Do nonprofits need cybersecurity insurance?

One the questions we get often at RoundTable is from organizations asking whether they should get (or increase) cybersecurity insurance. This post is meant to provide as clear of a response as we can provide to that question.

Understand the risks that would require insurance

The answer to the question, “Should we get cybersecurity insurance?” starts with gaining a clear understanding of risk.

There’s a cliche in sports about a great player that goes, “You can’t stop him, you can only try to contain him.” I’m not sure of the origin, but I first heard the phrase spoken about Michael Jordan. This also applies to risk: Risk is part of existence. You can’t stop it. But there are things you can do to manage or mitigate risk.

A common term in the risk management field is risk mitigation. For many years, I found the word “mitigation” annoying in this context because I was taught by my father to never deploy the word “utilize” when “use” would do just fine. To me, “mitigate” seemed synonymous with “reduce,” a simpler word everyone understands. I’ve since changed my mind on the word “mitigate.”

Consider the consequences that would come from the risks

Let’s think about the kinds of bad things that can happen in a cybersecurity context. If we think about things like ransomware, account breaches, data loss, and fraud, there are different consequences that may apply. These may include:

  • Downtime: We can’t work, or we have to spend time fixing (or remediating, in risk management parlance) the incident
  • Reputational Damage: Our organization may suffer reputational damage from the incident
  • Financial Loss: We may literally lose money through fraud or theft, or we may have to spend money on resources to help us contain and manage the incident

4 things you can do with risk

Let’s break risk down into 4 basic actions you can take in response to it. All 4 of these taken together is where the word “mitigate” comes in: Risk mitigation is looking at your risks and deciding which of these actions to take:

  • Avoid
  • Reduce
  • Transfer
  • Accept

Avoid

Avoiding risk is the first option and generally the best if it’s available. Let’s say you’re collecting social security numbers (SSNs) of clients, and you identify that as a risk because it’s sensitive information that you’re collecting and keeping. But you also realize that you don’t use the SSNs for anything, and don’t need to collect or keep them. You can easily avoid this risk by ceasing the collection of SSNs and deleting the ones you have. Risk avoided. ✓

Reduce

This is where most of cybersecurity work happens. If you’re concerned about the risk of your email account being breached, you can’t easily avoid this risk — because it would mean not having an email account. But you can reduce this risk by having a strong password and employing two-factor authentication (also known as 2FA) to increase the security of your account.

If I’m concerned about the data loss if my email account is breached and the attacker deletes all of my emails, I can implement a backup solution to automatically backup my email account. Cybersecurity measures (or safeguards in risk management parlance) such as backups, passwords, two-factor authentication, encryption, training, and incident response are all measures to reduce the risk of various incidents.

Transfer

This is where cybersecurity insurance fits in. Transferring risk means moving the consequences of a bad thing happening to someone else. It’s making it someone else’s problem.

One example is credit card processing: Most small organizations have a third-party processor handle the credit card transactions on their website. They understand that collecting credit cards comes with risk, and they can’t avoid this because they need to accept credit cards. Reducing the risk of accepting credit cards can be quite intensive, so many organizations choose to transfer this risk to a credit card processor (such as PayPal or Stripe).

It’s the third consequence listed above, financial loss, where cybersecurity insurance most often applies. What cybersecurity insurance can do is transfer the financial risk from various cybersecurity incidents to the insurer. You pay the insurer an annual fee — say $2,000 — and in exchange, they accept the transfer of $1 million of your financial risk.

It’s important to understand that you are only transferring the financial consequences of an incident. You can’t meaningfully transfer the downtime consequences or the reputational damage consequences. That’s not to say the money you could be reimbursed by your insurer couldn’t be used to limit the downtime or reputational damage consequences, but you still haven’t transferred those risks. You keep those yourself (lucky you!).

Accept

This brings us to the last thing we can do with risk: Accept it. Going back to our email example, I can’t avoid the risk of using email because it’s a business critical tool. I’ve already reduced the risk of a breach by using a strong password and two-factor authentication. I’ve transferred the financial risk of an email breach by purchasing cybersecurity insurance.

Even with all these “mitigations” in place, I still have risks of downtime if my account is breached or I forget my password. I still have the risk of reputational damage if my email account is breached and sensitive communications are exposed to people they weren’t intended for. 

At this point, I choose to accept those remaining risks. And here’s a key point:

We are all accepting all kinds of risks right now.

I could get hit by a meteor or a stray piece of space garbage at any minute. I could reduce this risk by living underground, but I’m not going to do that. I accept that risk. What I think is most important here is understanding the risks you face, understanding what options you have to manage (mitigate) those risks and then continuing on with life.

Life is risky. That’s what makes it fun, right?

Hey, what about the original question: Should we get cybersecurity insurance or not?

If you look at your risks and see a lot of financial risk that could be effectively transferred to an insurance company through cybersecurity insurance, then the answer is a resounding YES. But please check with your existing insurance carrier to see what cybersecurity insurance you already have.

If, on the other hand, you look at your risks and see mostly risks of downtime, data loss, and reputational damage, my opinion is that you’d be better served by investing time and resources in seeing how much effort would be required to meaningfully reduce or avoid those risks.

Where to start?

Joshua Peskay, who guest-wrote this post, is also our host for Whole Whale University 5: Nonprofit Cybersecurity. This course will help you build a solid foundation for literacy around digital security. The sessions focus on both strategy and tactics, helping you to learn foundational security skills that will apply for years to come, while also delving into the specific tactics and tools that are most relevant today.

Whether you are just starting on your cybersecurity strategy, looking to help make your organization more secure, or looking to develop literacy and skills around cybersecurity, access the course for 80% off with the code WWTIPS.