Churches and ministries may leverage technology to communicate their mission and manage operations, but they are often not fully aware of the significant risk of cybercrime and the potential losses that result from weak network security and weak security practices. The relevance of best practices and church cyber liability insurance for ministries and nonprofits is sometimes overlooked in the larger conversation about cybersecurity.
In response, GuideStone® released a cybersecurity white paper, How to Protect Your Church or Ministry Against Cyberattacks. We found that 43% of all cyberattacks target nonprofits in the U.S. and Canada.[1] The threat is real, but historically, it has been challenging to understand and explain how churches and ministries should respond to these risks.
Consider these four practical steps to assess your ministry’s cyber risk.
1. Understand how cybersecurity should function alongside daily operations.
- 90% of cyberattacks can be avoided because they are due to human error.[2] It starts with training employees to implement safe passwords, spot potentially malicious emails and understand the risk of using public Wi-Fi, among other security best practices. Your organization may want to consider installing network firewalls with updated security patches. Proper security awareness among employees is the best defense against security breaches due to human error.
- The legal landscape of cybersecurity extends further than church or ministry property. Certain laws govern what an organization must do when a data breach occurs. These are primarily at the state level; however, since the internet extends everywhere, an organization based in Texas could have a lawsuit filed against it for a data breach that affected a person living in California. Those laws often include regulations for notifying all affected or possibly affected individuals whose personal information has been compromised.
- Most state laws require any entity that maintains personal information to protect the privacy of that information. When entities fail to keep personally identifiable information (PII) private, they will be subject to penalties and fines and will likely suffer a significant impact on their reputation. Organizations should implement and maintain reasonable procedures to protect the privacy of the information.
- Cyberattacks can arise from computer viruses unintentionally spread through emails and websites. Imagine a church member opening an email from your ministry with a virus or malware that indefinitely shuts down their work computer or network. His or her trust in your ministry will be broken simply because of weak cybersecurity, potentially affecting the reputation and goals of your mission.
- Ransomware may be a problem for any organization that uses computers. Cybercriminals use ransomware to restrict system use or threaten the leak of personal information—unless the victim organization pays a ransom. If your organization becomes a victim of ransomware, you could forfeit years of ministry data or even the financial information of employees, donors and recipients.
2. Your response to a security breach can be just as important as prevention.
When it comes to cybercrime, authorities are generally looking for the prevention basics:
- Regularly updating passwords
- Updating virus and malware protection on devices
- Requiring Wi-Fi sign-in or password credentials
- Following other common-sense approaches to security
However, when your organization moves from a prevention practice to a proactive response because of a serious data breach, your next steps are crucial from a lawsuit and liability perspective. Having an insurance company that provides coverage and case management breach services is essential to fulfilling each state’s cybersecurity law(s).
3. Take time to evaluate cyber liability protection insurance needs.
Consider adding cyber liability coverage if any of the following apply to your ministry:
- You digitally store PII, including names, addresses and donation records.
- You have a website and social media presence where you post photos, broadcast services or share prayer requests.
- You collect and digitally store health information for participants of the church or ministry-related activities.
- You send and receive emails.
- You collect money or retain copies of deposited personal checks digitally.
4. Ask these 10 questions when choosing cyber liability coverage.
These questions will help you shop for church cyber liability insurance:
- Is it affordable?
- Does it cover lawsuits against your ministry for computer use, such as web postings, copyright infringement or unintentional transmission of viruses and malware?
- Does it cover damages by unauthorized electronic funds transfers (EFTs)?
- Does it include coverage for emotional injury connected to electronic (computer) privacy violations?
- Does it cover case management to rectify a data breach?
- Does it cover costs incurred in response to electronic discovery requests?
- Does it cover costs incurred with a response to subpoenas, regulatory actions and injunctions resulting from computer use, e-commerce or data breach errors?
- Does it include coverage for fines, penalties and/or punitive damages (if permitted by law)? If so, what are the limits?
- Does it include coverage for ransomware attacks and other coercive online fraud schemes?
- Does it include coverage to rebuild your computer data and media in the case of a virus or hack and replace the computer hardware if the virus or hack causes it to be destroyed?
You’re Not Alone in Risk Management
GuideStone is here to help in ministry-focused risk management so you can focus on the Lord’s calling in your life. For more information, contact us at InsuranceSolutions@GuideStone.org or (214) 720-2868, Monday through Thursday, from 7 a.m. to 4:30 p.m. CT and Friday, from 7 a.m. to 4 p.m. CT.
This article is for informational purposes only. It is not intended to be construed as legal advice. Readers should use this article as a tool, along with best judgment and any terms or conditions that apply, to determine appropriate policies and procedures for their church's risk management program.
[1] FSiStrategies.com/industry/nonprofit-organizations
[2] TechRadar.com/news/90-percent-of-data-breaches-are-caused-by-human-error