A common, and potentially significant, resilience weakness in many organisations, including charities, is that they do not have the correct or adequate insurance cover in place. Often this is because insurance proposal forms and policy wording are long and complex, making them difficult and time-consuming to understand. On other occasions insurance gaps are attributable to a failure to fully identify the risks and vulnerabilities facing the organisation as part of a comprehensive risk management approach.
Many organisations at policy renewal time simply pay the premium for what they already have in place without properly reviewing whether the existing cover is still adequate for their needs, or whether there are new policy requirements in place which need to be met in order for the policy to cover certain types of claims. Yet the implications of not having the correct insurance cover in place may be significant or even potentially catastrophic in terms of uninsured financial losses to the organisation.
Having correct and adequate insurance cover in place is central to R4C’s approach to resilience, which essentially comprises three main steps. The first thing we do is to help an organisation correctly and comprehensively identify its key risks and potential vulnerabilities. These are then mapped on to existing insurance cover to identify any gaps as part of a comprehensive risk management approach. The next two steps are then to understand what specific measures need to be put in place for particular aspects of insurance cover to be valid (such as policies, protocols, financial checks and controls) and, where helpful, to work with the organisation to put these in place, including where they do not have the capacity and/or expertise to do so.
There are a number of recurring themes in terms of where organisations, including charities, typically have incorrect or inadequate insurance and/or do not meet all insurance cover requirements, the implications of which have become more pronounced for many in the current Covid-19 pandemic context. Some of the main ones, together with the key things to check, are:
- Home working. Increasingly, many organisations permit their staff to work from home part or full time. By necessity, this way of working has increased exponentially since the Covid-19 lockdown measures were imposed in late March - often with little or no prior contingency planning - and is set to continue for some time to come.
Key things to check: that staff ensure that their home insurance policies cover use of their own premises for business activities; that employers ensure that all health and safety requirements are met, such as undertaking risk assessments for homeworking and putting adequate measures in place for lone working; and that any of the organisation’s equipment, such as laptops, is insured away from office premises and is kept secure in accordance with insurance requirements.
- Data/cyber breach. A common vulnerability is a failure by organisations to realise the potential financial implications to them of a data breach, whether this is caused through e.g. human error or a cyber incident. In the case of the latter, even where the personal data is being held on a database managed by a third party provider, under data protection law the organisation processing the data – i.e. you – remains liable in law for any breach, such as the wrong disclosure of personal data as the result of a cyber incident. One of the potentially significant financial implications of this to the organisation is that it may be necessary for it to pay for personal credit monitoring to be available to all of those affected, potentially hundreds or thousands of people, for a period of time (typically a minimum of 12 months). This could result in unexpected costs to the organisation, potentially in the region of many thousands or tens of thousands of pounds. In the current tough financial climate, such unplanned expenditure – together with reputational harm affecting funding streams – could tip the balance for smaller organisations especially regarding their very survival and sustainability in the short and/or longer term. It is especially important to manage these risks effectively in the current Covid-19 home working context in which the likelihood of a cyber event occurring, including due to organisational IT security vulnerabilities, has increased significantly. See further e.g. the National Cyber Security Centre’s Home Working guidance.
Key things to check: in addition to checking whether data breach and cyber risk insurance are in place (due to the electronic format of most data held these days, both forms of risk are often inherently linked), it is important to ensure that all insurance cover requirements are satisfied. Typically, this requires that the organisation has a data protection policy, cyber security policy and business continuity policy/plan in place which appropriately identify and manage the related risks.
- Cyber crime and viruses. Another commonly overlooked area of insurance cover relates to cyber crime, especially financially related. For instance, a common example is for an organisation’s email system to be hacked into and to send out emails purporting to be from the organisation, e.g. with an invoice, with false banking details belonging to a criminal gang, resulting in financial loss. Another common area of vulnerability is that an organisation’s IT system may become infected by a virus which it unwittingly shares with another organisation – e.g. through an email sent – resulting in the second organisation’s IT system becoming infected, potentially with significant business disruption and resultant financial losses as well as costs to resolve, for which the first organisation would be responsible.
Key things to check: in addition to ensuring that cyber cover is in place, again all policy requirements must be met, such as ensuring that robust cyber security protocols are in place (e.g. how to recognise and deal with phishing emails, respond quickly in the event of a suspected hack or virus). Cyber security training of staff can be further evidence of due diligence in the event of any claim being made.
Katja Samuel is the founder and CEO of GSDM(R4C), with broad ranging resilience experience and expertise.