Community IT Innovators Nonprofit Technology Topics

Nonprofit Cybersecurity Insurance Updates with Jenna Howard

Community IT Innovators Season 7 Episode 44


Carolyn Woodard explores how cybersecurity insurance has evolved for nonprofits with Jenna Kirkpatrick Howard, Senior Vice President at Lockton Companies, who advises nonprofit clients on risk, insurance, and mitigation strategies to protect their boards, missions, and people.

When Carolyn and Jenna first presented a webinar together on cyber liability insurance, it was a new product that many nonprofits had never considered. Today it is nearly always required, and the risks it covers have transformed. The conversation traces that evolution, from the forgotten laptop and rogue employee scenarios of the early days to the ransomware attacks, sophisticated social engineering fraud, and emerging privacy laws driving claims now. 

Jenna also shares what insurers are doing about AI, from underwriter questions about guardrails to new endorsements affirming coverage, and why early AI-related litigation should put every nonprofit on notice about keeping a human in the loop.

Jenna and Carolyn discuss:

  • How cyber claims have shifted toward ransomware and social engineering fraud, where attackers monitor an organization's email and intercept major transactions like grants, investments, or building purchases.
  • What affirmative AI coverage means, and why underwriters are starting to ask how your organization uses AI and what policies protect PII and confidential data.
  • Why copyright and media liability claims are rising for nonprofits, including AI-altered images and unlicensed music at events and on podcasts.
  • How dependence on third-party platforms like payroll systems, cloud providers, and learning platforms creates aggregation risk, and why insurers now ask about your major vendors.
  • Why increased partisan attention on nonprofits can turn employee statements, scholarship criteria, or governance issues into insurance claims.
  • Where to start if you are new to an organization or unsure of your coverage: lean on your existing advisors, build a risk tracker, and align your board on top risks.


Thanks for listening. 


Carolyn Woodard

Well, welcome to the Community IT Innovators Technology Topics podcast. I'm Carolyn Woodard, your host, and I'm really excited today to be here with an old friend, Jenna Howard, whom I've been friends with for a long time. So, Jenna, would you like to introduce yourself?

Jenna Howard

Of course, happy to. I am Jenna Howard. I work at Lockton Companies; it's an insurance brokerage firm. I spend the majority of my time with the nonprofit community, advising clients on risk, insurance, and mitigation tactics and strategies to protect their board, their mission, and their people.

Carolyn Woodard

And I wanted to have you on the podcast because we did a webinar together about cybersecurity insurance for nonprofits. I was thinking about it before coming on today, and thinking that when we did that webinar, it was so new. It really wasn't required. And now things have changed so much, so it's pretty much always required. A lot more financial audits also require you to have the cyber liability. So I just wanted to check in with you on what things have changed, what nonprofit leaders are thinking now about cyber insurance, and what they need to know.

Jenna Howard

What's evolved? The industry, the risk and insurance industry, particularly around cyber and technology, and I'm going to add AI, artificial intelligence, and media to that conversation, because it has evolved pretty dramatically over, I would say, the last five to six years. We went through a really challenging market where insurance rates were going up and coverages were going up. And that was in the 2021-2022 timeframe, which was about the time we actually chatted. And then there was a sharp decline in the rates and the cost of that insurance, which for nonprofits became an opportunity to make this type of insurance and protection more affordable. And they could really be thoughtful about how much limit they bought, the right carrier partner, and the right coverage.

Jenna Howard

When we first started talking to clients about cyber risk, we really were talking about that forgotten laptop in a rental car or the rogue employee that took information. And while that risk may still exist, what we talk about today is far more focused on ransomware attacks, cyber attacks, which for so long were heavily healthcare and retail, and now it's every industry everywhere. Second leading in our claims activity is social engineering fraud, which is where you are being duped into sending wire transfers and monies out to a third party, because likely someone was living in your email system, tracking payments, and duped a finance professional or someone in the organization into sending money voluntarily out.

Jenna Howard

The third evolution is around privacy law. We are seeing major changes to protection and privacy law, and I think AI is only going to increase that. So there are lots and lots of emerging risks. The good news of today is that there are lots of insurance carriers in the cyber insurance marketplace. Many have robust support and services beyond just the insurance coverage. They'll do vulnerability testing, they'll do phishing training for you, they'll go in and do an incident response. So it's more than just an insurance policy today; it is a holistic approach to risk mitigation. And that's been a nice evolution for our nonprofit clients that maybe don't have all of that built into their structure and their staff today.

