Cyber Risk for churches
There’s no denying that our reliance on technology is growing at a rapid pace as society evolves. And while there are opportunities for organisations of all types, including churches, to benefit from this evolution, there is a dark side that warrants consideration and a bit of risk planning.
You don’t have to look too far back to a time before social media existed, for example. Some thought it was a bit ‘Emperor’s New Clothes’ but Facebook, Twitter and Instagram all now feature (alongside websites) in many a church's outreach and communications strategy.
Even at the most basic level, churches like yours are using computer systems of one kind or another as you carry out your regular activities. From administering your Gift Aid scheme and membership database through to song projection and running multimedia services - like it or not we’re all edging nearer and nearer to digital living.
Risks for churches
Maybe your church already takes advantage of some of these technologies. Even the most tech-averse will likely, as a minimum, hold members' data electronically.
This dependence on systems and data means the consequences of failure and downtime are much greater than at any other time in our history. Sadly, therefore, some unscrupulous individuals - often linked to organised crime and terrorism - are keen to exploit that for their own financial gain.
But hang on, is a church or a charity really that likely to experience a cyber-attack?
A report commissioned by the Department for Culture, Media & Sport (DCMS) found that as many as 22% of voluntary & community organisations have identified security breaches or attacks in the last 12 months.
The Cyber Security Breaches Survey 2019 showed that for larger charities that rose to 52% - hackers don't often know what type of organisation they're targeting.
It is arguable therefore that there is a greater chance of a church suffering a cyber-attack than any other risk it faces.
And the average cost of dealing with lost data or assets was estimated at over £9k.
Yet the research revealed that only 6% of small charities (45% of larger ones) have specific cyber insurance in place to protect themselves from these costs and losses. Of those with the cover in place 12% have needed to claim on the policy.
The human factor
Of course, you could have the most robust IT security on the planet but if your church staff have been compromised, corrupted or conned into action there’s not much you can do. With systems being so advanced it’s often easier for hackers to target an employee.
Breaches can occur simply as a result of human error or impaired judgment too - forgetting to apply security patches and software updates or losing a device in a public place for example. Even following their most disruptive incident in the last 12 months, 29% of the charities consulted for the DCMS survey chose to take no remedial action to prevent or protect their organisation from further breaches!
So let’s just pause here. Cybercrime is not an IT issue – it’s a wider organisational issue because it can result in loss of time, church income and reputation. Think about the tech giants Carphone Warehouse and TalkTalk for example - major companies with whole departments devoted to IT security but who still came a cropper (in Carphone Warehouse’s case, twice).
A quick word about financial penalties for failings and breaches
The data regulator, the Information Commissioner’s Office (ICO), has the power to issue fines of up to €20m for major breaches under the recently implemented GDPR regulations. For more minor breaches that figure is halved. Regardless, what would a fine from the regulator do to your ability to continue operating – in financial terms and reputationally?
Into this digital landscape comes a whole new breed of insurance under the banner Cyber. It can come in various guises. For example, some church insurance policies might include an element of cyber cover (usually as an extension under a different section) but this is quite basic in terms of scope and indemnity limit (the maximum amount it will pay out), so caution needs to be exercised.
You should involve your church insurance provider in the conversation to make sure you’re getting the best advice for your own needs.
For your peace of mind, your chosen insurance expert should be able to exhibit a sound understanding of Cyber Liability cover and have a pragmatic approach when relating the risks to your church. They’ll also keep in touch with developments, updating their knowledge as any new exposures arise.
Robust protection comes in the form of dedicated Cyber Liability Insurance which offers all you’d need following a data loss or security breach. It typically covers things like the costs of forensic investigation, data recovery, PR & reputational damage limitation, losses to third parties as a result of the breach and even the defence costs of any ICO investigation and, crucially, the resulting civil fine.
What does cyber insurance typically cover?
The various heads of cover can be broken down into 2 main provisions: 1) costs your church may incur and 2) amounts you may be liable to pay to others.
1) Costs your church may incur as a result of an incident
Breach Costs - Practical support in the event of a data breach (electronic or otherwise) including forensic investigations, legal advice, notifying data subjects or regulators, and offering support such as credit monitoring to affected members.
Crisis Containment - In the event of a data breach, prompt, confident communication is critical to help minimise the damage to an organisation’s reputation. A leading public relations firm is engaged to provide expert support, from developing communication strategies to running a 24/7 crisis press office.
Cyber Business Interruption - Compensation for loss of church income, including where it is caused by damage to your reputation, if a hacker targets your systems and prevents your church from receiving income - perhaps Gift Aid, offerings or revenue derived from the hiring out of premises. How else would you survive this type of catastrophe?
Cyber Extortion - Protects you if a hacker tries to hold you to ransom, covering any final ransom paid as well as the services of a leading risk consultancy firm to help manage the situation.
Hacker Damage - Reimbursement for the costs of repair, restoration or replacement if a hacker causes damage to your websites, programmes or electronic data.
Cyber Crime - Covers direct financial loss following an external hack into your computer or network. This could be theft of money, property, or your digital assets.
Telephone Hacking - Pays the costs of unauthorised telephone calls made by an external hacker following a breach of your computer network; includes traditional fixed-line telephony systems, as well as online systems (VoIP, Skype, etc).
2) Amounts you may be liable to pay to other parties
Privacy Protection - Pays to defend and settle claims made against you for failing to keep personal data secure including the costs associated with regulatory investigations and settlement of civil penalties levied by regulators where allowed.
Multimedia Liability - The policy includes protection if you mistakenly infringe someone’s copyright by using a picture online for example, or inadvertently libel a third party in an email or other electronic communication.
Cyber risks are very real and are only set to increase over time. As part of your overall risk planning you should consider the likelihood and implications of a cyber-attack or data breach (including the ICO’s fine levels) and whether your church could survive that financially.
You’d be wise to consult your insurance provider and get the most up-to-date advice if you’re looking at arranging cover for the consequences of a loss. Just make sure that they know what they’re talking about, specifically in relation to your church's activities and how the cover would apply in real terms.
Don’t forget you’ll also benefit from those other specialist professional services that cover provides – expertise that is waiting in the wings and will step in to help you deal with the practicalities of such an event.
Comprehensive cover is available for your church and rest assured that it’s not just the larger churches or those with deep pockets that can afford this cyber insurance protection.