By Ryan Windt | Head of Growth Marketing | Updated June 2026
Churches, synagogues, mosques, and other religious organizations are not the first entities that come to mind when people think about cybercrime targets. That assumption is exactly why they get hit so often.
Religious organizations collect and process more financial data than most people realize: weekly giving, online donations, payroll for staff, vendor payments, building fund contributions, and school tuition where applicable. They hold personal information on congregants including contact details, giving history, and in many cases counseling records and sensitive pastoral communications. They typically operate with small administrative staffs, limited IT resources, and a culture of trust that makes social engineering attacks unusually effective.
Wire fraud targeting religious organizations is well-documented and alarmingly common. The FBI has issued specific advisories about business email compromise attacks on houses of worship, where attackers impersonate senior clergy or finance committee members to redirect payment transfers. Construction projects, which many congregations undertake, create large one-time wire transfers that are particularly attractive targets.
This guide covers the cyber risks specific to religious organizations, what coverage actually looks like, and how to get a policy that fits the way a faith community operates.
Why Religious Organizations Are Targeted
Wire Fraud and BEC
Business email compromise attacks on religious organizations follow a consistent pattern. An attacker compromises or spoofs the email account of a senior pastor, rabbi, imam, or board chair and sends a message to the administrator or bookkeeper requesting an urgent wire transfer. The request is framed as a confidential matter, often tied to a building project, a mission trip, or a pastoral emergency. The social dynamics of a faith community, where trust in leadership is high and questioning a senior figure’s request feels inappropriate, make these attacks particularly effective.
Large wire transfers connected to capital campaigns and construction projects are especially targeted because the amounts are significant, the transfers are unusual enough that the organization may not have established verification procedures, and the timing pressure of a construction draw creates urgency that discourages due diligence. For a full explanation of how this coverage works, see our post on social engineering and funds transfer fraud coverage.
Donor and Congregant Data
Religious organizations hold personal data on their congregants that is both sensitive and extensive. Giving records, membership information, contact details, family composition, and in some cases counseling notes and pastoral care records are all held in systems that may not have the security controls that a comparable commercial organization would apply to similar data.
State breach notification laws apply to religious organizations the same as they apply to businesses. If a church’s donor database is compromised and congregant personal information is exposed, the organization has the same notification obligations as a company of comparable size. The cost of breach response, including forensic investigation, legal counsel, and notification, does not scale down because the organization is a house of worship.
Ransomware
Ransomware attacks on religious organizations have increased as attackers have expanded their targeting beyond large enterprises. Smaller organizations with limited backup infrastructure and no dedicated IT staff are attractive targets because they are less likely to have the recovery capability to restore systems without paying. A church that loses access to its membership management system, its giving records, and its administrative files faces significant operational disruption even if the ransom demand is modest by enterprise standards.
School and Childcare Operations
Many religious organizations operate schools, preschools, or childcare programs that collect student and family data subject to FERPA, state student privacy laws, and in some cases HIPAA if health records are maintained. That data creates regulatory exposure that goes beyond what a congregation-only organization faces, and it often sits in systems that were not designed with security as a priority.
What Cyber Coverage Looks Like for a Religious Organization
Funds Transfer Fraud Coverage
Given the frequency of wire fraud attacks on religious organizations, funds transfer fraud coverage is the single most important coverage component to evaluate. Key questions: what is the sublimit on funds transfer fraud relative to the policy’s headline limit, what verification procedures does the policy require before a transfer is covered, and does coverage apply to transfers authorized by a compromised email account as well as transfers made in response to a spoofed email.
Sublimits on this coverage are common and often set well below the policy limit. A $1 million policy with a $100,000 funds transfer fraud sublimit provides $100,000 of coverage for the most likely attack scenario a religious organization faces. For more on how sublimits work across a policy, see our post on cyber insurance sublimits.
Data Breach and Privacy Liability
First-party breach response coverage pays for forensic investigation, legal counsel, and notification to affected individuals following a data breach. Third-party liability coverage responds to claims brought by congregants or others whose data was compromised. Both components are relevant for religious organizations that hold congregant personal information, giving records, and school or childcare data. For a full explanation of how these coverage layers work together, see our post on first-party vs. third-party cyber coverage.
Ransomware and Extortion
Ransomware coverage pays for extortion demands and system restoration costs following a ransomware attack. For religious organizations, the system restoration component is often more relevant than the ransom payment itself, because the cost of rebuilding an administrative environment from scratch, including membership databases, giving records, and financial systems, can be significant relative to the organization’s budget. For more on what ransomware coverage actually covers, see our post on ransomware and cyber insurance.
Business Interruption
Business interruption coverage applies to financial losses from operational downtime following a cyber incident. For religious organizations, which may not have conventional revenue in the commercial sense, extra expense coverage is often the more relevant component: the costs of manual workarounds, temporary administrative support, and expedited system restoration while normal operations are disrupted.
The most common cyber loss for a religious organization is not a sophisticated attack. It is a bookkeeper or administrator who receives a convincing email from someone they trust and wires money to an account controlled by an attacker. Prevention requires procedures. Coverage requires a policy that specifically addresses this scenario.
How Religious Organizations Are Underwritten
Religious organizations are generally underwritten as small to mid-sized nonprofits, with adjustments for the specific risk characteristics of faith communities. The underwriting process is less intensive than for commercial organizations of comparable size, and coverage is broadly available for organizations with reasonable security practices. Here is what underwriters look at.