Carolyn Woodard

Yeah, we were so excited when they changed that financial audit to include looking, like you said, holistically at all of the risks: that you could pay someone, you know, wire the money to something that seemed legit and it wasn't, and it would just take all your money.

Jenna Howard

Exactly. Exactly. And for a while it was, like, send gift cards, and everybody's like, no, we all know that's not it. It is very sophisticated now. When there has been a major transaction, you're purchasing a building, you're investing in a new program, you're providing grant monies, they are living in your system watching as it plays out, and the day of the transaction, they are looking to modify bank wire information. I mean, it is a far more sophisticated effort than the text message that says your CEO is in a meeting, go buy gift cards at the local drugstore.

Carolyn Woodard

Exactly, exactly. And you mentioned AI just briefly, but are you seeing new types of scams with AI? And are there new types of insurance to cover those?

Jenna Howard

This is the number one question we're getting from our clients: what about AI? How is insurance responding to AI? And up until recently, it was: the insurance carriers are monitoring. We haven't really seen the cases yet, we haven't seen the claims yet, but they are all saying that your use of AI is covered under the cyber insurance policy. And for nonprofits in particular, they started to ask questions of how do you plan to use it? Are you writing grants? Are you writing letters? Do you have an internal Copilot or ChatGPT or Gemini structure? Because they want to make sure that there are guardrails. No one's naive that no one's going to use AI in the organization.

Jenna Howard

So, how do you create policies that enhance your operations but protect the PII, the personally identifiable information, or any health data or any confidential information you have? So we started to see underwriters ask more questions around the use of AI in addition to your cybersecurity controls, but not necessarily seeing changes in the coverage. Then just recently, some of the insurance carriers have come out with an endorsement that defines AI and is stating affirmative coverage. That sounds great, and we love that. When they state affirmative coverage, what that tells me is we are on a path where they have now defined it. They've now affirmed coverage; it's no longer silent.

Jenna Howard

So we're entering an opportunity to determine that it could be excluded for some organizations. So not seeing that yet, but we are seeing it as a defined term, which, holistically, everyone was silent on before. But there is recent claims activity around the use of AI, specifically around nonprofits that are in the healthcare industry, where they are using AI to sum up doctors' notes and make them more efficient after patient visits. Well, there are some laws, particularly in California, the mandatory AI disclosure and the human-in-the-loop requirement, that basically say you can't just rely on AI. There needs to be a human review. And so we're starting now to see some cases and some very expensive attorney bills that come with that. So I do think we will see a trend of AI litigation in the cyber space, and that may change our landscape. But today, all eyes are just watching it as an emerging risk.

Carolyn Woodard

That's so interesting, because, yeah, you can see someone, like, you operated on the wrong leg because, you know, the AI notes were wrong or something like that.

Jenna Howard

Well, even something we have seen in the nonprofit space, where an organization was going to write thank-you notes to donors. And they went outside of their own firewalls, went out to the free ChatGPT and said, so-and-so donated, blah, blah, blah; we want to make the letter more personal. And now you have a donation and a donor's information shared publicly. And so back to what are the rules and the policies and the procedures and the training internally with your staff on how to use AI.

Carolyn Woodard

So we've been saying, really advocating very strongly for, having those AI policies, acceptable use policies, in place. But I just saw a statistic a day or two ago that 80% of nonprofits don't have those policies, and they don't make a distinction between, you can see the appeal, right, what they call the freemium tools, where it's free, you just go to ChatGPT and have it write your thank-you note, versus having the paid version, even the lowest tier that you can pay for, or if you're using Microsoft or Google Workspace, using the Gemini or the Copilot that's included in your license, so it's internal to your firewall around your cloud environment. So are you expecting to see, if they're affirming coverage of AI use, that they're going to be requiring the client to have that policy?

Jenna Howard

Yeah, I would say that's probably coming. What we see now in the cyber underwriting: we've lived through the world where MFA was not required at one point, and now you can't imagine anyone not doing MFA or endpoint detection. And so the questions that you saw underwriters focused on were based on their claims experience, what was happening that they identified as a vulnerability, and then they started asking clients questions around their cyber controls. We will see the initial questions around AI be: how are you using it? How have you set up guardrails? This will evolve, very likely, and I'm gonna guess in short order, so that if we're going to affirm coverage for AI, it is in this distinct scope of usage, and anything outside of that would not be covered. Or, we do not do it and intend to afford coverage. We're not there yet, but I would imagine it's coming.

