An All-Too-Common Scenario
By 2019 the scenario has become all too familiar. Cybercriminals use social engineering to bypass technical safeguards and infiltrate email systems, bank accounts, credit card accounts, member databases, and other stores of sensitive data. They then use that data to steal money and identities, to create access for future attacks, or, when the data is personally compromising, as leverage for extortion. The financial results can be devastating.
How Does This Happen?
In the most widespread version, attackers first gain access to someone's email account and quietly read conversations, noting due dates on project payments or bills, the amounts owed, and the specific wording of the discussions. Because they now hold such precise information, they can pose as a trusted party making a request that looks entirely legitimate. They often use fear as a trigger to get the recipient to "act right now" to avoid consequences for the church or for the employee personally, for example: "Since you haven't paid your bills, we are going to penalize you, expose your negligence, or impose embarrassing delays or restrictions."
Earlier this year, a Catholic church in Ohio fell prey to exactly this type of attack and was induced to send $1.75 million to cybercriminals. In the middle of a large construction project, the church was contacted by its general contractor, who expressed concern that the church had missed its last two monthly construction payments. The staff in charge of the project were horrified; they had been conscientious about paying everything on time and even had proof that the disputed wires had gone through. FBI investigators later determined that the hackers had penetrated the church's email system and had then posed convincingly as the construction company's principals. From that position of trust, the hackers told the church that the contractor's bank routing and account information had changed, and the church sent its payments to the criminals' accounts rather than to the general contractor's. The lesson for anyone who approves payments: a change in a vendor's bank details should be confirmed by calling the vendor at a number already on file, never by replying to the email that announced the change, because when the mailbox is compromised that reply goes straight to the attacker.
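As an added illustration of the scenario above (this is not code from the original post), the following Python script shows the kind of check a payments desk or mail filter can apply before any wire goes out: it parses each message, detects language announcing a change of bank or routing details, and holds every such request for out-of-band verification while recording the additional warning signs an attacker's message typically carries. The vendor address list, the phrase patterns, and the three messages are constructed sample data and assumptions for illustration.

```python
"""Hold payment-detail changes for out-of-band verification.

Added example for the business email compromise scenario above; not part of
the original post. Vendor contacts, phrase patterns and messages are
constructed for illustration.
"""
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed: vendor addresses the church has previously confirmed by phone.
KNOWN_VENDOR_CONTACTS = {"billing@acme-construction.example"}

# Assumed phrasing of a payment-detail change, in either word order:
# "updated bank details" or "bank routing and account information has changed".
CHANGE_PATTERN = re.compile(
    r"\b(new|updated|changed|different)\s+(bank|routing|account|wire|wiring)\b"
    r"|\b(bank|routing|account|wire|wiring)\b.{0,60}?\b(changed|updated|new)\b",
    re.IGNORECASE | re.DOTALL,
)
# Assumed pressure words used to make the recipient "act right now".
URGENCY_PATTERN = re.compile(
    r"\b(immediately|right now|today|overdue|penalt\w*|missed)\b", re.IGNORECASE
)


def domain_of(addr):
    """Lower-cased domain part of an address, or '' if there is none."""
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def assess_message(raw):
    """Classify one RFC 5322 message (given as a string) for the payments desk.

    Returns a dict with:
      change_request - True if the body announces new bank/routing details
      signals        - extra warning signs found in headers or body
      action         - 'hold_and_verify' or 'normal'
    """
    msg = message_from_string(raw)
    _, from_addr = parseaddr(msg.get("From", ""))
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    body = msg.get_payload()  # sample messages are single-part text

    signals = []
    if from_addr.lower() not in KNOWN_VENDOR_CONTACTS:
        signals.append("sender is not a previously verified vendor contact")
    if reply_to and domain_of(reply_to) != domain_of(from_addr):
        signals.append("Reply-To domain differs from From domain")
    if URGENCY_PATTERN.search(body):
        signals.append("message pressures for immediate action")

    change_request = bool(CHANGE_PATTERN.search(body))
    # Decisive rule: any change of payment details is held for a phone call to
    # a number already on file, even when the From address is a known vendor
    # and no other signal fires. In the Ohio case the request came from the
    # contractor's own compromised mailbox, so sender checks alone would pass it.
    action = "hold_and_verify" if change_request else "normal"
    return {"change_request": change_request, "signals": signals, "action": action}


# Constructed sample messages.
MSG_ROUTINE = """From: billing@acme-construction.example
To: finance@stmary.example
Subject: Invoice 1042, March draw

Attached is invoice 1042 for the March draw. Payment is due on the 15th per the
contract schedule. Thank you.
"""

# Sent from the real vendor address after that mailbox was compromised.
MSG_COMPROMISED = """From: billing@acme-construction.example
To: finance@stmary.example
Subject: Missed payments on the building project

Our records show the last two monthly payments were not received. Please note
our bank routing and account information has changed effective immediately.
Wire the overdue amounts to the new account below today to avoid penalties.
"""

# Sent from a look-alike domain with replies routed to a webmail account.
MSG_LOOKALIKE = """From: billing@acme-constructlon.example
Reply-To: acme.billing@webmail.example
To: finance@stmary.example
Subject: Updated bank details

We have updated bank details for the project. Please send the next draw to the
new account immediately.
"""


def triage(messages):
    """Return [(subject, action, signals)] for a batch of raw messages."""
    out = []
    for raw in messages:
        verdict = assess_message(raw)
        subject = message_from_string(raw).get("Subject", "")
        out.append((subject, verdict["action"], verdict["signals"]))
    return out


if __name__ == "__main__":
    for subject, action, signals in triage([MSG_ROUTINE, MSG_COMPROMISED, MSG_LOOKALIKE]):
        print(f"{action:16} {subject!r}")
        for s in signals:
            print(f"{'':16} - {s}")
```

The point of the design is the last rule in assess_message: the compromised-mailbox message passes every sender check, so the hold must key on the request itself, not on who appears to have sent it. The other signals are there to tell the finance staff how suspicious the message is, not to decide whether the phone call happens.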
What happens when a church suffers this type of loss? Sadly, most general liability and professional liability policies do not cover this increasingly common kind of injury. This is where cyber insurance comes into play.
What Is Cyber Insurance?
Cyber insurance, also referred to as cyber risk insurance or cyber liability insurance, is a policy designed to help an organization mitigate its risk exposure by offsetting the costs of recovering from a cyber-related security breach or similar event. Malware, ransomware, and distributed denial-of-service (DDoS) attacks are the conventional triggering events: the first two compromise networks and sensitive data, while a DDoS attack takes systems offline. Social engineering fraud of the kind described above is a separate exposure, and policies differ on whether and how they cover it.
Does My Church Need Cyber Insurance?
Yes, most likely, you do.
Cybercrime is on the rise; this is no mystery to anyone today. Both the frequency and the ingenuity of cybersecurity incidents keep increasing. As churches adopt more applications, devices, and other technology components and services to enable ministry, their attack surface grows with them. Just as businesses insure against business interruptions, natural disasters, and physical risks, churches need insurance coverage for cyber threats. And if you are like many churches, your general liability and professional liability policies likely do not address your exposure to cyber risks.
In the church context, errors and omissions insurance (also known as professional liability insurance or malpractice insurance) is designed to protect church staff or pastors accused of errors and negligent acts committed in the course of ministry activities. Because this type of coverage is not offered under a general liability policy, E&O is vital for churches seeking protection from bearing the full cost of defense and damages that may arise in a lawsuit. But merely obtaining a standard E&O policy may not be sufficient.
Typically, E&O insurance in the church context covers exposure in areas such as pastoral liability (damages that may arise from pastoral counseling, such as sexual misconduct, invasion of privacy, and defamation), counselor's liability (neglect or omissions that may occur in vocational counseling, educational therapy, or learning disability therapy), and abusive acts liability (coverage for staff or volunteers acting on behalf of your church or religious organization who are accused of actual or threatened abuse).
It is important to note, however, that many E&O policies do not cover the types of cybercrime exposure that are becoming increasingly common. Church leadership must confer with their insurance counsel to ensure that they have obtained proper coverage for the types of cyber-attacks to which they are vulnerable.
In this Enable blog series, we have covered numerous ways to protect your staff, systems, and data. If implemented conscientiously, measures such as multi-factor authentication, password management, security training for staff, enforcement of security policies, email security practices, business continuity planning, managed firewalls, disk encryption, consistent patching, and SIEM tooling can all significantly reduce the likelihood that a church falls prey to the kinds of cyber-attacks we have been discussing. Nevertheless, in the rapidly changing environment of cybercrime in which we all now operate, we believe that churches that desire to be faithful stewards must consider the available cyber insurance options carefully.
Some Practical Considerations
Most insurance providers can tailor policies to need and size. Common coverage components include:
- Theft and fraud – Covers loss of the policyholder's data or funds as the result of a criminal or fraudulent cyber event, including theft and fraudulent transfer of funds. Check whether transfers the policyholder itself made under deception, as in the Ohio case, are included: this is often sold separately as social engineering or funds transfer fraud coverage, and it frequently carries a lower sub-limit than the rest of the policy.
- Forensic Investigation – Covers the legal, technical, or forensic services necessary to assess whether a cyber attack has occurred, to determine the impact of the attack, and to stop an attack.
- Business Interruption – Covers lost income and related costs where a policyholder is unable to conduct business due to a cyber event or data loss.
- Extortion – Covers the costs of investigating threats to attack the policyholder's systems, and extends to payments to extortionists who threaten to obtain and disclose sensitive information. Ransomware demands are typically handled under this component.
- Computer Data Loss and Restoration – Covers physical damage to, or loss of use of, computer-related assets, including the costs of retrieving and restoring data, hardware, software, or other information destroyed or damaged as the result of a cyber attack. Be aware that many carriers have an absolute exclusion in their policy form for the replacement, reproduction, and restoration of data lost or damaged during a security breach or other error or omission, so read the form itself rather than relying on the coverage name.
- There are many additional coverage options as well, e.g., rogue employee coverage, privacy liability, media liability, privacy notification costs, etc. Some of these may apply to your specific church situation, and some may not. Your insurance counsel should be able to guide you to the choices that make sense for your circumstances. As with all financial decisions, stewardship demands prayerful consideration of the costs and the benefits derived.
Comparing Policy Forms and What to Look Out For
- Identify your unique risks. The first step in buying cyber insurance is to understand the nature and the extent of the risks facing your organization.
- Identify the limit structure (coverage, aggregate policy, sub-limits imposed).
- Are data breach expenses covered at all, and if so, are they inside or outside the policy limit?
- Is there coverage for inadvertent disclosures (e.g., a lost cell phone or laptop holding unencrypted data)?
- Understand the “triggers.” It is essential to understand what activates coverage under your cyber policy.
- Is there coverage for violation of the insured’s privacy or data handling policies?
- What coverage restrictions are imposed?
- What are the proposal’s subjectivities or conditions (underwriting requirements)?
- Does the application contain a warranty statement? If so, the answers you give about your security controls (such as whether multi-factor authentication is enforced on email) become conditions of coverage, and an inaccurate answer can give the carrier grounds to deny a claim.
- Available risk management services: what loss prevention tools are available? Are there any fees associated with these services?