Church Cyber Liability Insurance: Why Your Congregation Can’t Afford to Go Without
Imagine logging into your church’s email on a Monday morning and discovering that someone has impersonated your pastor, sent emails to your entire congregation asking for urgent “gift card donations,” and accessed your online giving platform, all over the weekend. It sounds far-fetched, but more than 70% of religious institutions have reported attempted or successful cyber incidents in the past two years. Church cyber liability insurance exists specifically to protect your ministry when the digital world goes wrong.
If your church collects online donations, stores member contact information, or uses email for any kind of communication (and in 2026, what church doesn’t?), you have cyber risk. And your general liability policy almost certainly doesn’t cover it.
What Is Church Cyber Liability Insurance?
Church cyber liability insurance is a specialized coverage designed to protect your congregation from the financial fallout of cyberattacks, data breaches, and other technology-related incidents. Think of it as the digital equivalent of your property insurance, except instead of protecting your building from fire, it protects your data, your finances, and your congregation’s trust from hackers.
This coverage typically falls into two categories. First-party coverage handles your church’s direct losses: the cost of investigating what happened, notifying affected members, restoring corrupted data, and getting your systems back online. Third-party coverage protects you when someone else suffers harm because of a cyber incident at your church; for example, if a member’s financial information is stolen from your donation records and they experience identity theft.
Most standard church insurance policies, including general liability, property, and even umbrella policies, contain explicit exclusions for cyber-related losses. That means without a dedicated cyber liability policy, your church is essentially self-insuring against one of the fastest-growing risks in the nonprofit sector.
Why Churches Are Prime Targets for Cybercriminals
You might think hackers wouldn’t bother with a church. After all, you’re not a Fortune 500 company or a government agency. But that assumption is exactly what makes churches attractive targets.
Churches collect valuable personal data. Every time a member fills out a visitor card, signs up for a small group, enrolls their child in vacation Bible school, or makes an online donation, your church is collecting personally identifiable information: names, addresses, email addresses, phone numbers, dates of birth, and in many cases, bank account or credit card numbers.
Security tends to be minimal. Most churches don’t have a dedicated IT department or cybersecurity budget. Volunteer-run networks, shared passwords, outdated software, and personal devices connecting to the church Wi-Fi all create vulnerabilities that professional cybercriminals know how to exploit.
Trust is high, suspicion is low. Church communities are built on trust. When a congregant receives an email that appears to come from the pastor asking for help with a “confidential financial matter,” they’re far more likely to respond than the average person. This makes churches especially vulnerable to phishing and business email compromise attacks.
Online giving has expanded the attack surface. With more than 70% of churches now accepting digital donations, there are more entry points for hackers than ever before. Every online giving platform, every payment processor integration, and every accounting software connection is a potential point of compromise.
The numbers tell the story: ransomware attacks against nonprofits have nearly doubled since 2023. In December 2024, First Baptist Church of High Springs fell victim to a BlackLock ransomware attack. In August 2024, Greater Mt. Calvary Holy Church in Washington, D.C. was hit by the RansomHub ransomware group. And in one of the costliest church cyber incidents on record, an Ohio church lost $1.75 million when hackers compromised its email system and impersonated a contractor requesting payment.
What Does Church Cyber Liability Insurance Cover?
A comprehensive church cyber liability policy typically includes several key coverage areas. Data breach response coverage pays the expenses incurred when member or donor data is compromised: forensic investigation, legal counsel, notification of affected individuals, credit monitoring services, and public relations assistance. These costs add up fast, and even $50,000 to $100,000 in breach response costs could be devastating for most congregations.
Ransomware and cyber extortion coverage helps when hackers encrypt your church’s files and demand payment. It can pay for negotiation experts, data recovery specialists, and in some cases, the ransom itself.
Business interruption coverage compensates for lost income if a cyberattack knocks out your online giving platform, disrupts your livestreaming capabilities, or shuts down your administrative systems.
Legal defense and regulatory fines coverage provides legal representation following a data breach, and can cover resulting fines or settlements. Third-party vendor breach coverage protects you when a platform your church uses, like an email or donation provider, gets hacked. And data restoration coverage pays for recovering your systems and data after an attack.
Massachusetts Churches Face Additional Legal Obligations
If your church is in Massachusetts, you need to pay particularly close attention to cyber liability. The Commonwealth has some of the most stringent data protection laws in the country, and they apply to churches just as they do to businesses.
Massachusetts General Law Chapter 93H requires any entity that owns or licenses personal information of Massachusetts residents to notify both the Attorney General and the Office of Consumer Affairs and Business Regulation in the event of a data breach. You must also notify all affected individuals.
The Written Information Security Program (WISP) requirement is particularly important. Massachusetts regulations require organizations that store personal information to maintain a comprehensive written information security program. If your church suffers a breach and doesn’t have a WISP in place, the penalties can be severe: up to $5,000 per violation.
Having cyber liability insurance doesn’t just protect you financially; many policies include access to breach coaches and legal experts who can help you meet Massachusetts notification requirements quickly and correctly.
