Nonprofits Aren’t Exempt From Cyberattacks
Blackbaud is a software company that provides customer relationship management cloud solutions to about 45,000 nonprofits. Its services include client data management, communications and fundraising solutions. Sometime between February and May 2020, when the world’s attention was largely elsewhere, ransomware made its way into Blackbaud’s systems. That ransomware gradually gathered up Blackbaud’s data and locked it down, holding it for ransom.
Once it learned of the hack, Blackbaud paid the ransom to have the data returned and then informed its clients. In turn, those nonprofit clients had to break the news to their donors, clients, service providers and vendors. It’s not a position you ever want to be in.
Your data is still your responsibility, even if it’s stored elsewhere
Nonprofits rely on donors, and that means data — lots of personally identifiable information (PII). Whether you store your data on-site, in the cloud or with a third-party host, your data is a target.
Some nonprofits mistakenly assume their data isn’t a target because it’s not bank or credit card data. But hackers break into networks for many reasons, most of which have nothing to do with credit cards. Selling stolen data and PII on the dark web is a huge business. A few critical pieces of data can go a long way toward building a fraudulent identity or spoofing your organization in a subsequent phishing attack. A phishing attack could lead to bank fraud, fake wire transfers or a total network failure.
Donor and client information is a liability risk
Nonprofits have gone digital. More than ever, donors and clients need to know they can trust you. And while no system is failsafe, you can show good faith by having a cybersecurity risk management plan. That plan should include cyber insurance.
Even if you don’t do a lot of fundraising online, you probably store your client data on a network. Smartphones and smart appliances connected to that network are easy targets for hackers. Once in, they could send fake emails on your behalf (spoofing) to donors, volunteers, clients or employees. The email might ask for donations through a fake link, resulting in thousands of dollars stolen. And almost as painful as the theft is the need to inform your community after the fact.
Post-hack responses are expensive, stressful and time-consuming
Depending on the extent of the hack and applicable laws, you may need to:
- Defend yourself in a lawsuit
- Pay for credit monitoring for all affected donors, clients and employees
- Issue a public statement explaining the cyberattack
- Rebuild your network data
- Shut down all affected networks (social media, websites or others) until the compromise is corrected
- Pay a ransom to have your network unlocked and data returned
- Reinforce your network security
- Report the data breach to law enforcement
- Inform all affected donors, clients and employees
- Respond to a public relations backlash
- Reassure the community that your networks are secure
- Create and issue a plan about how your organization will mitigate future cyberattacks
- Notify your vendors in case their systems have been compromised, too
Cyber insurance can help with your response plan
Cyber liability insurance doesn’t prevent your data from being stolen, but it can help a lot in the aftermath. Your coverage may be able to assist with:
- Notifying donors and clients of the breach
- Restoring the personal identities of donors and clients
- Recovering the compromised data
- Reconstructing network systems
- Paying the ransom request
- Repairing damaged computer operating systems
- Providing free credit monitoring to donors and clients
- Handling public relations efforts and responses
- Proactively mitigating risks
- Minimizing the cost of business interruptions (if the breach requires you to shut down temporarily)
Your insurance professional is a valuable resource
Talk to your insurance professional about creating a cyber protection plan. They’ll ask questions about the technology and security solutions you use, as well as your stakeholders and overall mission, so they can craft a policy that’s right for your organization.
This content is for informational purposes only and not for the purpose of providing professional, financial, medical or legal advice. You should contact your licensed professional to obtain advice with respect to any particular issue or problem.
Copyright © 2021 Applied Systems, Inc. All rights reserved.