PFTN Buyer's Guide

Nonprofit Directors & Officers Insurance: A Board Member's 2026 Guide

Seven exposures every nonprofit board now faces — and what to ask before the next renewal lands.

By Ryan Mefford · President & Risk Advisor · Peoples First Tennessee

What's in this guide

  1. The seven exposures every nonprofit board now faces
  2. What D&O insurance actually covers
  3. Why incorporation isn't enough
  4. EPLI — the 60% of D&O that's really employment
  5. Sexual abuse and molestation coverage
  6. Volunteer coverage — narrower than boards think
  7. Donor data and the new state AG environment
  8. Employee dishonesty and embezzlement bonds
  9. IRS Form 990 and contemporaneous documentation
  10. Board minutes as defense exhibits
  11. Questions every board should ask
  12. Frequently asked questions

The seven exposures every nonprofit board now faces

If you serve on a nonprofit board in 2026, your personal exposure is bigger than it was in 2020, and the carriers have noticed.

The average nonprofit D&O claim resolves at roughly $35,000. One in ten exceeds $100,000. Legal defense costs alone routinely cross $100,000 before a case is decided on the merits — meaning even a claim the board ultimately wins can cost six figures to defend. Sixty percent of nonprofit D&O triggers in 2026 are now employment-related, not the governance disputes that defined the category for decades. The Supreme Court's April 29, 2026 unanimous opinion in First Choice Women's Resource Centers, Inc. v. Davenport has reshaped how state attorneys general approach nonprofit governance investigations, which is changing the carriers' underwriting posture.

The seven exposures every nonprofit board now needs to think about — and the seven a competent broker should be auditing against — are:

  1. Directors and officers liability (D&O)
  2. Employment practices liability (EPLI)
  3. Sexual abuse and molestation (SAM)
  4. Cyber liability and donor data exposure
  5. Employee dishonesty and embezzlement
  6. Volunteer coverage
  7. IRS Form 990 governance compliance

This guide walks through each one and explains what every board member should be asking before signing off on the next renewal.

What D&O insurance actually covers

Nonprofit D&O insurance covers the personal liability of board members, officers, and the nonprofit organization for claims arising out of their roles in governing the entity.

Standard D&O policies have three coverage parts. Side A covers individual directors and officers when the organization cannot or does not indemnify them — typically the most important part for board members personally. Side B reimburses the organization when it does indemnify its directors and officers. Side C covers the organization itself for claims brought directly against it.

For nonprofits, Side A is the part board members should care about most. If the nonprofit goes insolvent or refuses to indemnify, Side A is what keeps a board member's personal assets out of the claim. Verifying that Side A coverage is adequate — and that it isn't eroded by the organization's defense costs — is one of the first things a competent broker checks.

D&O policies are claims-made-and-reported. The claim has to be made and reported during the policy period. Prior-acts coverage (retroactive date) and tail coverage (extended reporting period) matter for board members who join or leave mid-cycle.

Why incorporation isn't enough

Most nonprofit board members operate under the assumption that the corporate form protects them personally. It doesn't — at least not in the ways that matter most.

Incorporation protects board members from being personally liable for the nonprofit's contractual debts and operational obligations. It does not protect them from:

The Volunteer Protection Act and various state-level volunteer protection statutes provide some additional shielding for unpaid volunteer directors — but the protection is partial, narrowly drawn, and routinely disregarded by plaintiff attorneys who name volunteer directors anyway and force the defense to litigate the immunity question. Even when the statute eventually shields the director, the defense costs to get there are not trivial.

D&O insurance fills the gap incorporation does not. Without it, board members are personally exposed.

Incorporation protects you from the nonprofit's debts. It does not protect you from the claims that actually get filed.

EPLI — the 60% of D&O that's really employment

The single biggest shift in nonprofit D&O over the last five years is the rise of employment-related triggers.

About 60% of nonprofit D&O claims in 2026 are employment matters — wrongful termination, discrimination, harassment, retaliation, constructive discharge, ADA violations, FMLA mishandling. The underlying allegation may name the executive director who fired the employee, but the claim usually pulls in the board for failing to supervise, failing to investigate, or failing to set adequate employment policies.

Standard D&O policies often have employment-related claim exclusions that send these matters to a separate EPLI policy. The most common structure for nonprofits is either a combined D&O/EPLI policy form or two stand-alone policies layered together. Either structure works; what matters is verifying that there's no gap between the two coverages where an employment-driven claim could fall through.

