Highlights:
- Increased use of online giving and communications platforms exposes churches to a variety of potentially serious liabilities.
- Insurance carriers offer cyberliability policies that cover tech-related damages and claims.
- Policies can include coverage for negligence related to the release of personally identifiable information as well as coverage for costs associated with recovering that information, business interruptions, and the like.
- Policy coverage limits can range anywhere from the tens of thousands of dollars into the millions.
Churches at Risk
Most congregations handle rising volumes of sensitive personal data about staff, volunteers, and members—from payment information tied to e-tithing to Social Security numbers obtained to run background checks.
And the types of threats targeting that sensitive information continue to increase.
One of the biggest risks involves phishing emails and ransom viruses, said Frank Sommerville, an attorney and a senior editorial advisor for Church Law & Tax. “Phishing emails appear to be coming from someone in authority at the church,” he explained. “They typically request that the church wire funds to a missionary, but the receiving account is fraudulent. Ransom viruses are installed when someone clicks on a link in an email or website. The ransom virus holds the data on the computer hostage until the church pays a ransom for releasing their data.”
Churches also stream intellectual property on their websites, use email and social media to interact with both members and nonmembers, and publish or distribute prayer requests electronically that sometimes reveal confidential details of people’s lives.
All of this electronic activity potentially exposes congregations to greater liabilities, be it a copyright claim for a song distributed through online streaming or a libel claim after a disgruntled staff member uses a church-owned social media platform to reveal damaging information about someone.
Given these heightened liabilities, insurance carriers have responded by developing special cyberliability coverages—beyond prototypical general liability policies—to cover technology-related claims and damages.
And the liabilities and other potential issues are compounded by the ever-expanding area of cyber law, said Lisa Runquist, an attorney and a senior editorial advisor for Church Law & Tax. All the more reason to make sure a church has an insurer who understands the constantly changing cyber landscape and who can help anticipate possible problems that could arise in the present or develop in the future.
“It only takes one incident for the policy to pay for itself,” Runquist said. “In addition, some insurance companies may even help the church do a risk assessment to reduce the potential of liability.”
Understanding the possible risks and vulnerabilities to a church’s website is extremely important, said Susan Fontaine Godwin, president and founder of Christian Copyright Solutions, noting that the emergence of cyber insurance makes sense because of such vulnerabilities and risks. Godwin, who writes about such issues at TheCopyrightCoach.com, stressed that it’s far too easy to overlook some of these risks. “You’ve thought you’ve gotten everything taken care of, and then somebody posts something that leaves you at risk,” she said.
“Many churches are waking up to the importance of taking adequate steps to protect themselves,” said Peter Persuitti, managing director of the religious practice at Gallagher, a global insurance broker.
Brian Gleason, who serves as senior risk manager for loss control for GuideOne Insurance, agreed that the need for cyber protection in churches has been gaining traction in recent years.
“Given the publicity of several high-profile breaches, we are seeing more and more interest from churches in protecting their online assets,” Gleason explained. “As we become more dependent on our online tools to conduct business, there is a corresponding need to protect those tools. The last thing a church needs is someone holding their website and members’ personal information for ransom.”
He stressed that “cyberliability policies and their associated services help to respond to these types of situations.”
Steve Robinson, area president at Risk Placement Services, also said he sees increased interest among churches for cyberliability coverage. However, he noted, “I would still put the number of churches who have purchased it at probably less than 20 percent.”
Types of Cyberliability Coverages
To help people understand the types of cyberliability coverage available, Robinson said he speaks in terms of a “left side of the policy” and a “right side of the policy.”
Left side:
This deals with the basic question of “What if we get sued and have to defend ourselves?”
This would include the liability a church incurs because of its negligence in the release of personally identifiable information. “It provides a level of coverage for that privacy and data breach security liability,” Robinson said. “This would be for intellectual property infringement or personal injury in the electronic environment, social media, or website environment, where that would typically be excluded in regular policies also.”
Right side:
This includes what is known as the “first-party costs.”
“These are the out-of-pocket expenses the church would have to incur to make a problem go away,” Robinson explained. “Examples of that would be a lawyer who specializes in privacy law and breach response. … They’re the ones that align all the resources on behalf of the church, if they need to hire an IT forensics firm to determine where the breach occurred and how.”
Other possible first-party costs include notifying victims of the breach, providing credit monitoring, hiring a public relations firm, and navigating crisis management.
“And there’s various other coverage also, like business interruption,” added Robinson. “A good example of that would be a church is relying on their website to collect online donations, and if that website is hacked, and as a result of that, they’re out revenue—it could replace that revenue.”
Costs and Coverage Levels
Church Mutual offers cyberliability and data breach response coverage with aggregate limits ranging from $50,000 to $1 million and 5,000 to 100,000 notified individuals for all coverages provided. Premiums vary per customer depending on limits selected and the level of risk insured.
Brotherhood Mutual Insurance Company offers cyberliability coverage ranging from $50,000 to $6 million. But for coverage over $1 million, a church must fill out a detailed questionnaire to show whether it qualifies for that higher coverage, said Steve Smith, Brotherhood’s assistant vice president of underwriting.
GuideOne has data breach liability coverage ranging from $100,000 to $1 million. “Coverage limits and premiums for cyber insurance can vary greatly depending on the number of records over which an organization has control and the revenue of the organization,” GuideOne’s Gleason said. “For churches that utilize a third party to handle online giving and keep very few sensitive personal records, premiums may be as low as a few hundred dollars per year.”
The costs increase as the amount of sensitive data increases.
“Organizations that hold and maintain more sensitive financial and personal information like banking and credit card information will need higher limits and may see the annual premium grow to several thousand dollars,” Gleason explained. “As databases get larger and more complex, the need for higher limits increases, which drives higher premiums.”
Robinson agreed that costs for cyberliability coverage vary widely: “The coverage can be as inexpensive as $750 for a church whose annual revenue is $500,000, and they want a $1 million limit. Premiums will be higher for a church whose revenue is maybe more like $25 million, and they want a $1 million dollar limit. . . . Premiums could be more than $5,000 a year for a policy like that.”
What to Ask an Insurer
When looking for an insurance carrier, it’s important to ask what services are provided in the event of a breach or even a suspected breach.
Ed Hancock, Church Mutual Insurance Company’s chief underwriting officer, suggested asking the following questions when looking for cyberliability insurance:
- Does the company have any tools to help make the church’s system more secure?
- Is training available to help educate employees about privacy and data security risks?
- Are sample incident response plans provided by the insurer?
- Are both electronic and paper data covered?
- What limitations does the policy have?
“The average organization needs a partner with the expertise and services to guide them through a well-coordinated breach response,” Hancock said. “It is a technical and complicated experience that can be costly to the organization, not only in terms of money but also reputation.”