Subscribers | Charities Management magazine | No. 114 Early Summer 2017 | Page 6
The magazine for charity managers and trustees

Cyber and data breach insurance for charities

Compared with any other organisation that holds data, charities face the same, if not greater, risks to their operation should they experience a cyber attack or data breach. The recent cyber attack on the NHS, and subsequent attacks elsewhere with more sophisticated ransomware, show how even the best protected systems can have their security breached and how detrimental and destructive this can be to an organisation.

By their very nature, charities are very likely to hold sensitive records with details of all their service users. These could include details of vulnerable adults, children and their medical records. In addition, there may be in-depth financial details of service users and of donors too.

It is essential in the current climate that charities ensure they have in place relevant and adequate cyber and data breach insurance to cover them, should the worst happen.

Cyber-related losses are now the largest recorded category of offence in the UK, overtaking physical crime, and data is now more valuable to criminals than physical assets.

Cyber losses currently cost the UK economy around £27bn per year, with the average cost of a cyber breach for a small business reaching anywhere between £75,000 and £311,000.

Main threats for charities

There are many cyber threats currently facing charities, with the main threats including the following:

  • Systems interruption by malware.
  • Phishing (attempts to obtain sensitive information such as usernames, passwords, and credit card details, often for malicious reasons, by disguising as a trustworthy entity in an electronic communication).
  • DDoS (Distributed Denial of Service).
  • Cyber extortion.
  • Rogue or disgruntled employees.

Could this happen to you?

Charities are not immune to cybercrime. Indeed, some may be more at risk than other organisations, due to the volume of sensitive personal data they may hold and the importance of their reputation.

The real life examples below happened over the last few years; could this sort of thing happen to your charity and are you covered if it does?

Ransomware attack

The NHS experienced a crippling ransomware attack that affected large swathes of the NHS across the UK. The disruption and effects of this attack are still being felt by many organisations. In total, the attack hit 200,000 victims in 150 countries around the world.

The main reasons that the NHS fell victim to this attack were that computers across the NHS had not been updated and that they were still using the outdated Windows XP operating system.

Like the NHS, many charities simply don’t have the resources to provide their organisation with up-to-date systems and regular system updates. Therefore, they too are at risk from potential attacks.

Hidden viruses

A number of Irish hospitals were suspected of being hit by the recent international cyber attack on the NHS. It was uncovered, however, that these hospitals had been targeted by a different, older virus, in which around 52,000 PCs and 2,350 servers in Ireland's Health Service Executive had been attacked. In response to both the older attack and the threat of the global ransomware attack, they all had anti-virus software deployed by a team of IT experts to counteract the threats posed, and this fast-acting response prevented further damage and disruption.

Following a download

A third-party payment provider experienced a significant cyber attack when two employees opened an infected Word document which downloaded CryptoLocker malware onto the business's network.

This damaging data breach affected 5,000 customer records. Users within the business were prevented from accessing their own data and the entire network was down for over 32 hours, incurring a claim totalling £48,000.

Denial of Service

A business suffered a persistent Denial of Service cyber attack which affected all its websites. The wider issue became apparent once the websites were back up and running. As soon as the customers logged on to their accounts, they could view another customer’s details including all their financial information. This incurred a claim totalling £62,000.

Key insurance areas

All charities need to ensure that they have the following cover, should an attack happen:

FORENSIC RESPONSE. There should be a forensic team to provide a rapid response and quick action. This is critical as a hacker may still be on your network, extracting data, without your knowledge. The forensic team should monitor and rectify this to protect your business quickly and effectively.

LEGAL RESPONSE. There should be legal advice to provide support and protect your charity following an attack. With legal cover provided within your insurance policy, you are ensuring that you can get the legal advice you need, when you need it.

PUBLIC RELATIONS RESPONSE. A charity's reputation is a vital asset and needs protecting. By ensuring that your cover includes public relations support and advice, you are ensuring that any impact on your charity's reputation is covered.

Event management

Following a cyber attack or data breach you will need ongoing support to get your systems back up and running and to safeguard you against future attacks. This is known as "event management".

IT systems are critical for performing day to day business activities, but any downtime due to a cyber attack is not covered by a standard business interruption insurance policy. Make sure that your policy includes the following:

  • Notifications to other parties.
  • Credit monitoring.
  • Data restoration.

Other elements you need to be covered for include:

  • Network Interruption.
  • Loss of income and operating expenses.
  • Fund transfer fraud.
  • Theft of personal funds of officers of the charity.

Right data breach cover

Charities need to ensure they are protected and covered against any potential data breaches. Data is often one of a charity's most valuable assets, but it is also one of the most uninsured exposures.

Adequate data protection and cover will become even more pertinent when the General Data Protection Regulation (GDPR) comes into force in May 2018. With heavy fines reaching up to a maximum of 20 million euros or 4% of worldwide gross revenue, and with the introduction of mandatory breach notifications, it is essential that charities have the right cyber and data breach insurance in place.

The GDPR will force businesses and organisations to examine closely how they prepare for and respond to data breaches. It is essential that your charity is covered for the following, as soon as possible:

  • Failure to protect personally identifiable information.
  • Failure to protect against wrongful disclosure of private or confidential information.
  • Violation of privacy regulations.
  • PCI-DSS (Payment Card Industry Data Security Standard) non-compliance.
  • Criminality.

When is cover triggered?

Let's say your charity is adequately covered, but exactly when would the cover be triggered? It would be triggered if there is a data breach, if the network is hacked and data is stolen, if a negligent employee puts private data out into the public domain, or if a disgruntled employee does the same deliberately.

Your cover would also be triggered if your network is hacked and data is corrupted, or if ransomware is introduced and the hacker threatens to corrupt the data unless you pay up.

Finally, your cyber liability cover is triggered if cyber attackers swamp a company’s website, making it impossible for donors to make donations.

How much will cover cost?

This is very much like the old saying, “How long is a piece of string?”, and this is where a trusted and reputable insurance broker is invaluable.

It is essential that your broker takes the time to understand the exact nature of your work. The broker needs to understand the type of service users that you work with, the number of records that you hold and the details they contain, along with the turnover or revenue of the charity.

Only with this level of detail can you be provided with an accurate and comprehensive package of cyber and data breach insurance cover.

It is often the case that charities are only insured for their hard assets. But now, more than ever before, they need to consider the worth of their data and the records they hold.

You may feel your computer systems are well protected, but let’s make a quick comparison with material property. You may have a burglar alarm and a fire alarm installed on your building, but this does not mean that you don’t insure the building and its contents. So, why would you install cyber security measures across your network, but not ensure that you have the right insurance cover should an attack happen?