Carolyn Woodard

And do you think in that case, like, one of the things I think a lot of nonprofits are struggling with is there's no, you know, accepted acceptable AI use policy. So they all kind of have to come up with it on their own. And I would imagine there's a huge variation, and also there are going to be variations between if you're a healthcare nonprofit, or an education nonprofit with student information, or you're an advocacy group, or you're, like, saving the snails or something like that, where you have less personal information.

Jenna Howard

So if you're a purchaser of cyber insurance, though, that oftentimes affords you some vendor legal advice and some vulnerability advice. And now I think we're starting to see not just incident response and how to report cyber breaches, but also some advice on these types of policies and procedures. So there are resources out there, but I won't say there is a standard. There's, in this framework, so much driven by cyber; we don't yet have that on AI.

Carolyn Woodard

I had another question, just to switch gears a little bit, because it's come up in a couple of conversations that I've had, and that's around copyright. If you're using AI and you're creating, like, your own materials, have you seen clients worried about when they have to be transparent and acknowledge that AI was used, when they're using, you know, maybe images that were copyrighted, but then the AI is altering them? And then, you know, how is that working? Are you seeing anything like that?

Jenna Howard

Copyright. So copyright typically falls under our media liability, which for most organizations, particularly nonprofits, oftentimes is paired on the same policy with cyber. Sometimes it's separate. We are seeing a lot of increases around copyright law, not always AI driven, just not citing the right source, but AI will change that. And that is why the human-in-the-loop concept is so incredibly important: the editorial process should not be abandoned when using AI. One of the most common claims we are seeing in this space, particularly with nonprofits, is the use of unlicensed music on podcasts and at events. And so that copyright sort of extends to everything they do, and back to your AI policy: if you're not making sure that your editorial process is extended to the use of AI, you will find yourself in trouble with those copyrights, because for the many organizations and law firms that are looking for copyright violations, AI has made that much easier as well, to search for such.

Carolyn Woodard

I feel like that's another area where there's so much variety in the nonprofit sector. So, in my experience, it seems that nonprofits that are working in the arts community, for example, are really, really aware of artists' concerns over copyright and AI stealing their art. Whereas nonprofits in other areas might just be like, oh, this is such a cute image. I'll just use this in the style of this artist that I like, and then they get into trouble.

Jenna Howard

Or what's your favorite walk-up song at that big event? And now that big event turned into a podcast, and now it's out there for everyone to hear, and you have not authorized or licensed that music. I mean, we're seeing things that seem so benign in the moment become quite an expensive legal issue for the organization. Yeah, yeah. One of the other things we're seeing that I think is worth noting, and the Canvas breach is a good example.

Jenna Howard

Canvas is a learning platform used by 9,000 higher ed and education institutions. And they publicly said there was a cyber breach; no one had access to the platform, in the middle of exams. Timing is always good with cyber attacks. And it does appear that a ransom payment was issued to get the platform back up online, but it has raised the question, and there have been many, many cyber attacks that have identified that your dependency as an organization on a third party has become a big risk to the organization, whether it's your payroll system, your learning platform, a cloud provider. Those dependent vendors have created an aggregation risk for cyber insurers, because they are looking to underwrite a nonprofit organization and ask about your controls. They do now ask about some of your major dependent vendors, because when a Canvas goes down, it becomes 9,000 insurance claims for all of those institutions rather than a single claim for Canvas. So that has become a very heightened issue of how dependent are you on other organizations, and do you understand their protocols?

Carolyn Woodard

Yeah. And I think in that case, because we always, of course, recommend that you have your backups, that they're recent, and that they're in a separate system, so that if your system gets ransomware and is locked down, I mean, it's a pain in the butt, but you have everything. But I think in the Canvas case, the ransomware attackers had the student data, right? That's what they were threatening to do, is to put that data out, make that available.

Jenna Howard

Correct. And from my understanding, what's publicly available about their demand is that they wanted all of the institutions to go tell students and parents that their data had been compromised before there was really known fact. So then it lends to: there is a notification requirement, but when is notification triggered, and how much do I know? It's a complicated web. It's not as simple as, oh, our system is down. It's: our system is down. Why is it down? Who needs to be notified? What system is down? Is there a redundancy? That takes some time to source and figure out.

Carolyn Woodard

And I think you told me in our previous webinar that that is often something that your insurer can help you with, that they have an incident response plan: when you have to go to the FBI, when you have to do the different things, who you need to call.

