As church boards and pastors work to train staff members—and themselves—to spot cybersecurity scams before they take hold, cyberliability insurance may become part of the conversation.
And churches that assume general liability policies cover cyber-related claims could be in for a rude awakening.
It’s why insurance coverage for cyber-related incidents is a growing, albeit imperfect, coverage area. Church Mutual, for instance, offers cyber liability coverage limits that typically range from $50,000 to $1 million for a claim, according to a company spokesperson.
Cyberliability insurance is expensive
However, leaders should note that the long-term sustainability of cybersecurity insurance remains in question.
The costs for insurers to provide coverage continue to climb, and so monthly premiums are climbing, too.
Marsh, one insurance broker, reported premiums jumped 28 percent at the end of 2022. They jumped another 11 percent at the beginning of 2023, according to business news site Raconteur. As rates climb and become less affordable, insurers are scaling back the scope of policies, according to the article.
Meanwhile, the federal government is considering federal insurance for organizations that maintain minimum security standards, according to the article.
About one-quarter of all cyber-insurance claims do not receive full coverage, due to policy exclusions, according to Today’s General Counsel.
Stay on top of coverage changes
As a result, churches should regularly review what is and isn’t covered with their cyberliability coverage, said Jonathan Smith, technology director for Indiana multi-site church Faith Ministry, and an advisor-at-large for Church Law & Tax
Smith, who also advises other churches and nonprofits in technology cybersecurity issues, said carriers also have been known to push back on claim coverage dates.
One church, in particular, ran into problems regarding whether the carrier would cover a claim based on the date the breach occurred or the date it was discovered, which was months later.
The losses suffered by the church between those dates were sizable, he added, so the carrier’s initial reluctance was a major concern.
Carrier also require policyholders to demonstrate cyber readiness and security to get coverage. Any shortcomings can jeopardize coverage of a future claim, noted Rusty Goodwin.
Goodwin is an organizational efficiency expert who co-presented a July 2023 webinar for the Evangelical Council for Financial Accountability (ECFA).
Churches also should review their directors and officers insurance, Goodwin said.
The reason: claims brought against a church after an incident sometimes name the individual church leaders as defendants.
Create a culture of compliance
Prioritizing cybersecurity goes beyond insurance, though. Training and technology play a part, too.
Churches should view cybersecurity as a matter of urgency, and such urgency starts with church leadership, Goodwin said during the ECFA webinar.
Churches become more secure when their boards prioritize it, and failure to do so may even constitute a breach of fiduciary duty by board members, he said.
Sometimes church leaders protest the perceived costs associated with building a stronger “human firewall,” and beefing up technology, said Jay Cordova, Goodwin’s co-presenter.
When that happens, Cordova reminds leaders of the actual costs should a cybercriminal ransom a church’s most sensitive data.
While no organization can guarantee 100-percent safety, “compliance as a culture” can harden the defenses of churches, Goodwin said.