Cyber criminals have gotten wise to the fact that not-for-profits sit on a relative goldmine of sensitive data, including employee health information, Social Security numbers, donor information, and billing information.

Not-for-profits need to treat their data as if it were that valuable in order to make sure it’s protected. Failing to do so could come with steep consequences. Breached donor information, for example, may damage future fundraising efforts because donors may lose faith in the organization’s ability to protect private information.

Board members play a vital role in their not-for-profit’s risk management strategy, and cybersecurity is no exception. The board can help their organization understand the importance of information security and the severity of problems that could accompany a breach. But board members need to know a few things about the threat from which they are trying to protect their organization.

The Not-for-Profit Data Landscape

First and foremost, not-for-profit boards and audit committees should have an idea of the types of information that could be at risk for cyber criminals and information security breaches. They should be able to answer three basic questions:

  • What data does the not-for-profit store?
  • Where is the data stored?
  • Is the data stored securely?

From there, board members will have a better sense of whether the security measures and protocol in place are sufficient to protect the information in today’s risk environment.

One area board members should be monitoring with particular attention is the use of third-party providers. Not-for-profits may not know where the third party stores the data or what security measures the provider has in place to protect that data. Boards and not-for-profit management teams should work together to understand their service providers’ data security controls and whether those procedures provide the level of security the organization feels is appropriate for its data.

A Not-for-Profit’s Information Technology Vectors and Vulnerabilities

The surface threat for information security continues to increase. Twenty years ago, information security exposures and risks came almost exclusively at the point of internet connection. Today’s environment includes several potential entry points, including:

Boards should work with their not-for-profits to understand how the organization protects those different entry points into its information systems. For example, if employees can use their personal devices to access their email, is the application that they’re using to view their email secure?

The Backbone of the Not-for-Profit’s Information Security Strategy

Another important point board members will want to understand is how not-for-profits architected their information security protocol. Was a standard framework used? There are several that could be useful for a nonprofit or small organization, including the SANS Institute’s CIS 20 Critical Security Controls framework.

If an organization has not used a standard framework and it holds a significant amount of sensitive information, the board may want to recommend an information security assessment. Comparing the organization’s approach to a standard framework could indicate gaps in an organization’s approach where the organization has unaddressed vulnerabilities. Information security assessments can also ensure that cybersecurity strategies are aligned with the highest value information and can provide additional confidence in the organization’s information security and controls over its data.

Details About the Cybersecurity Incident Response Plan

The final point that board members should be aware of is how the not-for-profit reviews controls and communicates potential cybersecurity breaches. Board members should understand:

  • Would the organization be able to detect a breach?
  • How often does management review incidents and breaches?
  • When was the last information security incident?
  • When would the board find out about an information security incident?

Not-for-profit organizations should be able to provide this information not only for their internal information security protocols but also for any of the service providers they use to store or manage their sensitive data. Too often organizations do not have a full grasp on their service providers’ information security incidents, which puts the not-for-profit organization at risk of not meeting its notification obligations. When a breach happens, there are a variety of notification communications that may be required, depending on the state in which you operate and the type of data compromised.

When External Help May Be Needed

A board’s cybersecurity discussion with its not-for-profit organization may indicate that the not-for-profit needs additional support to get its information security protocols up-to-date. An external provider may be able to step in to “right size” an approach to the organization’s needs.

Information security is not a one-size-fits-all model, and a sound strategy will depend on many layers of governance and oversight. For more information, please contact us.

Related Reading


Myth-Busting the Revenue Recognition Standard

Published on September 25, 2019