Non-profits can’t afford to ignore cyber risk
“Ransomware is so accessible and inexpensive for hackers and threat actors. They often fire out phishing emails or similar attempts across the web, and they just pick whoever is unfortunate enough to click on that phishing link,” said Jonathan Weekes (pictured), senior vice president and cyber practice leader at Hub International. “Non-profits might not seem like attractive targets, but quite often, they fall victim to [ransomware] because they were the unfortunate folks who clicked on the link.”
But unlike for-profit enterprises, non-profits might not have the same budgets or resources available to build robust cybersecurity infrastructure. The remote working shift during the COVID-19 pandemic has also significantly increased their exposure to data breaches and cyberattacks.
Read more: HUB International opens new nonprofit specialty practice
“Remote work expanded the attack surface for these organizations, creating greater risk,” Weekes noted. He said the top cyber exposure for non-profit organizations revolves around personally identifiable information.
“Non-profits collect, process, and store a substantial amount of personal data on behalf of members if we’re talking about an association group, or their donors if we’re talking about a charity,” explained Weekes. “If that data is entrusted to an external party, the non-profit owners are still responsible and liable for the safekeeping of that information.”
Strengthening non-profits’ cybersecurity
As non-profits tend to run relatively lean, investing in more robust information security controls or recovering from a data breach could have a greater material impact on them. But leaders can take several steps to mitigate their overall cyber risk.
The first step is to assess their actual exposure. This means determining the number of records they hold as an organization and identifying vulnerabilities among their workforce. Some questions to ask include: Are employees getting enough training? Do they know the risks associated with data and technology? Are their processes effective at protecting your organization against cyber exposures?
“The next step is to build out a team. We always encourage our non-profit clients to create a comprehensive information security program, which becomes the organization’s overarching policy around information security,” Weekes continued.
“But they should also designate an employee committee to champion cyber security. This team can be comprised of key stakeholders from several parts of the organization, and they should be tasked to help train employees and find ways to resolve vulnerabilities.”
At the same time, Weekes encouraged non-profits to build a parallel team to respond in case of an actual breach. This team can include external resources, such as breach counsel and incident response firms.
“The final step is to manage the risk overall as an organization. This includes determining whether cyber insurance is the right option or solution,” said Weekes. “Based on the findings from their risk assessment, they should build a roadmap to implement the necessary controls, such as multi-factor authentication, privileged access management, employee training for phishing and proper systems use, and so on.”
Risks from third-party providers
One fundamental weakness in non-profits’ cyber risk mitigation is an overreliance on third-party technology providers. Many organizations outsource their information security and operational software to vendors but don’t take the necessary steps to tighten their cyber risk controls.
Read more: Cyber incidents – new report examines the scale of the threat
Weekes advised brokers and their non-profit clients to do their due diligence before partnering with technology firms. “We often see the text and language within these contracts waive all liability in favour of the technology firm. So, our clients are essentially left almost entirely exposed if a breach occurs, sometimes even if it was the fault of that third-party provider,” he warned.
Non-profits should consider the limitations of liability in contracts and asses their vendors for cyber risks as they assess themselves. “Ask the providers if they align with a known and respected information security framework and what steps they take to protect your organization’s data,” Weekes added.
No two non-profits have the same exposures, which means that cyber risk management programs must address each organization’s specific risks. Likewise, agents and their non-profit clients should know that not all cyber insurance policies are created equal.
“Cyber insurance truly is one of the best ways organizations can address the residual risks left once they’ve implemented the appropriate controls,” Weekes told Insurance Business. “But policies can focus on different exposures. Some are heavier on private exposures; others are more targeted to operational exposures. We encourage our clients to take steps to assess and manage their risks in a way that works best for them.”