Jump directly to the Content

The Growing Need for Cyberliability Insurance

How increased online and electronic activity exposes congregations to new risks.

Last Reviewed: April 7, 2020
The Growing Need for Cyberliability Insurance
Image: Westend61 | Getty

For consumers, recent news stories are frightening—and increasingly familiar:

  • A massive data breach involving the credit reporting agency Equifax exposed millions of Social Security numbers, driver’s license numbers, names, and dates of birth.
  • The web service provider Yahoo acknowledged that a data breach touched 3 billion of its accounts—three times as many as originally revealed.

Not long before the Equifax and Yahoo headlines, national retailers such as Target and Home Depot suffered major data breaches that involved millions of stolen credit card numbers.

On top of this, consider these insights from The Kiplinger Letter:

Demand for cyber insurance is zooming as the number of cyberattacks rises. Cyber policies cover financial losses from a range of attacks, from data theft to digital extortion. The average total cost for a data breach was more than $7 million in 2017. The rising financial toll is prompting more companies to purchase policies. . . . Look for the global cyber insurance market to hit $20 billion by 2028, up from $2.5 billion today.

Experts warn that large national companies are not solely susceptible. Smaller organizations—including churches—increasingly fall victim to cybercrimes and other online mishaps.

Churches at Risk

Most congregations handle rising volumes of sensitive personal data about staff, volunteers, and members—from payment information tied to e-tithing to Social Security numbers obtained to run background checks.

And the types of threats targeting that sensitive information continue to increase.

One of the biggest risks involves phishing emails and ransom viruses, said Frank Sommerville, an attorney and a senior editorial advisor for Church Law & Tax . “Phishing emails appear to be coming from someone in authority at the church,” he explained. “They typically request that the church wire funds to a missionary, but the receiving account is fraudulent. Ransom viruses are installed when someone clicks on a link in an email or website. The ransom virus holds the data on the computer hostage until the church pays a ransom for releasing their data.”

Churches also stream intellectual property on their websites, use email and social media to interact with both members and nonmembers, and publish or distribute prayer requests electronically that sometimes reveal confidential details of people’s lives.

All of this electronic activity potentially exposes congregations to greater liabilities, be it a copyright claim for a song distributed through online streaming or a libel claim after a disgruntled staff member uses a church-owned social media platform to reveal damaging information about someone.

Given these heightened liabilities, insurance carriers have responded by developing special cyberliability coverages—beyond prototypical general liability policies—to cover technology-related claims and damages.

And the liabilities and other potential issues are compounded by the ever-expanding area of cyber law, said Lisa Runquist, an attorney and a senior editorial advisor for Church Law & Tax. All the more reason to make sure a church has an insurer who understands the constantly changing cyber landscape and who can help anticipate possible problems that could arise in the present or develop in the future.

It only takes one incident for the policy to pay for itself,” Runquist said. “In addition, some insurance companies may even help the church do a risk assessment to reduce the potential of liability.”

Understanding the possible risks and vulnerabilities to a church’s website is extremely important, said Susan Fontaine Godwin, president and founder of Christian Copyright Solutions, noting that the emergence of cyber insurance makes sense because of such vulnerabilities and risks. Godwin, who writes about such issues at TheCopyrightCoach.com, stressed that it’s far too easy to overlook some of these risks. “You’ve thought you’ve gotten everything taken care of, and then somebody posts something that leaves you at risk,” she said.

“Many churches are waking up to the importance of taking adequate steps to protect themselves,” said Peter Persuitti, managing director of the religious practice at Gallagher, a global insurance broker.

Brian Gleason, who serves as senior risk manager for loss control for GuideOne Insurance, agreed that the need for cyber protection in churches has been gaining traction in recent years.

“Given the publicity of several high-profile breaches, we are seeing more and more interest from churches in protecting their online assets,” Gleason explained. “As we become more dependent on our online tools to conduct business, there is a corresponding need to protect those tools. The last thing a church needs is someone holding their website and members’ personal information for ransom.”

He stressed that “cyberliability policies and their associated services help to respond to these types of situations.”

Steve Robinson, area president at Risk Placement Services, also said he sees increased interest among churches for cyberliability coverage. However, he noted, “I would still put the number of churches who have purchased it at probably less than 20 percent.”

