Why Cyber Resilience is the New Cyber Insurance
- E.Himes
- Feb 17
- 2 min read
PCSC 2026 Newsletter: Edition 2
For our member organizations, a data breach isn't just a technical glitch; it’s a threat to resident safety and regulatory compliance. The insurance market has become increasingly restrictive, often demanding textbook security controls before even offering a quote.

The following are some ideas risk managers should consider when assessing their cyber resilience.
The 3 Pillars of Resilience:
- The Human Element: Over 70% of breaches in the non-profit sector still begin with a phishing email to a staff member. Shared training resources can turn employees from vulnerabilities into your organization’s strongest line of defense.
- MFA is No Longer Optional: Multi-Factor Authentication (MFA) is now the baseline. If your organization hasn't implemented phishing-resistant MFA, like hardware keys or biometrics, you risk becoming uninsurable in the open market.
- Incident Response (IR) Testing: It’s not about if, but when. Use this quarter to run a Tabletop Exercise. Does your leadership know who to call if your electronic health records (EHR) go dark at 2:00 AM on a Sunday?
Consider using this checklist to help build cyber resilience in your organization.
1. Administrative & Governance
- [ ] BAA Audit: Do we have signed Business Associate Agreements (BAAs) for every vendor that touches Resident Protected Health Information (PHI)?
- [ ] Cyber Insurance vs. Captive Coverage: Have we reviewed our specific sub-limits for "Social Engineering" (phishing) and "Ransomware Extortion"?
- [ ] Incident Response Plan (IRP): Is our IRP printed in physical form? (Digital copies are useless if your servers are encrypted.)
2. Technical Defenses
- [ ] Phishing-Resistant MFA: Are we using app-based or hardware-key Multi-Factor Authentication for all remote access and email?
- [ ] Endpoint Detection & Response (EDR): Do we have "Always-On" monitoring that can isolate a laptop the moment it behaves suspiciously?
- [ ] Offline Backups: Are our backups immutable, meaning they cannot be deleted or changed, and stored offsite and off-network?
3. Human & Operational
- [ ] Tabletop Exercise: When was the last time the Executive Team stress-tested its response to a simulated ransomware attack?
- [ ] Staff Training: Is cyber-safety training part of our standard onboarding for every new hire? Is role-specific training updated as employees move into new positions?
- [ ] Access Control: Do we immediately revoke digital access for staff members the moment they are offboarded?
Cyber threats are constantly evolving, and it’s important that your policy evolves to respond to them. If you would like to receive a cyber policy check-up, please contact Brian Thompson at 484-437-4004 or brian@resourcepartnersonline.org.