Cyber Risks No Longer Science-Fiction for Libraries
When the pandemic forced nearly all libraries in the U.S. to close for more than half of 2020, these long-time community institutions took the opportunity to adapt all or most of their programming to a digital format and grow their online presence. Now, as many operate in a limited capacity, libraries continue to evolve and blend physical offerings with virtual ones.
Just last year, the New York Times reported that libraries were offering patrons free Wi-Fi and social services, 3-D printers, sound studios for recording podcasts and mobile hot spot devices so those without internet access at home could get online. These offerings were all in addition to physical copies of books, DVDs and newer online services that we’ve come to expect.
Through online reading sessions for children, electronic book offerings, author speaking events, educational seminars, social media and more, these institutions have found ways to continue to serve the public and taxpayers who fund most of their programming. Yet another question looms: Does this shift to virtual programming leave libraries exposed to cyber risks that could affect their day-to-day operations and reputations?
Contrary to what many believe, libraries don’t store a tremendous amount of sensitive data. The only information library cardholders typically have to share is their name and address, as few libraries process any transactions online using credit cards or other financial information. However, in this day and age, a name and address may be all it takes for cybercriminals to invade a person’s privacy and pose a threat to their finances and identity.
Regardless of the type of information libraries store online, data breaches and ransomware pose a serious threat. In 2019, a library in New York became the victim of a ransomware attack that forced it to shut down for 23 days. Even though the library had its own security network in place, hackers were able to breach its systems from a computer stationed on the premises.
Libraries can be appealing to cybercriminals because most do not have a large security team for monitoring cyber threats. Additionally, hacking into a library’s database gives someone access to many residents in a given area, especially if the library is a fixture in the local community.
With approximately 99% of libraries publicly funded by local taxpayers, cyberattacks become a serious issue when a library faces cyber extortion. For instance, if ransomware is installed in a library’s network and cybercriminals demand $50,000 before they’ll return access to its online presence and remove the ransomware, the library board will have to make a decision. Do they pay the ransom using taxpayer money, or do they reject the threat and have their IT team or cybersecurity professionals attempt to resolve the issue themselves? On top of dealing with the ransom demand, the board will likely have to inform all of the library’s patrons of the cyberattack and let them know there is a chance their personal information has been compromised.
Scenarios like this are a good reminder that best practices for cybersecurity and securing the proper insurance can make all the difference when libraries are faced with cyber risks and the financial and reputational damage that comes with them.
Because libraries vary in size, library directors may be responsible for 10 employees or up to 200 employees. Fortunately, much of the work conducted at libraries is low-risk, with few transactions requiring financial information to be shared.
All libraries and their directors are responsible for training employees about cyber risks. This includes routine protocols like using password protections, a dedicated email address and authorized equipment to access the library’s network. Additionally, directors should consider how employees access the network remotely, ideally using a VPN, and consider putting protocols in place for when and how long employees are allowed to do so.
Also, since most libraries rely on third-party vendors to provide the hardware and cloud-based systems that are used by their patrons, it’s important for libraries to make sure these vendors are trusted and have both the proper certifications and insurance in place.
Adding Cyber Coverage
In addition to following best practices for cybersecurity and working with trusted vendors, libraries should also ensure they have insurance coverage for cyber risks and the business interruption that may come with them. Carriers handle cyber coverage in different ways, especially for businesses like libraries where these risks may not appear to be the greatest concern.
Cyber liability is typically excluded in a general liability policy, with many carriers offering cyber coverage as a separate policy. If it is bundled, the coverage and limits still stand alone, so it’s important for agents and brokers to work with libraries to make sure they understand the coverage.
Limits for these policies often vary as well, as the insurance industry is still finding its sweet spot in determining the necessary coverage amounts and what limits they’re willing to set. Limits can vary from $25,000 all the way up to $10 million, depending on the business and perceived risk of cyber threats. Unlike most other lines of coverage such as auto and workers’ comp, there is no real standardized format for cyber. This means that while a policy from one carrier may have multiple sub-limits, including cyber that must be purchased separately, another carrier may have all of these sub-limits grouped into a single policy that can be purchased together.
Although cyber insurance isn’t required for businesses like libraries, it’s becoming an increasingly important coverage as we move further into the digital age.