How Much Does Church Cyber Liability Insurance Cost?
Church cyber liability insurance is remarkably affordable relative to the protection it provides. Most small to mid-size churches can expect to pay between $500 and $3,000 per year for coverage with limits ranging from $50,000 to $1 million. The exact cost depends on church size, the amount of personal data you collect, your cybersecurity practices, and coverage limits.
For most small to mid-size Massachusetts churches, that works out to roughly $75 to $250 per month, about the cost of one catered leadership meeting. When you consider that a single data breach could cost tens or hundreds of thousands of dollars, the math is clear.
Practical Steps to Protect Your Church Today
While insurance is essential, it works best as part of a broader cybersecurity strategy. Here are steps every church should take:
Develop a Written Information Security Program (WISP). In Massachusetts, this isn’t optional; it’s legally required if you store personal information. A WISP doesn’t have to be a hundred-page document. It should outline what personal data you collect, where it’s stored, who has access, how it’s protected, and what you’ll do if a breach occurs.
Train your staff and volunteers. Human error causes approximately 88% of all cyber incidents. Regular training on recognizing phishing emails, using strong passwords, and following data handling procedures is the single most effective thing you can do to reduce your risk.
Implement multi-factor authentication (MFA). Require MFA on all church email accounts, financial systems, online giving platforms, and member database access. This one step can prevent the majority of unauthorized access attempts.
Keep software updated. Ensure that all computers, routers, and software used by the church are regularly updated with the latest security patches. Outdated software is one of the easiest entry points for hackers.
Audit your third-party vendors. Review the security practices of every platform your church uses for email, donations, member management, and accounting. Make sure they encrypt data, offer MFA, and have their own cyber insurance.
Limit data collection. Only collect the personal information your church actually needs. The less sensitive data you store, the smaller your target and the lower your risk, and potentially your insurance premium.
Frequently Asked Questions
Does my church need cyber liability insurance?
Yes, if your church stores any personal information about members, donors, or employees, including names, email addresses, financial data, or Social Security numbers, you have cyber risk that standard church insurance policies don’t cover. With more than 70% of churches accepting online donations and nearly all using email and digital record-keeping, virtually every church in 2026 needs dedicated cyber liability coverage.
Does our general liability policy cover cyber attacks?
No. Most general liability policies for churches specifically exclude cyber-related losses, including data breaches, ransomware, phishing attacks, and other digital threats. Some church insurance packages may include a small amount of cyber coverage as an add-on, but it’s rarely sufficient. You need a dedicated church cyber liability insurance policy to be properly protected.
How much does church cyber liability insurance cost?
Most small to mid-size churches can expect to pay between $500 and $3,000 per year for cyber liability coverage with limits ranging from $50,000 to $1 million. The exact cost depends on your church’s size, the amount of personal data you collect and store, your cybersecurity practices, and the coverage limits you select. Many specialized church insurance carriers can bundle cyber coverage with your existing policy at a discount.
What should we do if our church experiences a data breach?
Act immediately. Contact your cyber liability insurance carrier first; most policies include a breach response hotline with 24/7 access to forensic investigators, legal counsel, and crisis management specialists. In Massachusetts, you’re legally required to notify the Attorney General, the Office of Consumer Affairs and Business Regulation, and all affected individuals as soon as practicable. Do not attempt to handle a breach on your own, as mistakes in the response process can increase both your legal liability and the harm to affected members.
Are Massachusetts churches required to have a Written Information Security Program?
Yes. Under Massachusetts data protection regulations (201 CMR 17.00), any entity, including churches and nonprofits, that stores personal information of Massachusetts residents must maintain a Written Information Security Program (WISP). This document must outline your data protection policies, employee training requirements, access controls, and incident response procedures. Failing to have a WISP in place when a breach occurs can result in significant fines under the state’s consumer protection laws.
What are the most common cyber threats targeting churches?
The most common cyber threats against churches are phishing emails (often impersonating the pastor or church leadership), ransomware attacks that encrypt church files and demand payment, business email compromise schemes that redirect payments to criminal accounts, and unauthorized access to online donation platforms. Volunteer and staff email accounts are frequently the initial entry point for attackers, making email security and training critical defenses.
Can our church be sued if member data is stolen?
Yes. If your church experiences a data breach and a member suffers identity theft, financial loss, or other harm as a result, they may have grounds for a lawsuit, particularly if the church failed to implement reasonable security measures or didn’t have a WISP as required by Massachusetts law. Directors and officers of the church could potentially face personal liability if they were negligent in overseeing data protection. Cyber liability insurance provides the legal defense and settlement coverage you need in these situations.
Your church works hard to protect its congregation spiritually, physically, and emotionally. Don’t overlook the digital risks that are growing every day. At Hale Street Insurance, we specialize in helping Massachusetts churches find the right cyber liability coverage, along with every other protection your ministry needs. We’ll review your current policy, identify gaps in your cyber coverage, and make sure your congregation is protected in the digital age.
Call us at 978.712.0111 or email support@halestreetinsurance.com to schedule your free church insurance review. You can also get a quote online; it only takes a few minutes.