Shielding Your Organization: The Vital Role of Cyber Insurance in Combating Modern Threats

It seems like at least once a month we hear a story of a major corporation being hacked, resulting in valuable data being stolen, but it often feels disconnected from our day-to-day lives. Recently, though, I watched as a friend dealt with a cyber attack on their organization and used it to get the inside scoop on how the organization handled the situation, ultimately bouncing back. Out of respect for the organization and the privacy of those affected, I won’t share identifiable information, but I will share some general learnings and things all organizations should consider as I reflect on what the organization experienced. 

Hackers are becoming more sophisticated daily, using multiple tactics to gain entrance into organizations and businesses. In IBM’s 2024 Threat Intelligence report, they reported that 30% of data breaches occur when hackers use phishing to access an organization’s technology. My friend’s story is no different, with hackers sending an email marked as urgent and getting their victim to click on a link, ultimately providing their login credentials on a fake login screen. Now that the hackers had the user’s login information, they gained access to the organization’s servers, email histories, donor records, accounting software, files, and so much more. Then, they encrypted everything: it was all locked down by hackers with a demand for money before they would give them access to their data!

In the immediate aftermath, the organization took steps to shut down everyone’s access to their systems, but they had something else up their sleeve: a cyber insurance policy! This organization has been a target of attacks because of the sensitive information it has to maintain. Two years ago, the organization worked with its insurance broker to get a cyber insurance policy that would cover them against cyber criminals. When they discovered the breach, the insurance company got to work, helping to get a new server stood up so that the employees could get back to work, making sure that no sensitive data was obtained by the hackers, and negotiating with the hacking organization itself on the terms of payment to get the data back.

What does this experience mean for your organization, and is it time to consider a cyber insurance policy? Cyber attacks are not going away anytime soon, and nonprofits are particularly vulnerable because of a lack of tech resources and the use of outdated technology. When looking for a cyber insurance policy, we encourage you to research beforehand and familiarize yourself with what a policy could and should include and what language will be used. The Federal Trade Commission has extensive resources available for small businesses to be cyber-aware, and it has created an easy-to-follow, plain-language guide on what to look for when shopping for cyber insurance.

The next step is to work with an insurance broker you trust to price out plans and find something that makes sense for your organization. Ask lots of questions, including if the insurance company will have experts available 24/7 and if they will help your organization get ahead of weaknesses before an attack. Keep in mind that many insurance companies will require organizations to have at least some security practices in place, like mandatory two-factor authentication or mandatory cybersecurity training for all employees. This is very common and will help keep your organization and data more secure.

What if your organization can’t get a cyber insurance policy at this time or you want to take immediate steps to be secure? Here are a few things your organization can start with:

  • Create a Cybersecurity Incident Response Plan. CISA, the Cybersecurity and Infrastructure Security Agency, has advice on how to create your own and things to keep in mind.
  • For all critical platforms and software your team logs into, ensure that multi-factor authentication is mandatory. Almost all email providers now offer to “text a code” to validate that you are the correct person logging in. This simple step could be what stops someone who gets ahold of your login credentials from being able to actually get to your data.
  • Use a password manager as an organization and never let employees send passwords for shared logins via email or messaging apps. Most password managers are relatively inexpensive and will ensure your logins are shared in a secure manner.
  • If you have a central Wi-Fi network for your organization, make sure that it is encrypted, secure, and hidden. A lot of your organization’s data will be accessed on that network, and being certain that no bad actors gain access to it can go a long way.
  • Review any contracts with the vendors and tech platforms you work with to make sure that they protect your data. There should be language in your contracts that speaks to what the other organization does to ensure data protection.

Ultimately, for my friend’s organization, having an insurance policy in place before their attack meant the organization had a roadmap to follow when a cyber attack happened. The organization could move quickly to prevent further damage and had experts who took over getting business back to normal. It saved the organization a considerable amount of money because they did not have to hire outside IT specialists and lawyers, and the insurance company negotiated a much lower payout to the hackers than they had originally requested.

We want to encourage all organizations to have open and honest conversations about threats they have witnessed or been a part of and share when there are concerns. Together, we are a stronger community when we share and collaborate.