Give your charity the best chance of surviving a cyber breach
There’s no denying that our reliance on technology is growing at a rapid pace as society evolves. And while there are opportunities for organisations of all types, including charities, to benefit from this evolution, there is a dark side that warrants consideration and a bit of risk planning.
You don’t have to look too far back to a time before social media existed, for example. Some thought it was a bit ‘Emperor’s New Clothes’ but Facebook, Twitter and Instagram all now feature (alongside websites) in many a charity's marketing and donor communications strategies.
Even at the most basic level, charities like yours are using computer systems of one kind or another as you carry out your regular activities, including administering your Gift Aid scheme and supporter database. Like it or not, we’re all edging nearer and nearer to connected living.
Proven risks for charities
Maybe your organisation already takes advantage of some of these technologies. Even the most tech-averse will likely, as a minimum, hold donor data electronically.
This dependence on systems and data means the consequences of failure and downtime are much greater than at any other time in our history. Sadly, therefore, some unscrupulous individuals - often linked to organised crime and terrorism - are keen to exploit that for their own financial gain.
But hang on, is a charity really that likely to experience a cyber-attack?
A report commissioned by the Department for Culture, Media & Sport (DCMS) found that as many as 22% of voluntary & community organisations have identified security breaches or attacks in the last 12 months - hackers often don't know what type of organisation they're targeting.
The Cyber Security Breaches Survey 2019 showed that for larger charities that figure rose to 52%.
It is arguable therefore that there is a greater chance of a charity suffering a cyber-attack than any other type of risk it faces.
The average cost of dealing with lost data or assets was estimated at over £9k.
Yet the research revealed that only 6% of small charities (45% of larger ones) have specific cyber insurance in place to protect themselves from these costs and losses. Of those with the cover in place 12% have needed to claim on the policy.
The human element
Of course, you could have the most robust IT security on the planet but if your volunteers or staff have been compromised, corrupted or conned into action there’s not much you can do. With systems being so advanced it’s often easier for hackers to target an employee.
Breaches can occur simply as a result of human error or impaired judgment too - forgetting to apply security patches and software updates or losing a device in a public place for example. Even following their most disruptive incident in the last 12 months, 29% of the charities consulted for the DCMS survey chose to take no remedial action to prevent or protect their organisation from further breaches!
So let’s just pause here. Cybercrime is not an IT issue – it’s a wider organisational issue because it can result in loss of time, charity income and hard-earned reputation. Think about the tech giants Carphone Warehouse and TalkTalk for example - major companies with whole departments devoted to IT security but who still came a cropper (in Carphone Warehouse’s case, twice).
A quick word about financial penalties for failings and breaches
The data regulator, the Information Commissioner’s Office (ICO), has the power to issue fines of up to €20m for major breaches under the recently implemented GDPR regulations. For more minor breaches that figure is halved. Regardless, what would a fine from the regulator do to your ability to continue operating – in financial terms and reputationally?
A robust financial, practical and reputational solution
Into this digital landscape comes a whole new breed of insurance under the banner Cyber Liability, though it can come in various guises. For example, some charity insurance policies might include an element of cyber cover (usually as an extension under a different section) but this will likely be quite basic in terms of scope and indemnity limit (the maximum amount it will pay out), so caution needs to be exercised.
Robust protection comes in the form of dedicated Cyber Liability Insurance which offers all you’d need following a data loss or security breach. It typically covers things like the costs of forensic investigation, data recovery, PR & reputational damage limitation, losses to third parties as a result of the breach and even the defence costs of any ICO investigation and, crucially, the resulting civil fine.
You should involve your insurance provider in the conversation to make sure you’re getting the best advice for your own needs.
For your peace of mind, your chosen insurance expert should be able to exhibit a sound understanding of Cyber Liability cover and have a pragmatic approach when relating the risks to your organisation. They’ll also keep in touch with developments, updating their knowledge as any new exposures arise.
What does proper cyber insurance cover?
The various heads of cover can be broken down into 2 main provisions: 1) costs your charity may incur and 2) amounts you may be liable to pay to others.
1) Costs your charity may incur as a result of an incident
Breach Costs - Practical support in the event of a data breach (electronic or otherwise) including forensic investigations, legal advice, notifying data subjects or regulators, and offering support such as credit monitoring to affected donors.
Crisis Containment - In the event of a data breach, prompt, confident communication is critical to help minimise the damage to an organisation’s reputation. A leading public relations firm is engaged who can provide expert support, from developing communication strategies to running a 24/7 crisis press office.
Cyber Business Interruption - Compensation for loss of charity income, including where it is caused by damage to your reputation, if a hacker targets your systems and prevents you from receiving income - perhaps Gift Aid, donations or revenue derived from providing services or the hiring out of premises. How else would you survive this type of catastrophe?
Cyber Extortion - Protects you if a hacker tries to hold you to ransom, covering any final ransom paid as well as the services of a leading risk consultancy firm to help manage the situation.
Hacker Damage - Reimbursement for the costs of repair, restoration or replacement if a hacker causes damage to your websites, programmes or electronic data.
Cyber Crime - Covers direct financial loss following an external hack into your computer or network. This could be theft of money, property, or your digital assets.
Telephone Hacking - Pays the costs of unauthorised telephone calls made by an external hacker following a breach of your computer network; includes traditional fixed-line telephony systems, as well as online systems (VoIP, Skype, etc).
2) Amounts you may be liable to pay to other parties
Privacy Protection - Pays to defend and settle claims made against you for failing to keep personal data secure including the costs associated with regulatory investigations and settlement of civil penalties levied by regulators where allowed.
Multimedia Liability - The policy includes protection if you mistakenly infringe someone’s copyright by using a picture online for example, or inadvertently libel a third party in an email or other electronic communication.
Cyber risks are very real and are only set to increase over time. As part of your overall risk planning you should consider the likelihood and implications of a cyber-attack or data breach (including the ICO’s fine levels) and whether your charity could survive that financially.
You’d be wise to consult your insurance provider and get the most up-to-date advice if you’re looking at arranging cover for the consequences of a loss. Just make sure that they know what they’re talking about, specifically in relation to your charity's own activities and how the cover would apply in real terms.
Don’t forget you’ll also benefit from those other specialist professional services that cover provides – expertise that is waiting in the wings and will step in to help you deal with the practicalities of such an event.
Comprehensive cover is available for your charity. Rest assured that it’s not just the larger organisations or those with deep pockets that can afford this cyber insurance protection.