Types of Cyberliability Coverages

To help people understand the types of cyberliability coverage available, Robinson said he speaks in terms of a “left side of the policy” and a “right side of the policy.”

Left side:

This deals with the basic question of “What if we get sued and have to defend ourselves?”

This would include the liability a church incurs because of its negligence in the release of personally identifiable information. “It provides a level of coverage for that privacy and data breach security liability,” Robinson said. “This would be for intellectual property infringement or personal injury in the electronic environment, social media, or website environment, where that would typically be excluded in regular policies also.”

Right side:

This includes what is known as the “first-party costs.”

“These are the out-of-pocket expenses the church would have to incur to make a problem go away,” Robinson explained. “Examples of that would be a lawyer who specializes in privacy law and breach response. … They’re the ones that align all the resources on behalf of the church, if they need to hire an IT forensics firm to determine where the breach occurred and how.”

Other possible first-party costs include notifying victims of the breach, providing credit monitoring, hiring a public relations firm, and navigating crisis management.

“And there’s various other coverage also, like business interruption,” added Robinson. “A good example of that would be a church is relying on their website to collect online donations, and if that website is hacked, and as a result of that, they're out revenue—it could replace that revenue.”

Costs and Coverage Levels

Church Mutual offers cyberliability and data breach response coverage with aggregate limits ranging from $50,000 to $1 million and 5,000 to 100,000 notified individuals for all coverages provided. Premiums vary per customer depending on limits selected and the level of risk insured.

Brotherhood Mutual Insurance Company offers cyberliability coverage ranging from $50,000 to $6 million. But for coverage over a $1 million, a church must fill out a detailed questionnaire to show whether or not it qualifies for such higher coverage, said Steve Smith, Brotherhood’s assistant vice president of underwriting.

GuideOne has data breach liability coverage ranging from $100,000 to $1 million. “Coverage limits and premiums for cyber insurance can vary greatly depending on the number of records over which an organization has control and the revenue of the organization,” GuideOne’s Gleason said. “For churches that utilize a third party to handle online giving and keep very few sensitive personal records, premiums may be as low as a few hundred dollars per year.

The costs increase as the amount of sensitive data increases.

“Organizations that hold and maintain more sensitive financial and personal information like banking and credit card information will need higher limits and may see the annual premium grow to several thousand dollars,” Gleason explained. “As databases get larger and more complex, the need for higher limits increases, which drives higher premiums.”

Robinson agreed that costs for cyberliability coverage vary widely: “The coverage can be as inexpensive as $750 for a church whose annual revenue is $500,000, and they want a $1 million limit. Premiums will be higher for a church whose revenue is maybe more like $25 million, and they want a $1 million dollar limit. . . . Premiums could be more than $5,000 a year for a policy like that.”

What to Ask an Insurer

When looking for an insurance carrier, it’s important to ask what services are provided in the event of a breach or even a suspected breach.

Ed Hancock, Church Mutual Insurance Company’s chief underwriting officer, suggested asking the following questions when looking for cyberliability insurance:

  • Does the company have any tools to help make the church’s system more secure?
  • Is training available to help educate employees about privacy and data security risks?
  • Are sample incident response plans provided by the insurer?
  • Are both electronic and paper data covered?
  • What limitations does the policy have?

“The average organization needs a partner with the expertise and services to guide them through a well-coordinated breach response,” Hancock said. “It is a technical and complicated experience that can be costly to the organization, not only in terms of money but also reputation.”

Bobby Ross Jr. is an Oklahoma City-based journalist.

Related Topics:
  • November 1, 2015
  • Last Reviewed: April 7, 2020

Related ResourcesVisit Store

Church Issues: Waivers and Release Forms and Church Liability
Church Issues: Waivers and Release Forms and Church Liability
What these documents do—and don't do—based on statutes and court decisions made nationwide.
Understanding Pastoral Liability
Understanding Pastoral Liability
Know the situations in which a pastor is personally liable for wrongdoing.
Understanding Church Insurance
Understanding Church Insurance
Understand your church's insurance needs to be assured you have adequate coverage.
Your Complete Guide to Virtual Church Meetings
Your Complete Guide to Virtual Church Meetings
A toolkit for legal and compliant business meetings