Non-profit organizations are exposed to many of the same cyber risks as their for-profit counterparts, but they often underestimate their exposure, assuming they are not significant targets in the way that large for-profit organizations or multinational brands are. Unfortunately, every organization is at risk in today’s cyber risk landscape, especially with the proliferation of ransomware.
“Ransomware is so accessible and inexpensive for hackers and threat actors. They often fire out phishing emails or similar attempts across the web, and they just pick whoever is unfortunate enough to click on that phishing link,” said Jonathan Weekes, senior vice president and cyber practice leader at Hub International. “Non-profits might not seem like attractive targets, but quite often, they fall victim to [ransomware] because they were the unfortunate folks who clicked on the link.”
But unlike for-profit enterprises, non-profits might not have the same budgets or resources available to build robust cybersecurity infrastructure. The remote working shift during the COVID-19 pandemic has also significantly increased their exposure to data breaches and cyberattacks.
“Remote work expanded the attack surface for these organizations, creating greater risk,” Weekes noted. He said the top cyber exposure for non-profit organizations revolves around personally identifiable information.
“Non-profits collect, process, and store a substantial amount of personal data on behalf of members if we’re talking about an association group, or their donors if we’re talking about a charity,” explained Weekes. “If that data is entrusted to an external party, the non-profit owners are still responsible and liable for the safekeeping of that information.”
As non-profits tend to run relatively lean, investing in more robust information security controls or recovering from a data breach could have a greater material impact on them. But leaders can take several steps to mitigate their overall cyber risk.
The first step is to assess their actual exposure. This means determining the number of records the organization holds and identifying vulnerabilities among its workforce. Some questions to ask include: Are employees getting enough training? Do they know the risks associated with data and technology? Are the organization’s processes effective at protecting it against cyber exposures?
“The next step is to build out a team. We always encourage our non-profit clients to create a comprehensive information security program, which becomes the organization’s overarching policy around information security,” Weekes continued.
“But they should also designate an employee committee to champion cyber security. This team can be comprised of key stakeholders from several parts of the organization, and they should be tasked to help train employees and find ways to resolve vulnerabilities.”
At the same time, Weekes encouraged non-profits to build a parallel team to respond in case of an actual breach. This team can include external resources, such as breach counsel and incident response firms.
“The final step is to manage the risk overall as an organization. This includes determining whether cyber insurance is the right option or solution,” said Weekes. “Based on the findings from their risk assessment, they should build a roadmap to implement the necessary controls, such as multi-factor authentication, privileged access management, employee training for phishing and proper systems use, and so on.”
One fundamental weakness in non-profits’ cyber risk mitigation is an overreliance on third-party technology providers. Many organizations outsource their information security and operational software to vendors but don’t take the necessary steps to tighten their cyber risk controls.
Weekes advised brokers and their non-profit clients to do their due diligence before partnering with technology firms. “We often see the text and language within these contracts waive all liability in favour of the technology firm. So, our clients are essentially left almost entirely exposed if a breach occurs, sometimes even if it was the fault of that third-party provider,” he warned.
Non-profits should consider the limitations of liability in their contracts and assess their vendors for cyber risk as rigorously as they assess themselves. “Ask the providers if they align with a known and respected information security framework and what steps they take to protect your organization’s data,” Weekes added.
No two non-profits have the same exposures, which means that cyber risk management programs must address each organization’s specific risks. Likewise, agents and their non-profit clients should know that not all cyber insurance policies are created equal.
“Cyber insurance truly is one of the best ways organizations can address the residual risks left once they’ve implemented the appropriate controls,” Weekes told Insurance Business. “But policies can focus on different exposures. Some are heavier on private exposures; others are more targeted to operational exposures. We encourage our clients to take steps to assess and manage their risks in a way that works best for them.”