If you are a Church and Charitable Protection Plus client with Robertson Hall Insurance and have Non-Profit Directors and Officers Liability coverage included in your policy, you will also automatically have coverage for insurable Privacy (Data) Breach claims up to $250,000 for Privacy Breach Liability, inclusive of up to $25,000 for first party Privacy Breach Expenses for required notifications and costs under applicable privacy laws.
As a client organization you will also have the option to increase this coverage to as much as $1,000,000 for Privacy Breach Liability and $250,000 for Privacy Breach Expenses, subject to a completed and approved application based on your IT security protocols and an additional premium starting at $500, depending on the number of employees and the amount of personal information you retain on your computer system.
For Privacy Breach coverage in excess of $1,000,000, or for cyber insurance protection against other cyber-crime risks including the following other coverages:
Plus the following coverage and assistance:
We have access to specialty cyber insurers who can provide a quote and coverage for a wider array of cyber risks and higher coverage amounts for your organization.
Please contact our office today and speak to one of our Church and Charity Customer Service Brokers for more information about your policy, and the optional insurance protection available to your organization to cover against the risk of cyber-crime.
With the dramatic rise in recent cyber incidents affecting not-for-profits, including privacy breaches, ransomware attacks, and social engineering claims, it is now more important than ever for organizations to review their IT security protocols and to consider optional cyber insurance protection.
Cyber insurance is a specialty coverage. Most insurance companies either exclude all coverage for cyber-crimes or provide only modest coverage amounts of $10,000 or less, and only for certain risks. Specialty cyber insurers, including Lloyd's underwriting syndicates, offer more comprehensive cyber protection, subject to minimum IT security protocols being in place for preventable cyber-crime.
Another crucial part of the equation in obtaining cyber insurance coverage is having a professional cyber breach response service on board to assist your management team and board. Most cyber policies include access to a 24/7 emergency response team, with access to experts when it matters most.
Cyber policies include professional support for your organization, whether it’s obtaining proactive advice and training to avoid claims in the first place, providing you with a cyber incident mobile app to report a cyber-crime instantaneously, or providing a robust and timely response within hours of a privacy breach, cyber-attack, or fraud.
Having a professional cyber incident response will also assist your organization to minimize the damage from a cyber-crime by:
Reprinted from the Canadian Centre for Cyber Security – Cyber Security Guidance
What does a phishing attack look like?
Step 1: The bait
The scammer tailors a message to look like a legitimate one from a major bank or service. Using spoofing techniques, the message is sent to numerous recipients in the hope that some will take the bait and fall for the scam.
In phishing and whaling attacks, the scammer first gathers details about the target individual or company. For example, the scammer can harvest information from social media profiles, company websites and internet activity to create a customized message.
In “vishing” attacks, the scammer might use a computerized auto dialer (robocall) to deliver the fraudulent message to many victims.
Step 2: The hook
The victim believes the message is from a trusted source and that it contains information requiring urgent action, e.g. to resolve issues with their account.
If the victim clicks the link in the message, they will unknowingly be re-directed to the scammer’s fake version of the real website. The victim provides sensitive information (e.g. login credentials) which is sent to the scammer.
If the victim opens an infected attachment, malicious code may be executed and infect their device.
In a vishing attack, if the victim responds by pressing a number from selected options, then they may get connected directly to the scammer.
Step 3: The attack
Credentials stolen—The scammer can now access the victim’s account, e.g. email account to send more phishing emails to the victim’s contacts. If the victim is an IT professional with privileged access, then the scammer can have access to sensitive corporate data or critical systems.
Malware installed—The scammer can use the malicious software to gain control of the victim’s device, to steal their data, or lock access to their files until a sum of money is paid (as in ransomware attacks). Over the past 15 years, ransomware has become one of the most popular types of cybercrime.
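The three indicators the "hook" stage above turns on (a message that appears to come from a trusted source, a link that leads somewhere other than the real website, and pressure to act urgently) can be checked mechanically before anyone clicks. The scan below is an added illustration by the editor, not code from the Canadian Centre for Cyber Security or Robertson Hall Insurance; the two messages at the bottom are constructed samples, and the indicator rules are the editor's assumptions about what a first-pass mail filter might look for.

```python
"""Heuristic scan for phishing "hook" indicators: a Reply-To that points away
from the apparent sender, links whose visible text names one site while the
href goes to another, and urgency language. Constructed samples at the bottom."""
import re
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

URGENCY_WORDS = ("urgent", "immediately", "within 24 hours",
                 "suspended", "verify your account")


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs from an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def _domain(value):
    """Last two labels of the host in an address, URL or bare domain, lower-cased."""
    if "@" in value:
        host = value.rsplit("@", 1)[1]
    elif "://" in value:
        host = urlparse(value).hostname or ""
    else:
        host = value
    return ".".join(host.lower().split(".")[-2:])


def _looks_like_url(text):
    """True when anchor text is itself a URL or domain (the case worth comparing)."""
    return "://" in text or re.match(r"^[\w.-]+\.[a-z]{2,}(/|$)", text) is not None


def scan_message(raw):
    """Return human-readable indicators for one raw RFC 822 message; [] means none fired."""
    msg = message_from_string(raw)
    indicators = []
    from_addr = parseaddr(msg.get("From", ""))[1]
    reply_to = parseaddr(msg.get("Reply-To", ""))[1]
    if reply_to and _domain(reply_to) != _domain(from_addr):
        indicators.append(f"Reply-To domain {_domain(reply_to)} differs from From domain {_domain(from_addr)}")

    html = ""
    for part in msg.walk():
        if part.get_content_type() == "text/html":
            html = part.get_payload(decode=True).decode(part.get_content_charset() or "utf-8")
    collector = _LinkCollector()
    collector.feed(html)
    for href, text in collector.links:
        if _looks_like_url(text) and _domain(text) != _domain(href):
            indicators.append(f"link text shows {_domain(text)} but points to {_domain(href)}")

    plain = (msg.get("Subject", "") + " " + re.sub(r"<[^>]+>", " ", html)).lower()
    found = [w for w in URGENCY_WORDS if w in plain]
    if found:
        indicators.append("urgency language: " + ", ".join(found))
    return indicators


# Constructed sample: spoofed bank alert with a look-alike login domain.
PHISH = """From: "Example Bank Security" <alerts@examplebank.example>
Reply-To: support@examp1ebank-login.example
Subject: Urgent: verify your account within 24 hours
Content-Type: text/html; charset="utf-8"

<html><body><p>Your account has been suspended. Please verify immediately.</p>
<a href="http://examp1ebank-login.example/verify">https://www.examplebank.example/secure</a>
</body></html>
"""

# Constructed sample: an ordinary statement notice from the same bank.
CLEAN = """From: "Example Bank" <statements@examplebank.example>
Subject: Your March statement is available
Content-Type: text/html; charset="utf-8"

<html><body><p>Your monthly statement is ready.</p>
<a href="https://www.examplebank.example/statements">View your statement</a>
</body></html>
"""

if __name__ == "__main__":
    for name, raw in (("PHISH", PHISH), ("CLEAN", CLEAN)):
        print(name, scan_message(raw) or "no indicators")
```

Each rule on its own is weak (legitimate bulk mailers sometimes set a different Reply-To), so the scan returns the list of indicators rather than a verdict; a message that fires two or more is the kind a staff member should report through the organization's phishing procedure rather than act on.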
According to the Canadian Centre for Cyber Security, the most effective ways to protect your systems and information include:
Something may be “phishy” if:
Watch out for unsolicited communication with:
Ensure that your leaders, employees, and volunteer workers are aware of cyber threats and are provided with initial and refresher training. One effective way to do so is through sample case studies that help illustrate how easily anyone can fall prey to a cyber-crime, including allowing access to the organization’s computer system by opening an email or clicking on a link.
At a minimum, training should include the following topics:
Including case studies or examples of publicly known cyber security incidents in training material can help demonstrate vulnerabilities, threat actor techniques and mitigation measures.
Do periodic phishing simulations to test and evaluate your organization’s cyber exposures and vulnerabilities to cyber-attacks.
Although financial loss or damage resulting from many risks, including cyber-crimes, can be effectively addressed through insurance solutions, social engineering fraud is often the exception. There are several interrelated reasons for this:
First, because it is increasingly difficult to obtain this type of coverage for nonprofits, or for any business or organization, without robust internal controls. If insurance is available for this risk, it is often only a very modest amount of protection.
Second, because even cyber insurance policies that include a more substantial amount of coverage for this type of claim also commonly contain what is known as a “call-back” provision requiring strict verification protocols by the organization, and resulting in claim denials when a policyholder fails to follow their internal payment verification procedure for paying third parties.
Third, and directly related to the second, the solution to avoid fraudulently induced transfer claims is often quite simple and effective, and may not require insurance. It involves strict internal procedures and training of staff or volunteer workers about your organization’s digital and financial protocols, including:
* Implement a second-authorization protocol for any payment request from an outside party: do not pay an invoice until it has been approved by whoever in your organization ordered the goods or services, never pay on the basis of a rushed email request, and never pay from a statement; always ask the supplier or third party for the original itemized invoice, including the authorization for the goods or services. Rushed or last-minute payment requests are a common fraudster strategy, so train staff to always follow your established fraud prevention protocols!
* For any email or text requests from internal parties to transfer funds or to disclose or send sensitive information, including requests by an executive director, manager, board member or officer, require that the individual receiving the instructions pick up the phone and contact the sender to verify it is legitimate and to document the confirmation, prior to releasing sensitive data or sending money, whether by e-transfer, wire transfer, or cheque.
* Never make changes to a third-party supplier’s or vendor’s banking information based on an email request or telephone call. Always verify the change by contacting them directly at the existing email address or telephone number on your file, not at the contact details given in the email requesting the change. Call the sender to verify legitimacy (e.g. if you receive a call from your bank, hang up and call them back).
* To prevent e-transfer fraud against a church or charity’s members and valued donors, carefully check the accuracy of every email address the charity provides to donors, in hard copy, digitally or on its website, to promote e-transfer donations, and have the organization’s leaders or IT department regularly confirm that those addresses have not been fraudulently tampered with. Alternatively, do not promote or offer e-transfer donations directly to the organization and its banking institution, or do so only through a reputable third-party giving platform with an e-transfer option.
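The checklist above is a set of gates that a payment must pass before funds move, and it is worth writing those gates down as rules rather than relying on memory under a "pay today" deadline. The gate below is an added illustration by the editor, not Robertson Hall Insurance's code or any vendor's product; the vendor record, account labels and the two requests are constructed, and the field names are the editor's assumptions about what a treasurer's approval form would record.

```python
"""Payment-request gate enforcing the verification checklist: an original
itemized invoice, approval by whoever ordered the goods, a documented call-back
for e-mail or text instructions, and no banking change unless verified through
the contact details already on file. Vendor record and requests are constructed."""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class VendorOnFile:
    """Details the organization already holds; only these are used for verification."""
    name: str
    email: str
    phone: str
    bank_account: str  # constructed placeholder label, not a real account


@dataclass
class PaymentRequest:
    vendor: str
    amount: float
    channel: str                     # "email", "text", "phone" or "mail"
    sender: str                      # address or number the instruction came from
    original_itemized_invoice: bool  # a statement or an e-mailed figure does not count
    approved_by_orderer: bool        # signed off by whoever ordered the goods or services
    callback_done: bool              # receiver phoned the sender at the number on file
    callback_record: str = ""        # who was called, when, by whom
    bank_account_requested: Optional[str] = None  # set when asked to pay a different account
    bank_change_verified_on_file: bool = False    # change confirmed via details on file
    rush: bool = False               # "must be paid today" style request


def evaluate_request(req, vendors):
    """Return (approved, blockers, warnings). Any blocker means: do not pay yet."""
    blockers, warnings = [], []
    vendor = vendors.get(req.vendor)
    if vendor is None:
        blockers.append("payee is not a vendor on file")
    if not req.original_itemized_invoice:
        blockers.append("no original itemized invoice (statements and e-mailed figures are not enough)")
    if not req.approved_by_orderer:
        blockers.append("not approved by the person who ordered the goods or services")
    if req.channel in ("email", "text") and not (req.callback_done and req.callback_record.strip()):
        blockers.append("e-mail/text instruction needs a documented phone call-back to the number on file")
    if vendor is not None:
        if req.channel == "email" and req.sender.lower() != vendor.email.lower():
            warnings.append(f"sender {req.sender} is not the address on file ({vendor.email})")
        if req.bank_account_requested and req.bank_account_requested != vendor.bank_account:
            if req.bank_change_verified_on_file:
                warnings.append("banking change verified on file; update the vendor record before paying")
            else:
                blockers.append("banking change requested but not verified using the contact details on file")
    if req.rush:
        warnings.append("rush deadline: follow the full protocol anyway; urgency is a common fraud tactic")
    return (not blockers, blockers, warnings)


# Constructed vendor record and two constructed requests.
VENDORS = {
    "Example Utilities": VendorOnFile(
        name="Example Utilities",
        email="billing@example-utilities.example",
        phone="555-0100",
        bank_account="ACCT-ON-FILE-001",
    )
}

GOOD_REQUEST = PaymentRequest(
    vendor="Example Utilities", amount=1200.00, channel="email",
    sender="billing@example-utilities.example",
    original_itemized_invoice=True, approved_by_orderer=True,
    callback_done=True,
    callback_record="2024-01-05: J. Smith called 555-0100 and confirmed the invoice (constructed)",
)

# Look-alike sender, no invoice, no call-back, new account, rush deadline.
SUSPICIOUS_REQUEST = PaymentRequest(
    vendor="Example Utilities", amount=1200.00, channel="email",
    sender="billing@example-utilitles.example",
    original_itemized_invoice=False, approved_by_orderer=True,
    callback_done=False, bank_account_requested="ACCT-NEW-999", rush=True,
)

if __name__ == "__main__":
    for label, req in (("good", GOOD_REQUEST), ("suspicious", SUSPICIOUS_REQUEST)):
        approved, blockers, warnings = evaluate_request(req, VENDORS)
        print(label, "approved" if approved else "BLOCKED", blockers, warnings)
```

The split between blockers and warnings matters: a rush deadline or a sender address that differs from the file is not itself proof of fraud, but a missing invoice, a missing call-back or an unverified banking change each stops the payment outright, which is also the behaviour a "call-back" provision in a cyber policy expects the organization to be able to document.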
Reducing the risk of cyber-crimes is crucial; not only to prevent loss of personal information, charitable funds, and your organization’s good reputation, but also because having protocols, security and training in place is a prerequisite for your organization to be eligible for cyber insurance protection.
The most important first step to prevent a cyber-crime, especially a privacy breach, is to identify and assess the personal information stored digitally on computers, and in hard copy.
Remember, PIPEDA applies to both private and nonprofit organizations that collect, use, or disclose personal information in the course of their activities. Furthermore, the provisions of the act stipulate that such information can only be collected for legitimate purposes and can only be retained for as long as necessary for those purposes. The organization must also appoint designated individuals to ensure compliance with the provisions of PIPEDA.
Many charities unnecessarily collect information that is not required, or retain information collected initially for legitimate purposes, but for longer than necessary, unnecessarily exposing the organization to a privacy breach and resulting notification costs, fines, penalties, or a costly and often uninsured lawsuit launched by individuals who suffer financial or reputational damage from the breach of their personal information.
Not only does identifying and permanently expunging unnecessary personal information from an organization’s computer system open up more storage and lessen the threat and scale of a privacy breach, but it also helps quantify and limit the amount of insurance coverage needed to pay for first-party expenses, notifications, and credit monitoring, as may be required by privacy law for affected individuals.
The only notable exceptions to culling personal information are where an organization is required by law, a regulator, common law precedent, or its insurer to retain such information for a legitimate purpose. For example, applications and criminal record checks for employees or volunteers working with minors or vulnerable adults should be kept: a future abuse claim may be exempt from the usual statute of limitations, and a lawsuit brought years or decades after the fact often requires the organization to defend itself and demonstrate due diligence by producing documentation of its screening measures.
Keep in mind that your legal obligation under privacy law and your potential legal liability under common law to individuals or organizations from which you collect personal information includes the collection or storage of such information on your behalf by other third parties, or with whom you do business. Therefore, there is also a duty of care in ensuring that those other parties with whom you share sensitive personal information also have cyber security protocols in place that meet your own organization’s standards, and that they have cyber insurance coverage too.
Ensure that sensitive information stored on your computer and systems is well protected with encryption and security protection software that is kept updated. Do periodic audits and have your IT consultant conduct penetration tests (“pentests”) and vulnerability assessments.
Reduce the amount of personal information you post online (e.g. phone numbers and extensions for employees).
Institute multi-factor authentication (MFA) protocols for access to your computer system, not only for access through network desktops but also via connected devices such as laptops, tablets, and smartphones. Remember, your security protocols are only as strong as the weakest link, including connected devices. These connected devices are often the Achilles heel of any organization’s IT security!
Avoid sending sensitive information over email or texts.
Your charity has assets that criminals value. These include money and sensitive data. Most charities use digital systems such as computers and the internet to:
Any of the above, and many other digital activities, make your charity an attractive target for cyber criminals. Cyber-attacks can have a huge impact on your organization. Your charity could lose donated money or sensitive data, which may not only impair your ability to operate and provide services to those you serve, but also cause irreparable damage to your organization’s reputation!
Social engineering fraud, also known as fraudulently induced transfer, is an increasingly disturbing trend affecting nonprofits and charities. It involves cybercriminals tricking organizations into voluntarily parting with money or valuable information by hacking legitimate email accounts or creating fictitious emails and impersonating a key trusted individual (board member, executive, customer or supplier) to induce staff or volunteers to unwittingly disclose sensitive data, or part with money – usually via e-transfer or wire transfer – under false pretenses.
For example, a bad actor using a targeted approach researches a charity’s website, identifies key personnel, then poses as an executive director or other trusted leader and requests that someone else in the organization forward sensitive information, or transfer money to a third-party organization or numbered company whom they identify as a qualified donee or an agent carrying out the charity’s work in Canada or in another country. Often the fraudulent request includes a rush deadline, to leave no time for detection.
Usually, the cyber-criminal begins by requesting a small amount of information or money and, if successful, asks for increasingly larger amounts. This scenario has already played out in numerous Canadian charities, including even relatively large, sophisticated organizations, resulting in the loss of tens or hundreds of thousands of donor dollars that cannot be recovered.
Another social engineering fraud scenario is a cybercriminal posing as an organization’s trusted vendor, supplier or agent and requesting payment of a bogus invoice, or of a legitimate invoice that has been hacked. The criminal creates a fictitious email address that looks similar to the vendor’s or the vendor employee’s address and requests payment, usually via an e-transfer. This has already happened to charities remitting payments to third parties that their employees or volunteer workers thought were their utilities, food suppliers, contractors, lawyers, and even their insurance providers!
Cyber criminals can be surprisingly creative in enticing and inducing the voluntary transfer of funds, even posing as a foundation or other financing source who claims to have researched the charity, likes what they do, and offers to provide funding subject to certain requirements, which involve the voluntary disclosure by a board member, executive, employee, or volunteer of sensitive financial or personal information as part of an overall scheme to defraud the organization of funds. Another emerging threat is AI generated deep fake voices and video images of bad actors imitating known personnel to induce transfer of personal information and funds.
A risk related to social engineering fraud is inducing individuals, such as an organization’s members or donors, to voluntarily send their intended donations for the organization to cybercriminals instead. This is done either through phishing emails containing fictitious but compelling messages promoting e-transfer donations, or by hacking into a charity’s website and changing the legitimate e-transfer email addresses to bogus ones. The bogus address may be similar to the organization’s email, with one letter off or a dot in the wrong place.
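"One letter off or a dot in the wrong place" is exactly what a periodic check of the organization's published e-transfer addresses (the check the fraud-prevention checklist earlier on this page asks leaders or IT to perform regularly) should catch. The audit below is an added illustration by the editor, not Robertson Hall Insurance's code; the true address and the scanned addresses are constructed, and the particular tampering patterns it folds together (moved dots, a few character edits, digit-for-letter and "rn"-for-"m" swaps) are the editor's choice of the most common look-alikes rather than a list from the page.

```python
"""Audit published e-transfer addresses against the organization's true one.
Flags moved dots, single changed letters and digit-for-letter swaps.
Every address in this file is constructed."""

# Digits that are commonly swapped for look-alike letters.
CONFUSABLES = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t"})


def edit_distance(a, b):
    """Levenshtein distance between two strings (classic dynamic programme)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def _skeleton(addr):
    """Lower-cased (local, domain) with look-alike digits folded to letters."""
    local, _, domain = addr.strip().lower().partition("@")
    return local.translate(CONFUSABLES), domain.translate(CONFUSABLES)


def classify(published, canonical):
    """Return 'ok', 'lookalike' or 'unrelated' for one published address."""
    if published.strip().lower() == canonical.strip().lower():
        return "ok"
    p_local, p_dom = _skeleton(published)
    c_local, c_dom = _skeleton(canonical)
    # Dots added, removed or moved in the local part.
    if p_local.replace(".", "") == c_local.replace(".", "") and p_dom == c_dom:
        return "lookalike"
    # 'rn' passed off as 'm', then at most two single-character edits overall.
    p = (p_local + "@" + p_dom).replace("rn", "m")
    c = (c_local + "@" + c_dom).replace("rn", "m")
    if edit_distance(p, c) <= 2:
        return "lookalike"
    return "unrelated"


def audit(published_addresses, canonical):
    """Every published address that is not an exact match, with its verdict."""
    findings = []
    for addr in published_addresses:
        verdict = classify(addr, canonical)
        if verdict != "ok":
            findings.append((addr, verdict))
    return findings


# Constructed: the true address and what a scan of the website and printed material found.
CANONICAL = "giving@examplechurch.org"
PUBLISHED = [
    "giving@examplechurch.org",    # unchanged
    "giv.ing@examplechurch.org",   # dot inserted
    "giving@examp1echurch.org",    # digit one for letter l
    "giving@exarnplechurch.org",   # rn for m
    "donations@otherorg.example",  # not ours at all
]

if __name__ == "__main__":
    for addr, verdict in audit(PUBLISHED, CANONICAL):
        print(f"{verdict:10} {addr}")
```

Anything other than "ok" goes to a person: a "lookalike" on the website is the tampering scenario above and should be treated as a live incident, while an "unrelated" address may simply be a second legitimate mailbox that was never added to the canonical list, which is itself worth correcting so the next run is accurate.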
Banking institutions through which these fraudulently induced e-transfers are sent or received are not legally liable for, and do not take responsibility for, reimbursing customers who send money to the wrong party, or the bank customers for whom the funds were intended. These claims are also often uninsurable, even under cyber insurance policies!
Aside from privacy breaches, malware attacks, and social engineering fraud claims, non-profit organizations can also be exposed to the following cybercrimes:
Sensitive data stored digitally includes Personal Information (PI), which is defined under privacy laws in Canada as data about an “identifiable individual.” It is information that, on its own or combined with other pieces of data, can identify you as an individual.
The definition of personal information differs somewhat under PIPEDA or the Privacy Act, but generally it can include information about an individual’s:
Of the above information, the most sensitive and potentially damaging personal information in a data breach claim is financial, health, medical or employment practices data. Breaches of personal information can result in financial and reputational harm including identity theft for those individuals, and consequently, lawsuits against the organization for damages suffered. Keep in mind that information that is otherwise available publicly or online about an individual is generally not considered to be PI.
Under privacy law, a breach is required to be reported to the Office of the Privacy Commissioner of Canada (OPC) and can result in significant cost for a charity to provide the required notifications to those individuals whose data has been breached, including credit monitoring to ensure that financial information that may have been compromised is not being used by criminals to incur debt and impair personal credit ratings.
These notifications, normally through third-party consultants, can cost between $75 to $100 per person whose data has been breached. For a church keeping sensitive data for 500 members, a privacy breach can trigger a $50,000 bill, even without a lawsuit!
Malware is malicious computer software. Criminals infect digital devices with malware to:
Ransomware is a common type of malware. An attack often begins with phishing that tricks an email recipient into visiting a malicious website via a link in an email or text message. The criminal can then use the website to steal sensitive data such as bank details, usernames and passwords, or to install malicious software (“malware”) onto your charity’s digital devices. Ransomware can also spread across an entire computer network, blocking every computer and preventing users from accessing the system.
Criminals also use ransomware to stop you from accessing the data on your digital devices, for example by encrypting (locking) the files on your computer. In this form of extortion, the attacker then threatens to destroy or sell your data if you do not pay a ransom.
Ransomware can also be installed on a website to lock, corrupt or destroy data, and to prevent the business or organization from doing commerce through their website.
Ransomware attacks are especially damaging to businesses that have significant online sales and could face a potential loss of revenue running into hundreds of thousands or millions of dollars in short order! Fortunately, the average church or charity faces little or no reduction in revenue from ransomware attacks, as tithes, offerings and donations are rarely transacted through its website.
However, that does not mean faith-based charities and nonprofits face no risk of damage from ransomware. An example might be a trustee or treasurer receiving an email asking them to update the password for their organization’s email account. They click on the link, which takes them to a blank webpage. They close the page and delete the email. The next day, the charity is unable to access its online data, including bank details for its donors. Criminals used the blank webpage to install ransomware on the individual’s computer, then locked the charity’s data. The criminals then threatened to sell the charity’s data online unless it paid a ransom.
Ransomware attacks can be prevented through a combination of heightened security measures including ongoing cyber security training and awareness to recognize phishing emails and the steps the organization expects its board members, employees and volunteers to take if they receive a phishing email. Not only are these and other measures a good idea to prevent attacks, they are also a requirement of cyber insurers in underwriting and approving coverage for the organization!
External secure platforms for digital charitable giving, including for church members, such as Tithe.ly, Planning Center, and PushPay, can also be a solution. However, charitable boards and management should still be cautious and demonstrate due diligence when using giving vendors: ensure they are secure solutions that comply with Canada’s Personal Information Protection and Electronic Documents Act (PIPEDA), and make reasonable inquiries about their security protocols, including whether they use features such as SSL encryption, reCAPTCHA protection, and a reputable host server.
