Diane is the executive director of a small Virginia nonprofit that works to improve the lives of families and children, particularly those that have not yet entered school. Most of their resources go to support their work, so operational budgets are limited. While they thought they were doing all the right things in terms of cybersecurity, cyber insurance and safety, it wasn’t enough to avoid the damage from a hacker that knew how to manipulate their weak points. “We simply didn’t know what we didn’t know, and we found out the hard way,” said Diane.
“It all started when a new user suddenly showed up in our system,” Diane shared. The new user log-in was quickly removed, but then staff and external partners started getting phishing emails. They informed their outsourced IT company and new layers of security were added. The final straw was when an email was sent to an administrator that looked like it was from a supervisor, asking to change the bank account for an employee’s payroll deposit. Because it looked legitimate, the change was made. The employee, who had no idea that this change was made, received an email asking if she would be “ok” if her pay was delayed a few days from the same person posing as her supervisor. She immediately phoned her supervisor to ask if she had sent the email, and that is when they discovered something was very wrong. Unfortunately, the organization was unable to stop the deposit from going through, and their bank couldn’t do much to help either. Even though they had general, umbrella and directors and officers liability (D&O) insurance policies, these had exclusions for phishing attacks, business interruptions and email compromises, which is incredibly common for many policies.