While large-scale cyber attacks against businesses typically grab the headlines, churches are not immune to cyber risk. Threats can come from both external and internal sources. Smaller churches that typically do not have IT professionals on staff may be at risk from third-party vendors. And regardless of size, many churches do not have cyber security policies in place to ensure that data security procedures are implemented and followed.
Data breaches are not the only type of cyber danger that can threaten a church. Other cyber risks include malware and viruses that can hold a church’s data hostage until a ransom is paid, and phishing emails, in which cyber criminals defraud unknowing victims with an email that appears to come from a church authority but is in fact from a criminal. In 2019, an Ohio church was the victim of a hacker who illegally accessed the church’s email system and then posed as a contractor asking for payment. That church lost $1.75 million as a result.
Cyber Liability Insurance
Cyber liability insurance can protect churches from the fallout of a data breach. Coverage typically includes expenses for notifying those affected by a data breach, defending against litigation from victims or state regulators, credit monitoring, compensable losses from identity theft, and any associated fines or penalties. In addition, cyber liability insurance will cover losses from computer fraud, data destruction or loss, business interruption losses, and cyber extortion.
Cyber Security Tips
Hand-in-hand with having the proper cyber liability insurance is ensuring that church staff and volunteers are trained on ways to reduce the risk of a data breach or cyber attack. Here are some tips:
- Establish policies to protect from attack, data breach, and data misuse,
- Identify responsibilities and assign roles to management,
- Verify qualified persons are retained to monitor privacy and security,
- Establish periodic reviews of internal and external risks, and regulatory compliance,
- Establish policies to respond to an attack or breach,
- Provide adequate budgeting to allow sufficient response to risks,
- Conduct annual audits to determine the effectiveness of controls, and
- Evaluate the adequacy of insurance coverage.
It is important to note that even though a church may outsource its IT support functions, it is still incumbent upon church leadership and managers to provide and enforce policies to protect from cyber attack or security breach. Vendor contracts need to be scrutinized for data security protection measures, insurance, and indemnification for losses associated with compliance costs, theft of intellectual property, cybercrime and operational downtime.
The Church Law Center of California advises religious and secular nonprofits on governance and risk management matters. To find out how we can assist your organization, call us today at (949) 892-1221 or reach out to us through our contact page.