Like most organizations, ministries leverage technology to communicate their mission and take care of operations, while often times not fully aware of the significant risk of cybercrime and potential losses due to weak cybersecurity networks and security practices. With massive data breaches at Experian®, Geico®, Facebook®, Estee Lauder® and dozens more, cybersecurity has emerged as a hot button topic for industries across the board — this is especially true for insurance companies in the past ten years. The relevance of cybersecurity best practices and insurance coverage for ministries is no exception, but often solutions for nonprofits are overlooked in the larger conversations of cybersecurity.
In response to this, GuideStone® released a cybersecurity liability white paper, How to Protect Your Church or Ministry Against Cyberattacks. In it, we found that 43% of all cyberattacks target nonprofits in the U.S. and Canada. The threat is real, but historically it has been challenging to understand and explain how churches and ministries should respond to these risks. To begin the important process of assessing your own ministry’s cyber risk, consider these four practical steps.
1. Churches and ministries should understand some general facts about how their cybersecurity should function alongside their daily operations.
- 90% of cyberattacks can be avoided because they are due to human error. It starts with training employees to implement safe passwords, spot potentially malicious emails and understand the risk of using public Wi-Fi, among other security best practices. Your organization may want to consider installing firewalls on networks with updated security patches. The impact of proper security awareness among employees cannot be understated and is the best line of defense against security breaches due to human error.
- The legal landscape of cybersecurity extends further than church or ministry property. Certain laws govern what an organization must do when a data breach occurs. These are primarily at the state level; however, since the internet extends everywhere, an organization based in Texas could have a lawsuit filed against them for a data breach that affected a person living in California. Those laws often include regulations for notifying all affected or possibly affected individuals whose personal information has been compromised.
- Most state laws require any entity that maintains personal information to protect the privacy of that information. When entities fail to keep the personally identifiable information (PII) private, they will be subject to penalties and fines and will likely suffer a significant impact to their reputation. Organizations should implement and maintain reasonable procedures to protect the privacy of the information.
- Cyberattacks can arise from computer viruses unintentionally spread through emails and websites. Imagine a church or ministry member opening an email from your ministry with a virus or malware that shuts down their work computer or network indefinitely. His or her trust in your ministry will be broken simply because of weak cybersecurity, potentially affecting the reputation and goals of your mission.
- Ransomware may be a huge problem for any Organization that uses computers. Cybercriminals use ransomware to restrict the use of systems or threaten the leak of personal information — unless the victim organization pays a ransom. If your organization becomes a victim of ransomware, you could forfeit years of ministry data or even the financial information of employees, donors and recipients.
2. Churches and ministries should know that their response to a security breach can be just as important as prevention.
When it comes to cybercrime, authorities are generally looking for the prevention basics:
- Regularly updating passwords
- Updating virus and malware protection on devices
- Requiring Wi-Fi sign-in or password credentials
- Following other common-sense approaches to security
However, when your organization moves from prevention practice to a proactive response because of a serious data breach, your next steps are crucial from a lawsuit and liability perspective. Having a partner in your insurance company that provides coverage and case management breach services is essential to fulfilling each state’s law(s) on cybersecurity.
3. Churches and ministries should take time to evaluate their cyber liability protection insurance needs.
Many believe that only huge companies like Amazon®, eBay®, Bank of America® and Experian would need liability insurance for their online presence. In reality, 43% of all cyberattacks target nonprofits and ministries. Your church should consider adding cyber liability coverage if any of the following apply to your ministry:
- You digitally store PII, including names, addresses and donation records.
- You have a website and/or social media presence where you post photos, broadcast services or share prayer requests.
- You collect and digitally store health information for participants of church or ministry-related activities.
- You send and receive emails.
- You collect money or retain copies of deposited personal checks digitally. If your ministry regularly conducts any of these activities, you should consider adding cyber liability coverage to your property and casualty insurance package.
4. Churches and ministries should ask these ten questions when choosing cyber liability coverage.
The good and bad thing about cyber liability protection insurance is that not many players or carriers write it, limiting your coverage options but making it less complicated than some other forms of insurance.
Ask these ten questions when shopping for cyber liability protection insurance:
- Is it affordable?
- Does it cover lawsuits filed against your ministry for computer use such as web postings, copyright infringement or unintentional transmission of viruses and malware?
- Does it cover damages by unauthorized electronic funds transfers (EFTs)?
- Does it include coverage for emotional injury connected to electronic (computer) privacy violations?
- Does it cover case management to rectify a data breach?
- Does it cover costs incurred in response to electronic discovery requests?
- Does it cover costs incurred with a response to subpoenas, regulatory actions and injunctions resulting from computer use, e-commerce or data breach errors?
- Does it include coverage for fines, penalties and/or punitive damages (if permitted by law)? If so, what are the limits?
- Does it include coverage for ransomware attacks and other coercive online fraud schemes?
- Does it include coverage to rebuild your computer data and media in the case of a virus or hack and replace the computer hardware if the virus or hack causes it to be destroyed?
Asking these ten questions as you look at your cyber liability protection insurance options and evaluate your ministry’s risk is essential. Remember, GuideStone is here to help as your partner in ministry-focused risk management and wellness.
For more information, contact us at CSR@GuideStone.org or (214) 720-2868, Monday through Thursday, from 7 a.m. to 4:30 p.m. CT and Friday, from 7 a.m. to 4 p.m. CT. To learn about coverage options and get a quote, complete the form here.