Potential Pitfalls for Nonprofit Organizations
Nonprofit organizations and not-for-profit organizations have similar insurance needs to other commercial entities, but they also have some insurance needs that are more complicated than other commercial entities because of the nature of their exposures and the ways that they operate.
Most businesses have a primary goal of making a profit for someone, usually an owner. In today’s business world, the owner of a business might be an individual, a family, a mass of stockholders, the employees, another company, or any combination of these. But there are commercial entities that are businesses, but not in that sense. They don’t exist to make a profit, but to bring some other benefit to society, rather than the owners. These are nonprofits and not-for-profit organizations.
What Is a Nonprofit?
According to Investopedia, a nonprofit organization is “is business that has been granted tax-exempt status by the [IRS] … A nonprofit designation and tax-exempt status are given only to organizations that further religious, scientific, charitable, educational, literary, public safety or cruelty-prevention causes or purposes.”
A not-for-profit is treated differently under the tax code such that donations, gifts, and fees paid to a not-for-profit are not generally tax deductible.
Here, we will stick to the formal definition of a nonprofit and try not to muddy the waters any more than necessary.
What Can Go Wrong With a Nonprofit?
As someone who has worked with a few nonprofits, let me tell you what can go wrong.
Everything.
A large issue that nonprofits face is turnover of the board of directors. In many nonprofits, the board of directors serves for a minimum of one year. Some boards limit terms to only one while others allow board members to serve consecutive terms until they choose not to serve. Some boards allow for certain members to overlap terms so that a board doesn’t fully turn over every year, or at least they seek to limit that possibility.
There are many reasons this could be an issue, but consider the loss of institutional knowledge that can happen when an entire board rolls over after the big organizational business meeting. The whole new board potentially steps in and only knows what each member knows about the internal operation of the organization.
Maybe it’s not that extreme, but what if one board member rolls off the board and they happen to be the person that handled the books and no one knows the financials of the organization, and by the time they figure it all out, the former treasurer has a new name and a new address in Bermuda.
To help manage this risk, many nonprofit organizations have an employee whose role might be the executive director. Their biggest job is to know everything that the next board might need to know to maintain the institutional knowledge so that things don’t go slipping through the cracks or so the board doesn’t have to relearn everything every year.
A board has certain duties, including the duty to follow the by-laws of the organization, be a fiduciary of the organization’s assets, and continue the perpetuation of the organization. These duties (in fact, the existence of the board) creates certain directors and officers exposures, which means the board needs a D&O policy in place.
The D&O policy is not there to protect the board of directors or the officers of the organization. While the members of the board are going to be insured by the policy, the policy needs to be put in place to protect the organization from claims against the board.
That’s exactly what it sounds like. It’s insurance to protect the group from the people in charge of it. Don’t overthink this one. Just let it be.
Here’s some policy language from an example D&O policy to illustrate the point.
If during the Policy Period or the Discovery Period any Claim is first made against any Insured Persons for a Wrongful Act, the Insurer shall pay on behalf of the Insured Persons, Loss and Costs of Defense resulting from such Claim, except for any Loss and Costs of Defense which the Organization or any Subsidiary actually pays as indemnification.
Short version: The policy covers claims and defense costs related to wrongful acts that are covered by the policy, as long as the claim is made during the policy period or discovery period.
Right. This is a claims-made policy, which is common in this line. What that means to the insured and to the policy is a topic for another day, but we do have to deal with the idea of a wrongful act. Here’s how the policy defines that term.
Wrongful Act shall mean: any of the following by the Organization, … and/or any Insured Persons acting in their capacity with the Organization or a Subsidiary: actual or alleged error, misstatement, misleading statement, act or omission, neglect or breach of duty; …
There’s more to the definition, but again it’s more than what we need to deal with here. The point is that the policy uses a few simple words to speak to the directors’ and officers’ liability coverage and exposure. The coverage includes errors, misstatements, acts, omissions, breaches of duty. Can you imagine the errors, misstatements, etc. that can happen when a board rolls over and doesn’t have access to all the history of the board?
Let’s move on to another exposure the board might have that also comes back to the D&O exposure.
What Could the Cyber Exposures Be?
Let’s broaden our discussion a little by addressing another exposure that nonprofits face that is similar to just about every other business out there — the cyber exposure.
Just think about how you keep the records of your customers. You have some kind of customer relationship management system that you use. Behind the interface and within its confines, is a database with all of the information your office knows about all of your customers.
A customer relationship management system, agency management system, excel spreadsheet (if you still manage your customers like this, we really can’t have a conversation about that), or whatever you’re doing to keep track of your customers usually holds more information than you often think about. Now think about it from a nonprofit’s standpoint.
A nonprofit likely has a kind of membership management system. This is in place so the organization can keep an up-to-date list of active members, prospective members, donors, child organizations, and more.
It may also create a members’ area of the organization’s website where members can perform certain actions. This might be where they pay for their membership, make a donation, buy swag, and more.
So, it’s a place online where the organization might store and maintain information about their members. It’s also a place where the organization might receive payment information from their members.
It seems that it would be important to have a cyber policy in place that at least covers accidental release of information, security breaches, and hacking at a minimum.
But there’s one more item to consider.
How Can Cyber Exposures Create a D&O Exposure?
Failure to procure the appropriate insurance coverage could be an error or an omission.
Imagine a large nonprofit has a breach and their donor list gets published, even the super-secret ultra-high dollar donor list. Now imagine that they don’t have any cyber coverage in place. They have to spend the organization’s money to handle the breach, as well as the reputational hit that comes along with it. They also have to assure their donors that the breach has been fixed and it won’t happen again.
Meanwhile, once someone determines they could have bought cyber coverage and didn’t, there’s another problem. There was an error, an omission, or (maybe) a misstatement. They could have bought coverage but didn’t.
Someone on the board told a big donor that they had the coverage, and they didn’t. A donor talks to the insurance agent, who says here’s the signed declination form that tells you, Mrs. Donor, that I tried to sell them cyber coverage, but they were too cheap to buy it.
That’s how cyber insurance could be a D&O issue for a nonprofit that didn’t see the claim possibility coming.