Nine ways your nonprofit can mitigate cyber risk.

Author: Brian Merriam


Of great importance is a discussion on what can be done to avoid a cyber event or lessen its impact. So important is this subject matter that the top U.S. national security advisors gathered with officials from 30 countries this past October to discuss how to combat the growing threat of ransomware and other cybercrime. So what are the things your nonprofit organization should "nevermore" do?

  • Nevermore should an employee go untrained to recognize phishing emails (social engineering, ransomware, etc.).
  • Nevermore should your enterprise go without cyber policies and procedures (accounts payable, human resources, etc.).
  • Nevermore will your leadership leave undone a cyber risk assessment to identify vulnerabilities or exposures.
  • Nevermore will your institution fail to identify who has access to your network.
  • Nevermore will your specialists not review and implement cybersecurity measures, such as multifactor authentication.
  • Nevermore will you not purchase cyber insurance and review the services provided by your insurer.
  • Nevermore will you not identify and appoint a "breach coach."
  • Nevermore will you not review your carrier's vendor panel (legal, forensic, public relations, crisis management).
  • Nevermore will your board fail to advocate an incident response plan and test it.

The essential matter here is to take cyber risk seriously before an event occurs. Insurance companies offer many great services, but once an event has occurred it will be difficult to get a reasonably priced insurance program to establish such a partnership. Therefore, it is imperative that you first have the protocols in place to stop (or at least greatly lessen) an event so that, once you apply for coverage, an insurance company is willing to come to the table and offer you their services. Nevermore will you allow your organization to be a vulnerable victim of cyber risk.

Of 1,200 executives who participated in the 2021 Travelers Risk Index survey, 25% said their company had already been a cybercrime victim, up 150% from 2015. And 59% of those surveyed said they worry about cybercrime.

The information contained herein is offered as insurance industry guidance and provided as an overview of current market risks and available coverages and is intended for discussion purposes only. This publication is not intended to offer legal advice or client-specific risk management advice. Any description of insurance coverages is not meant to interpret specific coverages that your company may already have in place or that may be generally available. General insurance descriptions contained herein do not include complete insurance policy definitions, terms, and/or conditions, and should not be relied on for coverage interpretation. Actual insurance policies must always be consulted for full coverage details and analysis.

Insurance brokerage and related services to be provided by Arthur J. Gallagher Risk Management Services, Inc. (License No. 0D69293) and/or its affiliate Arthur J. Gallagher & Co. Insurance Brokers of California, Inc. (License No. 0726293).