The Risk Assessment for any nonprofit should include a read of the personnel manual, the employment policies, the termination protocol, and the documentation standards. The carrier reads these in the renewal questionnaire. The board should know what's in them before signing the renewal.

Sexual abuse and molestation coverage

Sexual abuse and molestation (SAM) coverage is one of the hardest-to-place coverages in the 2026 nonprofit insurance market.

Standard D&O and GL policies typically exclude or sublimit SAM claims. Nonprofits that work with minors, vulnerable adults, students, residential populations, or any group where abuse exposure exists need explicit SAM coverage — either as a separate policy or as a substantial endorsement to the GL form.

The SAM market has tightened severely. Capacity has shrunk, retentions have risen, and carriers are demanding meaningful documentation of:

Nonprofits that cannot document these controls are being declined or sublimited heavily. Nonprofits that can are getting placement but at significantly higher retentions than five years ago. We covered the underlying dynamic in our briefing on "the SAM coverage crisis no one is solving."

Volunteer coverage — narrower than boards think

Most boards assume their volunteers are covered. Most policies cover them less than the board assumes.

Standard nonprofit GL and EPLI forms typically include volunteers as insureds for activities performed on behalf of the organization. The inclusion is real but narrow:

The fix is a volunteer file the broker has read. We covered the underwriting side in "the volunteer file the SAM underwriter is now reading" and the standard coverage gaps in "your volunteers aren't covered the way you think."

Donor data and the new state AG environment

Donor data is now a regulated asset, and the regulatory environment has tightened materially.

State attorneys general — particularly in California, New York, Massachusetts, and Washington — have built nonprofit donor-data compliance into their enforcement priorities. A donor-list breach that would have produced an apology email five years ago now triggers state-level notice obligations, potential fines, and in some states private rights of action by affected donors.

The cyber liability policy is the financial backstop for that exposure. But the cyber policy only works if the nonprofit has the controls the policy assumes — multi-factor authentication on donor database access, a documented incident response plan, vendor management for third-party fundraising platforms, and encryption at rest and in transit. Many nonprofit cyber claims are denied at the controls layer, not the coverage layer. We covered this in "the donor-list breach is now a regulatory event."

Employee dishonesty and embezzlement bonds

The embezzlement statistics in the nonprofit sector are not improving.

About one in three nonprofits will experience an employee dishonesty event in its lifetime. Median losses run $80,000 to $120,000. The events are concentrated in small to mid-size nonprofits where segregation of duties is hardest to enforce — the bookkeeper who reconciles the bank statement is often the same person who writes the checks, signs the checks, and reports to the board on the financials.

An employee dishonesty bond (sometimes called a fidelity bond) covers theft by employees, including the executive director and CFO. Limits and retention should be sized to the organization's annual operating budget and the dollar amounts that pass through accounts a single employee can access. Coverage should explicitly include volunteers who handle funds.

The Risk Assessment for any nonprofit should include a review of the internal controls environment alongside the bond. A bond without controls is more expensive over time than controls with a smaller bond. We covered the pattern in "the embezzlement epidemic hiding in plain sight."

IRS Form 990 and contemporaneous documentation

The IRS Form 990 is a public document, and the carrier reads it.

Question after question on the Form 990 doubles as an underwriting signal: does the organization have a written conflict-of-interest policy, does it have a whistleblower policy, does it have a document retention policy, does it maintain contemporaneous documentation of board and committee meeting minutes. "Contemporaneous" is defined by the IRS as the later of the next meeting or 60 days after the meeting.

A "no" answer on any of these questions is a flag the carrier's coverage counsel reads before the first claim ever lands. The fixes are mostly administrative — adopt the policies, document them, make sure the board reviews them annually. The carriers reward the discipline because it correlates with lower claim frequency. Boards that treat 990 governance questions as an annual chore are leaving rate on the table at every renewal.

Filing the 990 late or failing to file three years in a row triggers automatic revocation of the nonprofit's 501(c)(3) status by the IRS. We covered the timeline in "three years and you're gone."

Board minutes as defense exhibits

The single strongest defense exhibit in a contested nonprofit D&O claim is the board minute that documented the deliberation behind the contested decision.

The defense attorney reads the minutes first. The carrier's coverage counsel reads them. The state AG investigator reads them. The plaintiff's deposition outline is built around them. By the time those four parties have read the minutes, the strength of the defense is mostly decided.

