybersecurity oversight process, the board members can be held responsible.

What your board can do to protect the organization from a cyberattack

To reduce the risk, the board should implement and maintain a cybersecurity plan. Here are a few suggestions to incorporate into that plan:

  • Perform a cybersecurity risk assessment: A cybersecurity risk assessment evaluates your organization’s vulnerabilities so you can address them accordingly. Remember, the most significant cost of a breach is often the reputational harm you will incur, and that cost is not typically covered by cyber insurance.
  • Train your staff: Training users on best practices and online hygiene can go a long way toward reducing the risk of a cyberattack. User negligence and poor computer hygiene, such as weak passwords, are the leading cause of cyberattacks and data breaches. Many organizations have benefited from sending out regular simulated “phishing” emails as part of security awareness training, so that your team learns to recognize the warning signs.
  • Review and understand the compliance regulations and laws: All organizations must abide by applicable statutory regulations and legal precedent. Directors must uphold their fiduciary duty by swiftly addressing data privacy vulnerabilities and breaches and by maintaining strong cybersecurity measures.
  • Document your protocols: Many nonprofits have no cybersecurity documentation in place, which leads to chaos if an attack occurs. Documented protocols give teams quicker access to the information they need to minimize the effects of an attack.
  • Create and test backups and redundancies: Keep multiple copies of your organization’s crucial data, with system redundancies on both a physical server and in the cloud, so that if one instance is compromised you have backups ready to be deployed. Test them regularly.
  • Update your operating system and patch all software: Conduct regular updates so that you are not left vulnerable to known exploits.
  • Have a dedicated IT expert or consultant: Having someone monitoring your systems and network can help detect and respond to threats as they arrive.
  • Obtain board cyber expertise: Having started in the public company arena via SEC regulation, the trend for all organizations is to ensure that they have adequate cyber expertise, either by expanding board membership to include such individuals or by obtaining thorough training.

How can cyber liability insurance help?

In the unfortunate event of a breach, it is helpful to have backup. Most standard commercial policies do not cover cyber risks (identity theft, business interruption due to a network being shut down, disclosure of sensitive information, etc.). To cover these risks, organizations should acquire a special cyber liability policy. Cyber liability insurance can provide valuable protection for nonprofit board members in the form of legal and financial assistance, data breach response, regulatory compliance and reputation protection. There are typically two types of coverage available:

1. First-party coverage typically relates to the insured and encompasses costs directly related to the event. These costs could include:

  • Forensic investigation of the security breach
  • Legal costs relative to determining an organization’s notification and regulatory obligations
  • Notification costs associated with the breach (think of the letters you have received from credit card companies, hospitals and retailers after they have incurred a security event)
  • Credit monitoring for customers
  • Public relations expenses; and
  • Lost profits and extra expenses incurred during the time that network systems were down. Generally, costs to upgrade systems to prevent future breaches or enhance security are NOT covered.

2. Third-party coverage typically relates to interested or impacted parties of the insured (customers, banks, regulators, etc.) and may include:

  • Legal defense
  • Settlement payments
  • Damages and judgments
  • Liability for costs incurred by third parties (for example, liability to banks for having to re-issue credit cards); and
  • Regulatory fines and penalties.

Questions? Need help getting started with a cybersecurity risk plan or liability insurance? We can help.

Check out our affiliate Envision's latest installment of a recurring monthly guest column by COO Jason Albuquerque, featured in Providence Business News: “Cyber Sessions: What to know about insurance”.
