International charity Save the Children was hacked twice by cyber scammers in 2017, losing more than $1 million through a sophisticated email scam. According to The Boston Globe, hackers used the email of a US employee to create false invoices and other documents to fool the organization into sending nearly $1 million to a fraudulent entity in Japan. While this case hit the headlines because of the global nature of the Save the Children brand, similar breaches at non-profits of all shapes and sizes go under the radar every day.
All non-profit organizations that store any personal data have a cyber exposure, explained Frank Tarantino of Charity First Insurance Services, Inc., a program manager servicing non-profit, religious and social service organizations. The healthcare sector and educational institutions are at the top of the list because of the data they store, but it’s a risk that all non-profits need to be wary of.
“Healthcare related organizations store vast numbers of medical records, social security numbers and credit card details,” Tarantino said. “This information is very valuable to hackers to either sell on the black market, or to use the information themselves to apply for credit cards, loans, or to participate in any other type of fraudulent activity.”
Most non-profits accept and process donations, meaning they retain financial and personal data in a database or an online payment system. This makes them a target for cyber breaches. But there are best practices that non-profit organizations can follow to mitigate and limit their cyber exposures.
The first step, according to Tarantino, is to make data security a priority for the whole organization. That includes regularly updating computers and software, having strict policies on the use of the internet, and restricting the usage of personal cell phones and computers for work-related tasks. It’s also important to educate and train employees on good cyber hygiene and how to spot malicious and suspicious emails.
Another thing organizations can do is purchase cyber insurance. Charity First offers a variety of coverages that address the cyber exposures challenging non-profit organizations today, including: privacy liability, security breach response, security liability, cyber extortion, multimedia liability, business income and digital asset restoration, and payment card industry data security standard.
“We’re beginning to see an increase in requests for this coverage among non-profit entities; partly because breaches are in the media almost daily, so the conversation is out there more,” Tarantino told Insurance Business. “Although there are many non-profits that may think they lack the funds to buy this coverage, it is becoming more affordable.
“With this shift in pricing comes an increase in purchasing, which provides more data on the exposures and a better understanding of how to underwrite them. Another factor is that it’s becoming a more competitive marketplace, which certainly has an impact on pricing. Lastly, retail agents are becoming more familiar with the coverage and they’re doing a better job of educating their clients.”
The first thing retail insurance agents should do when helping non-profit clients manage their cyber risk is conduct an in-depth risk assessment, according to Tarantino. This will help agents understand the data a client collects and why it’s collected, as well as the risks associated with holding that data.
“Many small business clients may believe they don’t have data that can be compromised. It’s up to the retail agent to assist in identifying their exposures,” he added. “For example, do they keep credit card data on file, along with addresses and phone numbers? A determined hacker could infiltrate their computer system and obtain information on hundreds of customers, leaving the business at risk.” Every organization is at risk in today’s volatile cyber crime environment.