Case study: megachurch policy review
RISK MANAGEMENT, Security
Monday, July 28th, 2014
By Steven Robinson
Just because a church is big, doesn’t mean its cyber risks are covered
As an insurance broker who specializes in identifying cyber and media risks in church ministry, I learned long ago that just because a church is large, it doesn’t mean its insurance policies adequately cover its risks.
Particularly in the case of rapidly growing churches whose growth and outreach have been fueled largely by the effective use of media in various forms — across many platforms — insurance coverage has not kept pace.
I’m going to share a few examples of this as it relates to a megachurch whose policies I recently reviewed. For the sake of this case study, I will simply call it “Church A.” Hopefully, sharing some of my findings from this review will help your church take a more informed look at its own coverage related to privacy and communications in today’s electronic environment.
First, a bit of background.
This is just one of several great articles from “Social Media Risk Management: A Starter Kit,” an in-depth eBook from Church Executive.
Church A has campuses in multiple states across the country, in addition to a vast digital footprint. To say the least, it has effectively harnessed the use of the internet to spread its message to thousands of people worldwide, attract members, support missions, raise money and provide resources to colleagues in ministry all over the world. This is no small operation.
Like many rapidly growing churches I see, Church A purchased its insurance from a local broker and has remained loyal to this relationship for years.
While this is admirable in one sense, unfortunately, the insurance the broker provided in 2005 has remained the same, while the church hasn’t.
Here are just a few examples of what I found in the areas of cyber and media risk:
- “Cyber” coverage was being offered to Church A that contained numerous exclusions and a requirement for any “data breach” to be “electronic” in nature. What if a data breach occurred as a result of stolen paper records? What if it wasn’t actually “data” that was breached, but rather a church member’s right to privacy?
- The media/website liability section of this policy carried no coverage for violation of intellectual property rights. This is a big deal for churches using various forms of online and offline media for promotion, worship services, events, etc.
- The first-party coverages (expenses the church would have to incur itself to deal with a data breach) were not only missing important elements — such as Business Interruption, Call Center Services, Extortion, Data Restoration and many others — but several other critical data breach response coverages required that a lawsuit first be initiated before coverage would kick in. This was perhaps the most egregious requirement of this particular policy.
- Coverage limits were disproportionately low. For instance, estimates for the per-record direct cost of a data breach vary widely, anywhere from $10 to $70. In this case, Church A had giving information on more than 100,000 individuals. At the low end, a complete data breach could cost as much as $1 million; yet, the church’s limit was $250,000, and the coverage was rife with exclusions.
Don’t let this happen at your church
Here are a few things to look out for to make sure your own church doesn’t find itself in the same coverage situation after a claim occurs:
- In the website / media liability section of your cyber risk policy, make sure that “media material” is not limited to “websites owned by the insured.” (You do have a cyber risk policy, right?!) You want to make sure that your church’s use of websites it doesn’t “own” — Facebook, Twitter, Instagram, etc. — is covered for allegations against your church for personal injury.
- It’s important to examine what some policies will refer to as “covered media activities.” Is it limited solely to websites, or are the definitions more broad to include publishing of written material, videos and so on? The broader, the better.
- Check your limits. It’s becoming increasingly common for the limits in a cyber risk policy to be the same for both liability coverages and first-party, out-of-pocket coverages such as privacy breach notification, legal assistance, IT forensics, PR assistance, credit monitoring and e-business interruption. These first-party coverages are the first to get tapped in a cyber event, so make sure they aren’t sub-limited to extremely low levels.
It’s essential to team with a broker that not only understands cyber risk policies, but also their application in the church environment. Covering these gaps doesn’t have to be terribly expensive — but the price of getting it wrong can be.
Steven Robinson is Area President, Technology & Cyber, at Risk Placement Services, Inc., an Arthur J. Gallagher & Co. division, in Cambridge, MD.