Financial Controls
Given the prevalence of wire fraud attacks, underwriters pay particular attention to whether the organization has financial controls that require verification of payment requests through a second channel. A policy requiring a phone call to confirm any wire transfer request above a threshold amount, using a known phone number rather than one provided in the email, is a straightforward control that both reduces risk and improves the underwriting conversation. Organizations that cannot describe any verification procedures for payment requests will face more scrutiny.
Email Security
Email is the primary attack vector for religious organizations. Underwriters ask about email security controls including multi-factor authentication on email accounts, DMARC configuration that prevents domain spoofing, and whether staff have received any training on identifying phishing and social engineering attempts. These are not difficult controls to implement, and they are increasingly expected even for small organizations.
Backup Practices
Whether the organization has backups of its critical systems, how recently those backups were tested, and whether they are stored in a location separate from the primary environment are standard underwriting questions. For a religious organization, critical systems typically include the membership management database, giving records, financial systems, and any school or childcare administration platforms.
Third-Party Platforms
Most religious organizations use third-party platforms for online giving, membership management, and communications. Underwriters may ask about which platforms are in use and whether they are reputable vendors with their own security programs. The security of a church’s donor data is only as strong as the weakest platform it uses to collect and store that data.
Sizing Coverage for a Religious Organization
Coverage limits for religious organizations should be sized to the actual financial exposure, not to a percentage of operating budget. The relevant exposures are the largest single wire transfer the organization might execute, the cost of notifying all congregants and school families in the event of a data breach, the cost of restoring all administrative systems from scratch, and any regulatory exposure from school or childcare operations.
For most congregations, $500,000 to $1 million in coverage addresses the realistic exposure from a single incident. Larger organizations with significant construction activity, school operations, or multi-site footprints may need higher limits. For a framework on how to think through limit selection, see our post on how much cyber insurance you need.
Deductibles for religious organization cyber policies are typically modest, which matters for organizations with limited cash reserves. For more on how deductibles work in cyber policies, see our post on cyber insurance deductibles explained.
How Religious Organization Cyber Coverage Relates to Other Policies
Many religious organizations carry a religious institution package policy or a nonprofit package that includes some crime coverage. Crime coverage addresses employee theft and certain types of fraud but typically does not cover cyber-enabled fraud, ransomware, data breach response costs, or third-party privacy liability. Assuming that crime coverage addresses cyber risk is one of the most common gaps in religious organization insurance programs.
General liability policies exclude cyber losses in almost all modern forms. A data breach or wire fraud loss will not be covered under a GL policy. Standalone cyber insurance is the only policy form designed specifically to respond to these losses. For more on how general liability and cyber interact, see our post on whether general liability covers a cyberattack.
Frequently Asked Questions
Does a church really need cyber insurance?
If the organization processes online donations, holds congregant personal information, operates a school or childcare program, or executes wire transfers for any purpose, the answer is yes. The cost of a single wire fraud incident or a data breach notification process typically exceeds the annual premium for a cyber policy by a significant multiple. The question is not whether the risk exists but whether the organization has thought through how it would absorb a loss if it occurred without insurance.
Is wire fraud covered under a standard cyber policy?
Funds transfer fraud coverage is included in most cyber policies but is almost always sublimited. The sublimit, not the headline policy limit, is the relevant number for evaluating how much wire fraud protection you actually have. Review the sublimit carefully and confirm whether it applies to transfers authorized by a compromised email account, which is the most common attack pattern against religious organizations. For more detail, see our post on whether cyber insurance covers business email compromise.
What if the organization cannot afford cyber insurance?
Cyber insurance for small religious organizations is less expensive than most people expect. A congregation with modest operations and reasonable security practices can typically obtain meaningful coverage at a premium that is manageable relative to the risk it addresses. Getting a quote costs nothing and provides a baseline understanding of what coverage would look like. For guidance on what the application process involves, see our post on how to get cyber insurance.
Does cyber insurance cover a school operated by a religious organization?
School operations can be covered under a cyber policy, but the application needs to reflect the school’s data and operations accurately. Student data subject to FERPA and state privacy laws, health records, and tuition payment processing all need to be disclosed and addressed in the coverage. A policy written only with congregation operations in mind may not adequately cover school-related exposure.
How is a religious organization different from a nonprofit for cyber insurance purposes?
Religiously affiliated organizations are generally underwritten similarly to nonprofits, with adjustments for the wire fraud exposure specific to faith communities and the school or childcare operations that many congregations run. The nonprofit cyber insurance market is broadly applicable to religious organizations. For more on nonprofit cyber coverage, see our post on cyber insurance for nonprofits.
Related Resources
• Cyber Insurance for Nonprofits
• Social Engineering and Funds Transfer Fraud Coverage
• Does Cyber Insurance Cover Business Email Compromise?
• What Ransomware Insurance Actually Covers
• Cyber Insurance Sublimits Explained
• How Much Cyber Insurance Do I Need?
• Cyber Insurance for Small Businesses
SeedPod Cyber works with religious organizations, faith communities, and the nonprofits that serve them to build cyber insurance programs that fit how they actually operate. Contact us | Learn about our coverages | See who we work with