Considering church cyber insurance
Last December, I was meeting with an executive pastor when we discussed the issue of cyberliability. At the time, I was hearing all kinds of warnings in the media and in the insurance industry about the threat of cyberliability — but I didn’t really buy all the hype.
C’mon, what real exposures does a church have?
It’s the ‘big guys’ getting hacked, not the typical church on the corner.
Every nickel that comes through the church is a sacrificial gift. Why should we go out and spend more money on insurance when budgets are already strained?
Long story short, I really didn’t see the need for buying cyberliability insurance … but the pastor challenged me. As his partner in ministry, he asked me to really get a good grasp on the topic.
So, I committed that 2016 would be the year that I would get a better understanding of the risks, how churches can protect themselves through training, and what church cyber insurance is all about. I sat through conferences on cyberliability, subscribed to cyber theft alerts, read all the emails and blogs on the topic, and even traveled to Lloyds of London (the birthplace of insurance) to really understand what churches need.
When the editors at Church Executive asked me to write these three articles, I thought: Here’s my chance to shout from the mountaintops and be a church cyberliability ‘evangelist’!
What it all comes down to is this …
The threat is real — but not in the way you might think
In the event that your church suffers a breach, you probably aren’t going to get hit with a major lawsuit from the congregants. This is what happens to the ‘big guys.’ There are attorneys out there who are setting up class action lawsuits following a breach. Who wins in these situations? Most likely, the attorneys.
So, what is going to happen to your church?
• You will be distracted from your ministry.
• You will spend hundreds of hours and thousands of dollars — that should be spent on ministry! — doing damage control, conducting a forensic investigation, notifying everyone about what happened, paying for credit checks, and figuring out what went wrong.
In one case, a church’s HR director clicked on a link that gave a hacker access to all her employee data. It cost $15,000 just to investigate the extent of the damage … [and] repairs and response will run another $25,000, at least.
Responding to a cyber breach
It doesn’t matter if you’ve outsourced financial processing or if you don’t handle that much financial data. In the event of a breach, the laws require you to respond.
And, your response isn’t something you can leave up to volunteers, your computer geek or the church administrator. It isn’t something that can be handled on a work day. Although, by law, how you respond varies by state, the experts that need to be called in to assist your ministry are some of the top computer experts in a very specialized field. Their fees will prove this — and it will likely break the church’s budget.
Cyberliability insurance pays these costs, hires the experts you need, and guides you through the process. But, don’t go out and buy the same cyberliability insurance policy that a financial institution or a for-profit organization needs; you’ll want something that will help cover the costs to hire the experts for you. Yes, there is a chance attorneys might sue you for damages — but the insurance that every church needs covers the cost to respond, research and repair the damage to your computer systems.
Likelihood of encountering a breach
According to the recent Cost of Data Breach Study by IBM Security, there are more than 91 million security events every year. The likelihood that your ministry is next, isn’t too far-fetched.
A cyber breach is more likely than a terrorist attack … but most churches have security teams. It’s also more likely than a D&O lawsuit — but your church probably has D&O coverage.
We are seeing more than one church cyber breach every month. In one case, a church’s HR director clicked on a link that gave a hacker access to all her employee data. It cost $15,000 simply to investigate the extent of the damage — and that’s just the beginning. Repairs and response will run another $25,000, at least.
The biggest thing I’m learning about cyberliability is that it’s a growing problem. You’ll need to keep up on the topic, train your ministry teams on how to prevent it from happening, and have an insurance partner who will help you should it happen at your church. A good place to start — with free resources for training your employees — is www.churchcyberliability.com.
(And yes, since I started writing this, I have found a virus on my computer.)
Charlie Cutler is the Managing Partner of ChurchWest Insurance Services in Redlands, CA, an insurance agency that specializes in insuring churches. ChurchWest currently insures more than 3,000 faith-based organizations.