Jenna Howard

The most critical person or group in a cyber claim is your breach counsel, which is oftentimes a law firm. And it's specific teams that know and understand all of the triggered laws, all of the notification, all of the legal and government agencies, and then how to pull in the right forensics team, because one forensics team that's inundated in the Canvas breach today, and you have a ransomware over here, do they have the capacity to take it on? So that breach counsel, whether you identify that through your insurance policy, which is ideal, or you have a working relationship that you know that's your person, that key to the incident response is huge, because you need them informed and on the ground, ready as soon as possible, within hours.

Carolyn Woodard

Yeah. And I heard the advice: have their number printed out somewhere or in your phone, so it's not in your system that is now locked and you can't get into.

Jenna Howard

I mean, on more than one occasion, even more than a handful of occasions, I've gotten the call from a client that says, I know I have cyber insurance and I have a plan, but it all lives on the system that I have no access to. Help me.

Carolyn Woodard

Well, I have one more question. I've been thinking about this a lot lately, and I just wanted to get your take on it. It seems like we have a couple of perfect storms converging at the same time. So if we were only dealing with AI and the very rapid changes that AI is making, that would be a lot to deal with. But we know in the past, you know, year, year and a half, there's been kind of a change also in the environment around nonprofits. And a lot of nonprofits that were merrily going along their way, were never controversial before, suddenly there's a lot of partisan interest in your nonprofit, no matter what it is you do. And so we're seeing that a lot. Are you seeing that kind of adversarial impact on attacks, insurance? You know, you talked about media insurance, but what about just, like, for the staff who might say something controversial online?

Jenna Howard

Yeah. Oh, really great questions. There's a lot of directions you could go with that. If you are a scholarship organization, there's a lot of scrutiny, and advocacy groups that will go after your criteria in certain scholarships. If you are in accreditation, how you view accreditation and what you say about accreditation. And sometimes that comes through a government regulatory investigation, sometimes that comes through an advocacy group or a law firm, and other times it can come from your employees through a reverse discrimination suit or a public forum where there is an op-ed.

Jenna Howard

I had a client where one of their employees wrote an op-ed outside of their scope of work, but it's easily found where this individual worked. And so distinguishing what was in the scope of your employment and what is your own personal opinion shared online can get very murky. And in that particular case, the institution, the nonprofit organization, did actually have to hire an attorney to get themselves out of the litigation that came from the employee statement, but they still felt protective of the employee and supported them through the process.

Jenna Howard

So again, it goes a lot back to policies and procedures, particularly when you have a high-profile individual in a nonprofit that is speaking: what is to be said within the scope of work and what's not, because there is far more attention on advocacy and attacks on nonprofits than we've ever seen before. And they oftentimes will turn into directors and officers insurance claims, the mismanagement of a firm, and even some cyber events can turn into a governance issue, which turns into a cyber claim. So it's a tangled web we weave, and a lot of insurance implications can come from it.

Carolyn Woodard

Yeah, we've just seen so many changes recently. And, you know, yes, it's often the directors or the executive director, the executives, the board members, but sometimes it can be just the person on the staff who has the identity that's most likely to be attacked. So having those protections in place is so important. So are there any, you know, final words of wisdom you can give us going forward? Like, if you are not sure you have insurance and you're an executive director at a small organization, or new at an organization, where do you start?

Jenna Howard

Well, start with the staff that you have in place. Really look at what policies, procedures, and insurance program you have. Reach out to the advisors within the organization. Oftentimes your bank, your accountant, your insurance broker, your HR consultant, your IT consultant, everybody in your spectrum will have a perspective on how well managed and protected their piece of the pie is. So really getting a good gauge of tracking your risk and sharing that with your board, creating a risk tracker and having an enterprise risk management, no matter the organization or how sophisticated it is, it is very important that at least the senior leadership team and the board are aligned to understand what their top risks are.

Jenna Howard

High risk doesn't mean you don't do it. It could be your program, it could be your endowment, it could be things that keep your mission going, but that just means it needs to be well managed and thoughtful and have the right procedures and policies in place. And I have yet to see a risk tracker or a board not put cyber in that top category. I will say five years ago, it likely didn't live in that space unless you were healthcare or retail or some of the higher-profile industries, but in this day and age, cyber lives somewhere in the top five.

Carolyn Woodard

Well, thank you so much for your time today, Jenna. I really appreciated reconnecting with you and learning, kind of catching up on what's happened to insurance since we spoke last. Thank you so much. It's always a delight to spend time with you.

Jenna Howard

Happy to do it.