The discipline standard is contemporaneous documentation showing a deliberate process — including any directors who dissented or abstained. The presence of a recorded dissent shows real deliberation; the absence of any dissent on a unanimous-by-default minute is what plaintiffs use to argue rubber-stamp governance.

The board minute that decided the D&O claim was usually written months or years before the claim landed. We covered the pattern in "the board minute that decided the D&O claim."

The defense in an employment-related D&O claim is the file. The exposure is the absence of the file.

Questions every board should ask before signing the next renewal

Whether your broker is PFTN or someone else, these are the questions worth raising at least 90 days before renewal:

  1. Have you produced a written Risk Assessment covering all seven exposures listed above?
  2. What's our Side A limit, and is it adequate to protect personal assets if the organization can't indemnify?
  3. Have you read the personnel manual, the bylaws, and the committee charters?
  4. If we have any abuse exposure, what's the SAM coverage limit and what controls is the carrier requiring?
  5. Is our cyber policy aligned with the controls we actually have, or are there assumed controls we don't meet?
  6. Is the employee dishonesty bond sized to our cash exposure, and does it cover volunteers who handle funds?
  7. How are we answering each governance question on the Form 990, and what does the carrier's coverage counsel see?
  8. What's our retention level, and how does it relate to our financial position?

A broker who can answer all eight cleanly is running a discipline model. One who can't is running a transactional model, and the renewal will reflect that.

Frequently asked questions

What is nonprofit D&O insurance?

Nonprofit directors and officers insurance covers the personal liability of board members, officers, and the nonprofit organization itself for claims arising out of governance decisions, fiduciary duties, employment practices, and certain regulatory matters. It pays defense costs and damages for covered claims that the corporate form does not shield individuals from.

Doesn't incorporation protect nonprofit board members?

Incorporation provides protection from contractual liabilities of the entity, but it does not shield individual directors from personal liability for breaches of fiduciary duty, employment-related claims, regulatory violations, or claims brought by donors, employees, or beneficiaries. D&O insurance fills the gap that incorporation does not.

What is the average cost of a nonprofit D&O claim?

Roughly $35,000 to resolve, with one in ten claims exceeding $100,000. Legal defense costs alone routinely cross $100,000 before any case is resolved on the merits. The 2026 nonprofit D&O environment has seen employment-related claims rise to about 60% of all D&O triggers.

What is EPLI and why does my nonprofit need it?

Employment practices liability insurance covers wrongful termination, discrimination, harassment, retaliation, and related employment claims. About 60% of nonprofit D&O claims are actually employment claims in disguise — meaning the underlying allegation is employment-related even though the claim is brought against the board. Combining D&O with EPLI or an integrated form is the standard structure for nonprofit programs.

Does standard nonprofit D&O cover sexual abuse claims?

Standard D&O policies typically exclude or sublimit sexual abuse and molestation (SAM) claims. Nonprofits that work with minors, vulnerable adults, or any population where abuse exposure exists need explicit SAM coverage — usually as a separate policy or a substantial endorsement. The SAM market has tightened significantly and underwriters are demanding documented background-check policies, two-deep supervision rules, and reporting protocols.

Are volunteers covered under our nonprofit insurance?

It depends on the policy form. Most nonprofit GL and EPLI policies include volunteers as insureds for activities performed on behalf of the organization, but the inclusion is often narrower than boards assume. Volunteers driving on nonprofit business, volunteers handling money or sensitive information, and volunteers working with vulnerable populations may require explicit coverage extensions or separate volunteer-specific policies.

What is the IRS Form 990 contemporaneous documentation requirement?

IRS Form 990 asks whether the organization maintains contemporaneous documentation of board and committee meeting minutes, where "contemporaneous" is defined as the later of the next meeting or 60 days after the meeting. A "no" answer is a flag on the D&O file before the first claim ever lands — both the IRS and the carrier's coverage counsel read this answer.

How do I find a good nonprofit insurance broker?

Look for a broker who understands the seven exposures every nonprofit board now faces — D&O, EPLI, cyber, SAM, employee dishonesty, IRS 990 compliance, and volunteer coverage. The broker should provide a written Risk Assessment that addresses all seven, read the bylaws and committee charters as part of designing the program, and run a year-round calendar with quarterly check-ins on board minutes, employment policies, and donor data handling.
