INDUSTRY GUIDE

Cyber insurance for the nonprofit industry

See how a new approach to cyber risk can help nonprofit organizations protect their clients and causes from costly and disruptive attacks.

Why cyber insurance is critical for nonprofit organizations

Nonprofit organizations play a valuable role in advocating for their clients, improving communities, and positively impacting the lives of many. They also face unique cyber risks due to their handling of sensitive individual data and reliance on donations. The financial and personal data typically handled by nonprofits make them an attractive target for attackers seeking to exploit the valuable data for monetary gain.

Nonprofits often have limited resources and tight budgets, which can hinder their ability to invest in comprehensive cybersecurity solutions and staff training. As a result, they may not have the necessary expertise or systems to detect and respond to cyber threats effectively.

A cyber attack targeting a donation system or website can severely impact a nonprofit's ability to raise funds and can even expose donors to scams or fraud. Cyber incidents involving technology could expose sensitive data and lead to costly data breaches that damage the organization's reputation and credibility and cause significant financial losses, which reinforces the importance of cyber insurance for nonprofits.

How bad could one small security incident be?

$98,000

Average cost of a cyber claim for nonprofit organizations

58%

Percentage of cyber attacks originating from email inbox

$172,000

Average ransomware loss for nonprofit organizations

Unique exposures for nonprofit organizations

How essential technologies can create cyber risk

Client intake and case management software

Many nonprofits provide services directly to their clients and use tools to determine eligibility and needs and to track services delivered and progress over time. These systems are not only essential to the operations of the organization but often contain sensitive personally identifiable information about clients receiving services.

Donor management systems (DMS)

BIM software is used to create 3D models and help with planning, coordinating, and managing project costs. While BIM software can improve efficiency and reduce errors, the data it relies on exposes organizations to cyber risk in the event of a breach. 

Online fundraising platforms

These platforms enable nonprofits to collect donations online, which is vital to the health of an organization. However, if a platform is compromised, cyber attackers can gain unauthorized access to donor information and potentially steal funds.

Mobile applications

Some nonprofits deploy mobile apps to reach wider audiences, facilitate donations, and raise awareness. If the applications are not secure, they can provide an entry point for hackers to access user information or perform unauthorized transactions.

Social media

Nonprofits utilize social media platforms for outreach, fundraising, and creating awareness. However, cybercriminals can exploit this increased online presence of nonprofits through social engineering techniques to steal sensitive information or launch phishing attacks.

Websites

Nonprofit websites provide information about the organization's mission and projects, and they collect user data. But if they lack proper security, websites can become vulnerable to hacks and expose sensitive user information.

How sensitive data can increase business liability

Board member information

Cyber attackers may target data pertaining to board members or other nonprofit leaders to gain unauthorized access to personal details, including contact information, professional backgrounds, or financial holdings. This information can be used for spear-phishing attacks or extortion attempts.

Donor information

Nonprofits typically maintain records about their donors, including names, addresses, contact information, and donation history. This data can be targeted and used for identity theft or sold on the dark web.

Financial data

Nonprofits may handle financial information, such as bank account details, credit card information, and transaction records. Cybercriminals can exploit vulnerabilities to gain unauthorized access to these records and conduct fraudulent activities.

Grant applications

Cybercriminals may target grant applications to gain access to sensitive information about a nonprofit’s plans, finances, or projects. This data can be used for corporate espionage or sold to competitors.

Volunteer information

Nonprofits often collect personal information about volunteers, including names, addresses, and background checks. Cyber attackers may use this information for identity theft or to glean additional details about people affiliated with the organization.

Business impacts for nonprofit organizations

What to expect after a cyber incident

Direct costs to respond

Responding to a cyber event typically involves numerous direct costs, also known as first-party expenses. If a nonprofit organization experiences a data breach involving PII, it will need to respond promptly, which means additional legal counsel, forensic investigation, victim remediation, and notification to comply with regulatory requirements. Simple investigations can cost tens of thousands of dollars, while more complex matters can increase costs exponentially.

Liability to others

Navigating the patchwork of laws and regulations after a security incident or data breach is especially difficult for organizations that operate in a highly regulated industry. A data breach or security failure can trigger liability to third parties and cause bodily harm or injury, even if the management of financial records is outsourced and the organization is otherwise in compliance with applicable regulations.

Business interruption and reputation damage

A cyber event that impacts essential technology can have a significant impact on a nonprofit's ability to operate and can be highly visible to donors, beneficiaries, and other stakeholders. Even short periods of disruption can lead to direct loss of revenue and inhibit an organization's ability to champion a cause, negatively impacting not only donor retention but also the delivery of essential services.

Cybercrime

Beyond ransomware and data breaches, cyber events can result in financial theft for a nonprofit or its supporters — often without an actual breach. If an attacker dupes someone in the billing department to alter payment instructions, an organization can lose tens or hundreds of thousands of dollars almost instantly. Attackers can also gain access to email accounts and send fraudulent invoices or payment instructions to donors, beneficiaries, and other third parties.

Recovery and restoration

After a cyber event, resuming operation is no easy task. If an attacker damages or destroys essential technology, data, or physical equipment, an organization may need to bring in external support or purchase new equipment to re-secure systems. Full remediation, restoration, and recovery can take a significant amount of time, when possible, and may require purchasing new software, systems, and consultants to rebuild the network.

CYBER INSURANCE BUYER’S GUIDE

Choosing the right cyber coverage for your business

Cyber insurance is an essential aspect of modern risk management, offering coverage for the losses associated with data breaches, cyber extortion, business interruption, and other cyber-related incidents. 

Coalition created a Cyber Insurance Buyer's Guide to help businesses navigate the complex cyber insurance market and confidently select the right coverage for their business.

Get an Active Insurance quote

Ask your cyber insurance broker about Coalition Active Cyber Insurance. Not connected with a broker? We’ll connect you with one of our trusted experts.
