Karen L. Sorrell, CPCU
While cyber-attacks are becoming more of a certainty than a possibility, there are still numerous companies and organizations that are not purchasing cyber insurance. In addition, many are not taking proactive measures to protect data such as updating software programs and installing security updates in a timely manner.
Any person or organization with a computer is subject to a cyber-attack. Unfortunately, most attackers do not seem to have a conscience when it comes to an attack target. An attack can result in devastating financial loss to even the largest of companies; however, to a charitable organization it can mean the difference between being able to continue providing services and shutting their doors.
Nonprofit and charity organizations are particularly vulnerable to attack. They often operate with bare-bones hardware and software and have minimal staff to operate on a day-to-day basis. The chances of an attack are just as high for a nonprofit organization as they are for any other company, but nonprofits are generally unprepared to handle cyber threats.
Nonprofit organizations handle such sensitive data as emails and records on clients and donors, staff information, phone numbers and addresses, credit card data, and possibly other financial data. In February 2016, the Urban Institute's National Center for Charitable Statistics was the victim of a malicious attack that compromised 600-700 organizations. Later that year, a survey of 470 nonprofit executives conducted by U.S. accounting firm CohnReznick revealed that while 57% of respondents counted cyber security among their top 10 concerns, only 29% said that their organizations were planning to increase spending for cyber security, and a mere 11% reported that their organization had either a risk committee or an IT committee.
Even though these organizations see cyber security as a concern, they don't put a price on not being able to operate. Their IT budget often goes to areas such as communications, which are considered a key to fundraising, rather than to cyber security. Few organizations purchase cyber insurance. However, the costs of a breach are both human and financial: without the ability to provide services, the nonprofit cannot fulfill its mission to its clients, and the costs to pay a ransom or recover systems, data, and donors following a breach could lead to a cessation of these services. In addition, there are hidden costs of a breach, including such items as forensic investigations, payment of lawyers to handle notifications, reputational and trust issues, etc. The total costs of a cyber-attack go well beyond the amount a hacker requests as a ransom.
The report of the survey released by CohnReznick made some key organizational recommendations that remain viable today and bear repeating:
- Nonprofits should create an IT committee, making sure to include IT professionals;
- The IT committee should have clearly established objectives and monitoring responsibilities; and
- Updates on risk management and cyber security issues should be regular board meeting agenda items.
In addition, carriers and agents need to be proactive and collaborate as much as possible to educate insureds about cyber security and the true costs of a cyber-attack. With the prevalence of cyber-attacks and the vulnerability of nonprofit organizations, cyber insurance should be at the top of recommended coverages an agent offers his clients.
In addition to the purchase of cyber coverage, here are some tips to share for how a small business or nonprofit can respond to cyber security threats:
Prioritize Data Security
Make data security a priority for the entire organization. The more costly a breach could be to continuing services, the greater the need to prioritize data security.
Upgrade Computers
Computers using Windows XP or earlier versions are running outdated software and are more vulnerable to hackers and cyber-attacks.
Train Employees On Cyber Threats
Train employees on how to spot malicious or suspicious emails, not to open links in emails, and how to use a pop-up blocker on websites. The organization should develop strict policies on the use of the internet, installing new programs, and downloading documents, and prevent use of personal computers and cell phones for organization work.
Inform Volunteers Of Potential Threats
Anyone with access to the organization's computer systems should receive the same training and adhere to the same policies as employees.
Password Management
Provide training on creating strong passwords, such as using long phrases and mixing in numbers, letters, and symbols; or use a password manager app.
Update Software or Technology
Understand that the organization's data is only secure to the extent it is protected by the organization itself and its connected third parties. Handle donor information and financial data using reputable, dependable technology systems to secure data. Consider using third party services specially designed for nonprofits, such as Network for Good or Razoo.
Secure Cloud Data
When storing data in cloud-based services and storage applications, ensure that the data is secure and encrypted, for example by restricting the data to authorized users only and encrypting data before entering it into the cloud. In the encryption process, data is turned into ciphertext, which is nearly impossible to figure out without decryption.
Keep Informed
With privacy being of vital importance in nonprofit organizations, it is imperative that the organization be informed when there are changes in privacy policies and evaluate how these changes will affect the organization's data security.
Karen L. Sorrell, CPCU is an editor with FC&S®, the premier resource for insurance coverage analysis. She has an extensive background in commercial insurance underwriting. Karen may be reached at [email protected]. Additional information about FC&S Online is available at www.NationalUnderwriter.com.