Nonprofits Aren’t Exempt From Cyberattacks

Blackbaud is a software company that provides customer relationship management cloud solutions to about 45,000 nonprofits. Its services include client data management, communications and fundraising solutions. 

Sometime between February and May 2020, when the world’s attention was elsewhere, ransomware code made its way through Blackbaud’s systems. That ransomware slowly corralled Blackbaud’s data and locked it down for ransom.

Once it learned of the hack, Blackbaud paid the ransom to have the data returned and then informed its clients. In turn, those nonprofit clients had to break the news to their donors, clients, service providers and vendors. It’s not a position you ever want to be in.

Your data is still your responsibility, even if it’s stored elsewhere

Nonprofits rely on donors, and that means data — lots of personally identifiable information (PII). Whether you store your data on-site, in the cloud or with a third-party host, your data is a target.

Some nonprofits mistakenly assume their data isn’t a target because it’s not bank or credit data. But hackers break into networks for many reasons, most of which have nothing to do with credit cards. Dark web data and PII sales are a huge business. A few critical pieces of data can go a long way in creating a whole new identity or spoofing your organization in a subsequent phishing attack. A phishing attack could lead to bank fraud, fake wire transfers or a total network failure. 

Third-party cyber liability in real life

MOVEit is a company that offers software solutions for managed and secure file transfers. Clients are from various industry sectors, including government, healthcare, education and financial services. Their platform reduces data transfer risks and complies with data protection regulations. 

In May 2023, a cybergang hacked MOVEit, impacting the data of thousands of companies and millions of individuals. The estimated cost of the hack is over $10 billion.

People relied on MOVEit for data transfer security, yet cybercriminals could still identify and exploit weaknesses. Victims whose data was exposed brought lawsuits against MOVEit and the companies that did business with them. The MOVEit hack exemplifies how third-party liability from vendors and partners can cause cybersecurity problems for anyone with data passing through their system.

Donor and client information is a liability risk

Nonprofits have gone digital. More than ever, donors and clients need to know they can trust you. And while no system is failsafe, you can show good faith by having a cybersecurity risk management plan. That plan should include cyber insurance.

Even if you don’t do a lot of fundraising online, you probably store your client data on a network. Smartphones and other smart devices are easy targets for hackers. Once in, an attacker could send fake emails on your behalf (spoofing) to donors, volunteers, clients or employees. The email might ask for monetary donations using a fake link, resulting in thousands of dollars stolen. And almost as painful as the theft is the need to inform your community after the fact.

Post-hack responses are expensive, stressful and time-consuming

Depending on the extent of the hack and applicable laws, you may need to:

  • Defend yourself in a lawsuit
  • Pay for credit monitoring for all affected donors, clients and employees
  • Issue a public statement explaining the cyberattack
  • Rebuild your network data
  • Shut down all affected networks (social media, websites or others) until the compromise is corrected
  • Pay a ransom to have your network unlocked and data returned
  • Reinforce your network security
  • Report the data breach to law enforcement
  • Inform all affected donors, clients and employees
  • Respond to a public relations backlash
  • Reassure the community that your networks are secure
  • Create and issue a plan about how your organization will mitigate future cyberattacks
  • Notify your vendors in case their systems have been compromised

Cyber insurance can help with your response plan

Cyber liability insurance doesn’t prevent your data from being stolen, but it can help a lot in the aftermath. Your coverage may be able to assist with:

  • Notifying donors and clients of the breach
  • Restoring the personal identities of donors and clients
  • Recovering the compromised data
  • Reconstructing network systems
  • Paying the ransom request
  • Repairing damaged computer operating systems
  • Providing free credit monitoring to donors and clients
  • Handling public relations efforts and responses
  • Proactively mitigating risks
  • Minimizing the cost of business interruptions (if the breach requires you to shut down temporarily)

Call your agent for a quote

Give us a call today and let’s discuss your cyber liability insurance. We’ll ask about the technology and cybersecurity solutions you use so we can craft the right policy for your organization.