Museums don’t just have eight mischievous female criminals to fear these days, as hackers can prey on cultural institutions from a great distance and do just as much damage. However, it’s not the million-dollar artwork hanging on the walls and sitting behind glass cases that’s most threatened when cybercriminals attack.
“Their biggest concern is the personal information of their donors,” said Richard Mercado (pictured), vice president of commercial insurance for Huntington T. Block, an operating unit of Aon plc. He also added that many museums do online marketing and sales, which puts credit card information at risk. “Those are really what they’re most concerned about, and how that would impact their business if there was a cyberattack on their systems. Part of that is the public image, and if important confidential information of their clients, especially donors, is exposed.”
Public relations are a huge concern, considering that museums often need private funds to keep their institutions up and running.
“Museums primarily rely on huge donors,” said Mercado. “Some of the largest museums rely a lot on private donations, although some do get money from the government. That is definitely an area of most concern to them if they are hacked, [and] the consequence of donors not having as much confidence in the museum, [which] ultimately would drop donations for the institutions.”
With cybercrime losses on the rise, risk managers at museums are paying more attention to the evolving risk and how to prepare for it, should an incident throw their networks into turmoil and put donor data at risk. Many museums today have chief information officers or in-house IT managers who oversee the safeguarding of their systems.
Read more: Cyber claims data shows worrying trend
“They know that it’s not really a matter of whether they will be attacked, but it’s more of when they might be attacked and how catastrophic it might be if they do not contain it or prevent it,” explained Mercado.
While there haven’t been any major instances of museums being hacked yet, Mercado has seen threats of social engineering, where a cybercriminal has attempted to dupe a museum director or another officer in the organization to release funds via an email where they impersonate another higher-ranking employee.
“From a social engineering perspective, one of the best things that everybody has learned to do is call back. If you get an email from supposedly the president of the museum or the director of the museum instructing you to wire $50,000 somewhere to Africa, the best thing to do is just call up the person wherever they might be and ask if they actually sent this order or not,” explained Mercado. “Museums are also becoming more wary and more careful if they don’t need social security or information of an individual or their donors. They are really trying to minimize storing and even obtaining confidential information if they don’t have to.”
The largest museums are already making their systems more secure, whereas mid-sized and smaller museums, sometimes because of limited resources, may not have all the necessary tools to protect themselves, and those are the ones that usually do not think that they are vulnerable, according to Mercado.
Similarly, crafting a cyber insurance policy for a museum also depends on the size of the institution.
“Museums with operating budgets of less than $10 million are much easier to underwrite in the sense that we can easily provide those coverages under their commercial package policy as an additional coverage,” said Mercado. “But for the larger museums, with $10 million or $50 million and above of operating budget, normally the underwriters really want to write them separately and more expensively, because of the volume of data and records that might be exposed.”