In its recent report on charities and cyber-crime, the UK’s National Cyber Security Centre (NCSC) has warned charities that “cybercriminals pose the most serious threat to the charity sector” and that charities and not-for-profit organisations of all sizes are falling victim to cyber-crime with some facing devastating consequences.
In addition to the report, the NCSC has published a guide to highlight the growing risk and to help small charities protect themselves from the most common types of cyber-attack. Among its recommendations, the guide advises charities to:
- back up your data and protect it with strong passwords
- protect your organisation from malware
- keep your smartphones and tablets safe.
A wake-up call for the charitable sector
Just like businesses, charities rely more and more on computer networks, online platforms and digital information to run their day-to-day operations. So, losing access to these systems and data as a result of a cyber-attack could be ruinous both financially and reputationally.
According to the NCSC the degree to which charities understand the risks that cyber-crime poses, how well they approach the growing threat, and how seriously they are investing in cyber-security measures varies significantly across the sector.
Some charities, particularly the larger organisations with better-funded resources, are aware that their data is sensitive, valuable and vulnerable to malicious cyber-activity. However, the NCSC is concerned that there are charities, especially smaller ones, that do not regard themselves as targets and are not taking sufficient measures to protect themselves from a data breach.
Confusion, scepticism and poor uptake of cyber-liability insurance compound risks
Equally concerning is the low adoption rates of cyber-liability insurance among charities to cover financial loss, business interruption and third-party claims should a serious breach occur. According to a survey by the Department for Digital, Culture, Media & Sport completed earlier this year, just 4% of charities say that they have some kind of specialised cyber-liability insurance in place to cover attacks on their digital and online operations. While 17% of charities say they are unaware of the existence of cyber-liability insurance.
The same survey reports that the most common reason given by charities for not having a cyber-liability insurance policy is that they don’t regard the risk of a cyber-attack as likely or sufficiently damaging to warrant the cost of additional insurance. The survey also highlights that, more often than not, in a charitable organisation the individual or team responsible for cyber-security is not involved in arranging the charity’s insurance, with the result that cyber-crime often gets overlooked, or is simply not prioritised in risk assessments.
Furthermore, mixed perceptions about the cyber-liability insurance market mean that there is a degree of scepticism and confusion about exactly what this insurance covers and how effective it would be in the event of a claim. In several cases, individuals noted that these were only their perceptions, not based on first-hand experience, but that they had been discouraged from taking on cyber-liability insurance for these reasons.
How insurance brokers can help charities insure against online threats
In light of this, there is a clear role for insurance brokers to educate their clients about the risks posed by cyber-crime and to help them assess whether their current insurance provision adequately covers them against malicious cyber-activity.
In many cases, traditional insurance policies may not cover losses involving information systems, and not all cyber-liability insurance policies are the same. Equally, not all cyber-threats can be anticipated or prevented. Nonetheless, it goes without saying that an effective cyber-insurance policy combined with a range of cyber-security solutions must be part of any charity’s risk management process.
So what type of risks can cyber-liability Insurance cover?
Cyber-liability insurance can cover the costs associated with security breaches, loss of third-party data and cyber-extortion. Additionally, specific cyber-insurance can offer charities access to expert advice and assistance such as IT support, cyber forensics, legal advice and media/public relations in the event of an attack.
Certain types of cyber-liability insurance may also cover the cost of certain financial damages, penalties and fines arising from a regulatory investigation (up to agreed limits), where insurable under UK law. This can help cushion the financial impact of a cyber-attack, get an organisation back on its feet and mitigate any reputational damage that may result from negative publicity.
Here are some examples of cyber-liability insurance cover:
- Cyber business interruption cover – this insurance can make up for loss of income if, for example, a hacker accesses your network and causes damage to your systems or data, leaving you unable to operate and earn revenue.
- Breach costs – this cover may include practical support following a serious data breach. This can involve providing IT support, cyber-forensic investigators, legal advice, as well as informing clients or regulators about the data breach.
- Hacker damage cover – this insurance can meet the costs of repair, restoration or replacement of websites, programs or electronic data following a computer hack.
- Cyber extortion – this insurance covers the extortion money you might have to pay in the event a cyber-criminal tries to hold your organisation to ransom. It may also provide the services of a risk consultancy firm to help manage the situation.
- Crisis containment - this cover offers expert support to mitigate damage to an organisation’s reputation following a cyber-attack.
- Privacy protection cover – this insurance enables an organisation to defend and settle claims made against it in the event personal data is lost or stolen following a data breach. It will also pay the costs connected with regulatory investigations and settle civil penalties imposed by regulators, where allowed by UK law.
Charities need to do more to protect against cyber-crime
Faced with these findings from the NCSC and the Department for Digital, Culture, Media & Sport there can be no doubt that charities urgently need to do more to protect themselves from online threats. Certainly, there is a growing recognition that more skills and training are needed to combat the ever-increasing number of cyber-attacks against charities and that awareness of cyber-crime generally among charity personnel needs to improve markedly across the sector.
Charity Commission chief executive, Helen Stephenson CBE, has said that the potential damage of a cyber-attack is too serious to ignore, risking financial loss, reputational damage, and a charity’s ability to operate.
“Charities need to do more to educate their staff about this threat and ensure they dedicate enough time and resources to improving cyber security. We want to make sure charities are equipped to do this, and we encourage them to use the advice on our Charities Against Fraud website. We also continue to work closely with the Department for Digital, Culture, Media and Sport to help charities protect themselves online.”
Where you can find cyber-security advice and insurance
Some free online resources also exist to help charities and not-for-profit organisations find the advice they need to help them manage cyber-risk and protect their most critical assets: