“Does my insurance policy cover only the conference office or do my churches and schools need coverage as well?” Church administrators should ask this question as they consider how to defend their organizations from cyber threats.
The answer is that church organizations face cyber threats at all levels. Where there are computer systems, there are threats. A church administrator needs a cyber liability insurance policy that provides coverage for the organization’s assets and any liability. The administrator also needs to understand the risks and put preventative measures in place to manage them. Our church’s organizations must protect themselves against many cyber attacks, whether the perpetrator is a cybercriminal or a disgruntled employee.
Here are several potential threats facing church organizations:
- Breach of privacy: The conference houses employee records. Do your churches and schools have directories with member names and contact information?
- Cyber extortion: Blackmailers hold data hostage unless you pay them.
- Cybercrime: This includes vandalism, sabotage of IT systems, etc.
- Cyber sabotage: The use of IT systems to infiltrate infrastructure affecting communications and other vital systems.
- Legal liability: As a result of network security breaches, church organizations could be on the defense against lawsuits, compliance requirements, etc.
- Fraudulent money transfers: Illegal access to IT systems may result in unauthorized online payments.
- Computer virus attack: This could damage the IT systems, including software, and corrupt the data in the system.
Managing Cyber Risks
A cyber liability insurance policy is customized coverage for church organizations. It ensures that the policy will be written based on your organization’s unique risks and systems. The application requires information from human resources, treasury, and information technology departments. When church leaders have completed the application process, many have said that the application questions made it clear that their systems were not up to the standards they needed to be. If that is the case, it is best to get insurance sooner rather than later!
Most policies require you to meet minimum requirements to avoid denial of coverage. These can include changing passwords on a regular basis and installing patches and updates within a certain number of days. It is your duty of care, and it is in your best interest to go beyond the requirement of the policy.
It is also important to remember that purchasing an insurance policy is not the only measure necessary to address cyber risks. Perhaps the most important strategy is prevention. Putting policies and procedures in place to prevent the initial risk should be a top priority.
U.S. Homeland Security has some simple tips to get you started:
- Use and regularly update antivirus and antispyware software on all computers.
- Secure your Internet connection by using a firewall, encrypt information, and hide your Wi-Fi network.
- Establish security practices and policies to protect sensitive information. Educate employees and hold them accountable to the [company established] Internet security guidelines and procedures.
- Require that employees use strong passwords and regularly change them.
Found on: https://www.staysafeonline.org/re-cyber/creating-a-culture-of-awareness/
Legal Responsibility
Another important reason to take any cyber risk seriously is the legal responsibility associated with this risk. There are laws that govern the rights citizens have over the privacy of their information, and fees and fines are associated with the exposure or loss of data. Data protection and breach notification laws vary in the particulars. These laws can include how data must be governed, whether a national law applies across borders, the rights that citizens have around their information, and the enforcement powers of the legal authorities.
Sometimes, because of a breach of its data systems, an organization may find itself incurring large expenditures to remedy the situation as required by law. The 2015 Ponemon report from IBM revealed that in 2015 the average per capita cost of data breaches in the United States was $217 per compromised record. The average total organizational cost per breach was $6.53 million.
Costs often associated with a data breach include:
- Customer notification
- Consulting help for forensic research and data recovery
- Customer credit monitoring subscriptions
- Credit card re-issuance fee
- Legal fees
- Hotlines for customer support
Until a data breach occurs, it’s impossible to know the extent of the leak or financial devastation. Maybe that’s why so many organizations underestimate data security breach risks. When you stack up the potential costs brought on by such a breach, a risk management program with cyber insurance is more than good planning. It’s mission critical.
To learn more about cyber risks in the local church, visit ARM's Cyber Liability page.