Why Nonprofits Can’t Ignore Cyber Risk

Nonprofits underestimate the cyber threat, believing they’re less attractive targets than for-profit enterprises or external service providers.


Cyber breaches are more common than ever. Almost half of all global organizations will experience a data breach. The repercussions go beyond financial, as organizations suffering breaches can suffer reputational damage in the eyes of clients, donors, business partners and the general public.

For nonprofits, such repercussions can cause irreparable harm. Nonprofits tend to underestimate the cybercrime threat, believing they’re less attractive targets than major for-profit enterprises or external service providers performing IT-related functions.

Yet critical aspects of nonprofit business operations expose them to cyber risk, while often lacking the technology resources, infrastructure or staffing to manage it.

Consider the following:

  • Since the onset of the COVID-19 pandemic, many employees are working remotely with home networks, creating greater risk as these networks may be unsecure
  • Nonprofits have embraced cloud computing, software-as-a-service (SaaS) and warehousing data
  • Criminals routinely hijack online payment systems like those used for nonprofit donations
  • Third-party software used to manage and store donor CRM information can be hacked

The stakes have risen on PII

Nonprofit organizations solicit donations throughout the year, with the heaviest activity generally in the fourth quarter. They may store donor data containing personally identifiable information (PII), which are a tempting target for criminal elements. Even if an external party handles the data, the nonprofit is considered the owner and is liable for its safekeeping.

As many as 80% of all data breaches compromise personal identifiable information (PII), with the average cost of a breach $150 per record. These costs include civil liability, defense costs, regulatory fines and penalties and the cost of business interruption. A breach also raises immediate expenses, including the costs of investigation, consumer notification, credit monitoring and public relations.

Be a responsible, prudent steward in three steps

Nonprofit leaders are responsible for organizational assets entrusted to their care and are expected to exercise diligence and informed decision making. The following three steps will help a nonprofit organization start improving cybersecurity and reduce risk.

Step one: Assess exposure. Determine the approximate number of records the organization owns that contain protected information, and identify vulnerabilities in technology infrastructure, people and processes. Defenses include firewalls, antivirus protection, encryption and multifactor authentication, background screening, access restrictions, regular equipment inventories and physical security.

Step two: Build a team. Create a comprehensive information risk program, designating an employee or committee to champion cyber security. This team will help train employees and find ways to recognize, report and resolve vulnerabilities.

Step three: Determine insurance options. Explore the availability and cost of commercial risk transfer. Specialty insurance products have proliferated, offering coverage to address multiple risk exposures, from traditional information risk to media liability. Carriers will reward organizations with superior data risk management with better-than-average cyber insurance rates.

See also: COVID-19 Boosts Cyber Risks in U.S.

Transferring risk to cyber insurance

Traditional forms of insurance such as property, general liability, management liability and crime policies only provide fragmented protection against data breaches. In fact, mainstream underwriters are continually introducing new exclusions to shift the burden away from their policies and into specialty cyber solutions.

Cyber insurance is not one-size-fits all: Each policy must be tailored to the buyer’s needs, based on its unique risks and exposures. A robust cyber policy should cover the following:

  • The services of a privacy attorney to help navigate legal responsibilities after a breach
  • A forensic investigation to pinpoint the cause of a data breach
  • Coverage of the cost to notify potentially affected parties and provide credit monitoring services, as well as the cost of hiring a public relations firm to minimize reputational damage
  • Liability defense costs, claim settlements, judgments, regulatory fines and penalties
  • Damage to the policyholder’s own IT network and digital assets, including ensuing business interruption

Cyber risk management starts with quantifying an organization’s risk and the costs to address it and continues through adopting a thoughtful, holistic strategy that includes transferring risk to insurance coverage when possible. It’s a process that will pay major dividends — even if a nonprofit may not seem like much of a target for cybercriminals.

Scott Konrad

Profile picture for user ScottKonrad

Scott Konrad

Scott R. Konrad leads a vertically integrated nonprofit specialty practice for global insurance broker HUB International. His 44-year insurance career spans sales, operations and relationship leadership roles with global brokers and a niche nonprofit insurer.

Read More