Author: Stephanie Snyder Frenier

Nonprofit organizations remain a target for cybersecurity attacks. Threat actors tend to target organizations that manage personally identifiable information, especially those whose budgets for implementing cybersecurity controls may not be robust.
Ransomware attacks have evolved beyond encrypting networks: threat actors now also exfiltrate data and extort victim organizations to prevent widespread release of the stolen data. Targets may also include the IT suppliers of nonprofits, which can have a vicious downstream effect including subsequent network outages and business disruption. While vigilance in cybersecurity controls can help to prevent attacks, the adage of "it's not if, it's when" still rings true.
How can Cyber insurance help protect nonprofits from financial loss?
Underwriting as a proxy for controls assessment
While nonprofit organizations realize that cyber security hacks happen, they may not think that they themselves are exposed, because of their nonprofit status. In fact, threat actors tend to target organizations with limited IT security budgets.
Many nonprofits use the Cyber insurance underwriting process to better understand what security controls to prioritize, and many leverage free or discounted proactive cyber security services made available by Cyber insurance carriers to improve their posture. A dedicated Cyber insurance broker can also help to "pre-underwrite" the risk and provide resources to help identify vulnerabilities and recommend appropriate limits.
Panel vendor relationships
Most Cyber insurance carriers have a pre-vetted panel of vendors to assist with breach remediation and recovery. These vendors are critical in the frantic hours that follow a ransomware attack. Breach counsel can assist with engaging incident response vendors under the protection of attorney-client privilege.
These experienced vendors can help negotiate with threat actors, assist with processing a cryptocurrency extortion payment if needed and conduct a detailed data forensic investigation of the breach. Other vendors that may be engaged include notification services, call center operations, credit monitoring, identity theft services and public relations.
Many nonprofits don't have existing relationships with these vendors, so the importance of having a trusted Cyber insurer vet the vendors, and of having coverage for these services under the policy, can't be overstated. Trying to corral this important part of the incident response process during a crisis is not only inefficient; it could also cost critical time, as the organization would be identifying and negotiating with suitable response vendors while trying to remedy the breach.
Getting Cyber coverage right
Cyber insurance isn't a commoditized coverage or off-the-shelf product, so there are inconsistencies between various carriers' coverage offerings in terms of insuring agreements, definitions and exclusions. The devil lies in the details of the insurance policy, and working with a broker that specializes in Cyber insurance is important to ensure that the policy performs as intended.
Most Cyber insurance policies require manuscript language, which means that the broker must request amendments to the carriers' policy terms. Brokers with specific Cyber insurance expertise understand the breadth of coverage available across the entirety of the insurance market and can negotiate the broadest possible language at the best possible price. That's why, when it comes to Cyber insurance, nonprofits should work with a specialist, not a generalist.
IT supply chain exposure
An evolving trend in cyber attacks is the targeting of vendors in the IT supply chain. In 2024, numerous cyber attacks impacted nonprofits dependent on third-party vendors, which resulted in an outage or a disruption of nonprofit operations. Those incidents delayed many nonprofits from fulfilling their missions to the communities they serve.
Cyber insurance policies include coverage for dependent/contingent business interruption. This coverage indemnifies the nonprofit if a cyber attack on, or a technology failure of, a third-party vendor disrupts the nonprofit's operations. However, an untrained eye could miss nuances to this coverage. Some policies may contain sublimits, including some that attach to certain types of vendor loss triggers. Other policies may require that a contract is in place between the insured nonprofit and the third-party vendor for the policy to respond. Fortunately, due to improved market conditions and broker advocacy, many of these restrictions have been eliminated.
Nonprofits should prioritize Cyber insurance as a vehicle to protect against financial loss and ensure operational resiliency. A well-drafted Cyber insurance policy and the relationships surrounding the policy — with the broker, underwriter, panel vendors, and proactive cyber security service providers — should provide not only protection but also additional peace of mind to nonprofit organizations.