Insurance Times lead researcher Savan Shah discusses the implications for brokers of Ecclesiastical’s research into the emerging risks and cyber attacks facing charities.
David Britton is the charity director at specialist insurer Ecclesiastical. He is responsible for the continuous improvement of products and services and acts in an advisory role to the company’s broker network and partners.
He also actively contributes to the work of key third sector bodies and charities, providing insight on the opportunities and challenges facing the sector, particularly in relation to risk management.
While Ecclesiastical is a commercial business, it is owned by a charity and a significant proportion of the company’s profits go to its owner, Allchurches Trust, which donates these independently to good causes. Ecclesiastical also has its own extensive programme of charitable giving.
Ecclesiastical insures more than 45,000 charities and not-for-profit organisations in the UK. Why is this a time of transformation for charities that brokers should keep a close eye on?
A: Continued pressure on funding in the context of increasing demand for their services means that charities are having to become ever more innovative, and that means embracing and taking more risks. In 2017, we sponsored New Philanthropy Capital’s (NPC) ‘State of the Sector’ research*, which showed that many charities are recognising the need to make a step change in how they operate and that 74% of charities expect to explore a broader range of activities in the next three years. From digital fundraising to collaboration, corporate partnerships and diversifying their boards, charities are having to find new ways to make gains operationally, decrease costs, aid collaboration, increase awareness and engage with a wider audience in new ways.
One recent growth area has been charities getting involved in riskier fundraising events such as obstacle course races and extreme challenges. It is a charity’s responsibility to ensure they use appropriate experienced sub-contractors, bearing in mind the operational and reputational risks involved.
Similarly, if a charity is embracing digital to boost income through online donations, reduce costs, aid collaboration and drive engagement, it’s important to engage staff and volunteers with relevant experience, and provide training or ask for support from partners who can offer digital skills and advice. After all, with new regulation like the General Data Protection Regulation (GDPR) on the horizon in 2018, charities could be exposed to major fines in the event of data breaches – the fourth biggest risk that charities identified in our survey.
This increasingly positive attitude to risk in the third sector is an opportunity for brokers to talk to charities about how they are managing and mitigating risk and whether they have the appropriate level of cover in place.
The biggest concern amongst the 101 charities researched in the event of a cyber-attack was loss of data. However, just over half have a cyber security plan in place. Why do you think this is?
A: Despite some recent high-profile incidents, awareness of cyber security risks among charities is still low, and often they may not have the expertise within the organisation to know what risks they are facing – and create effective plans to manage cyber security. Some charities may feel that they are less exposed to cyber risk, particularly if they don’t trade online or accept online payments. Many simply don’t think that it will happen to them, especially smaller charities, but our own sector research shows that 17% of charities have already experienced a cyber-attack**. It’s important to get the message across that if you’re a business, organisation or individual that uses the internet, e-mail and social media, or stores data, then you are potentially at risk. A cyber security plan is important in managing cyber risk. Managing the fall-out of a cyber-attack needs to be factored into business continuity planning.
When charities think about cyber-attacks, they think mainly about fines for data breaches and the loss of data. The short and long-term impacts of an attack can also include business interruption (services may need to stop temporarily), loss of income and third-party claims. Perhaps most costly of all, a data breach can cause reputational damage.
This is a consideration where charities are using donors’ data, but many charities also hold sensitive data on beneficiaries. Simple steps such as firewalls, backing up data, updated anti-virus software and providing training are all ways to begin tackling this challenge, and drawing up a cyber plan ensures everyone is clear about the steps to take in worst case scenarios.
In your experience with charities, how aware are charities of the challenges that lie ahead regarding GDPR and how can brokers assist the charities that may not be fully aware of the insurance risks?
A: There’s an awareness issue, particularly among smaller charities. Our own charity research revealed that more than a third of smaller charities do not know that GDPR is being introduced in May 2018**. While awareness of the new data protection regulation is high among charities with a turnover over £1.5m at 96%, nearly a quarter (24%) of mid-size charities are unaware of the forthcoming changes and that figure rises to 36% for charities with a turnover of less than £500k.
That’s alarming because it is smaller charities who may be least likely to be able to deal with the fall-out of a data breach; from paying the potential fine to informing those people whose data has been breached and recovering from the long-term reputational damage.
We still don’t have the complete picture of what the ramifications of GDPR will be, but it’s something that brokers should be talking to their charity customers about. The ICO have provided advice with 12 steps organisations can take now to prepare for the new regulation that brokers can share.
While cyber insurance will not cover the cost of the fine because it is a legal penalty, it can cover the costs of dealing with the impact of data breaches. The cost of notifying all parties of data breaches is £100 to £130 per record. That can really add up! It can also cover the costs of dealing with cyber liability claims, business losses from a cyber event and it can give charities access to expert advice and support, including IT, legal, forensic and media/public relations support when an incident occurs. This can help mitigate the financial impact of a loss or cyber event and any reputational damage.
Research revealed that more than half of charities said they are taking more risks than three years ago. How can brokers assist in alleviating these risks?
A: With many charities looking for alternative fundraising methods alongside exploring new operating models, they are facing new and unprecedented levels of risk. Brokers should be encouraging their charity clients to talk to them about any new events or activities they may be planning, as well as changes to their operations or business model they may be considering. Having this conversation as early as possible gives brokers the chance to assess with their client the changes in liability risk this may bring and seek advice from their insurer if necessary.
While there’s no substitute for good governance in managing risk, brokers should be talking to the charities they work with about ways of insuring against personal liabilities so that trustees can operate effectively, sustainably and safely, particularly in times of change. After all, although most trustees are not paid, they share the same level of personal legal responsibility a director of a private or public company faces when it comes to accusations of wrongdoing – whether that’s data or health and safety breaches or failures in duty of care. Trustees could also be personally liable for losses caused to a charity and can be held responsible for the actions of their co-trustees. Trustee liability insurance protects trustees against having to pay personally when legal claims are made against them in the capacity of their role.
What actions do you feel brokers should be taking in 2018 to assist with the risks charities and non-profit organisations will be facing?
A: As well as staying informed about the opportunities and challenges facing not-for-profit organisations, it’s also important for brokers to keep up to date with the latest regulation affecting charities, and not just GDPR. While the continued pressure on funding was top of the list of risks identified by charities in our research, the impact of potential Government changes was in second place. This is perhaps unsurprising given that 2017 saw the introduction of the Fundraising Regulator, further funding cuts and tax changes such as the rate of Insurance Premium Tax (IPT) increasing to 12%. At Ecclesiastical, we’ve been working with the Charity Finance Group since January 2017 to raise awareness of the impact of continuing IPT increases on charities and we urged the Chancellor to consider making charities exempt ahead of the budget in November.
Being informed about the risks facing charities gives brokers good reason to talk to their charity customers, particularly around risk management. And that’s not just about whether they have appropriate cover in place should the worst happen, such as a data breach in light of new GDPR regulation and the increasing cyber threat, but also whether their business continuity plans are up to date and fit-for-purpose.
What has been your greatest achievement whilst working with charities of all shapes and sizes?
A: Being owned by a charity ourselves, the purpose of Ecclesiastical is to contribute to the greater good of society; so, our greatest achievement is undoubtedly the fact we’ve given more than £67 million to charity in the last four years, benefiting more than 3,000 causes.
*Findings from NPC’s State of the Sector research http://www.thinknpc.org/our-work/projects/state-of-the-sector/
**FWD research of 101 charities commissioned by Ecclesiastical in October 2017