Intellectual Property, Information Technology & Cybersecurity

Why Nonprofits Can’t Afford to Ignore Cyber Risk

Cyber breaches are more common than ever. Almost half of all global organizations will experience a data breach.1 The repercussions go beyond financial, as organizations suffering breaches can suffer reputational damage in the eyes of clients, donors, business partners and the general public.

For nonprofits, such repercussions can cause irreparable harm. Nonprofits tend to underestimate the cybercrime threat, believing they’re less attractive targets than major for-profit enterprises, or that external service providers performing IT-related functions are responsible for breaches.

Yet critical aspects of nonprofit business operations expose them to cyber risk, and they often lack the technology resources, infrastructure, or staffing to manage it.

Consider the following:

  • Since the onset of the COVID-19 pandemic, many employees are working remotely on home networks, creating greater risk as these networks may be unsecured
  • Nonprofits have embraced cloud computing, software-as-a-service (SaaS) and warehousing data
  • Criminals routinely hijack online payment systems like those used for nonprofit donations
  • Third-party software used to manage and store donor CRM information can be hacked

The stakes have risen on PII

Nonprofit organizations solicit donations throughout the year, with the heaviest activity generally in the fourth quarter. They may store donor data containing personally identifiable information (PII), which is a tempting target for criminal elements. Even if an external party handles the data, the nonprofit is considered the owner and is liable for its safekeeping.

As many as 80% of all data breaches compromise PII, with the average cost of a breach at $150 per record.2 These costs include civil liability, defense costs, regulatory fines and penalties, and the cost of business interruption. A breach also raises immediate expenses, including the costs of investigation, consumer notification, credit monitoring and public relations.

Be a responsible, prudent steward in three steps

Nonprofit leaders are responsible for organizational assets entrusted to their care and are expected to exercise diligence and informed decision making. The following three steps will help a nonprofit organization start improving cybersecurity and reduce risk.

Step one: Assess exposure. Determine the approximate number of records the organization owns that contain protected information, and identify vulnerabilities in technology infrastructure, people and processes. Defenses include firewalls, antivirus protection, encryption and multifactor authentication, background screening, access restrictions, regular equipment inventories and physical security.

Step two: Build a team. Create a comprehensive information risk program, designating an employee or committee to champion cyber security. This team will help train employees and find ways to recognize, report and resolve vulnerabilities.

Step three: Determine insurance options. Explore the availability and cost of commercial risk transfer. Specialty insurance products have proliferated, offering coverage to address multiple risk exposures, from traditional information risk to media liability. Carriers will reward organizations with superior data risk management with better-than-average cyber insurance rates.


HUB International Limited
North America
TAG-SP: Insurance and Risk Management
Member Profile
www.hubinternational.com/