Nonprofits and Cybersecurity: Understanding and Managing the Risks of Cyber Threats
With cybercrime striking everywhere from government agencies to Major League Baseball, each new hack is making headlines, launching inquiries, and triggering lawsuits. Although most of the focus has been on private sector companies and governmental agencies, nonprofit organizations are not exempt (no pun intended) from cyber threats or their consequences. And sadly, it’s only getting worse.
As far back as 2007, donor information was compromised when hackers breached the security systems at Convio Inc., accessing information for nearly 100 charitable organizations. Last year, Goodwill Industries disclosed that its payment processor was victimized by the same type of malware that struck Target Corp. and, in early 2015, the Urban Institute suffered an attack that compromised the data of hundreds of thousands of nonprofits that used the Urban Institute’s system to file their Form 990. Even JP Morgan Chase’s affiliated charity, the Chase Corporate Challenge, has suffered a cyberattack.
Why are hackers so interested in nonprofits? It’s simple. Like their for-profit counterparts, nonprofits collect and maintain confidential and/or sensitive information such as donor data (including addresses, credit card information, and other personal identifying details), personal information about program participants or recipients of assistance, non-public grantee information, protected educational or medical data, and employee records. Nonprofit data can also be jeopardized by a third-party vendor with inadequate data security – a donation processing service, IT consultants, payroll services, data storage providers, and outside professionals.
The potential consequences of a cyberattack are significant – reputational damage and litigation, and possibly regulatory inquiries. And, as the incidence of cyberattacks continues to increase, it is critical for nonprofit organizations and their fiduciaries to focus on cybersecurity risk management.
The starting point for this process should be developing, implementing, and monitoring a cybersecurity program with Board oversight and engagement. While the specifics will vary for each organization, the program should generally include:
- identification and review of the types of sensitive information held by the organization;
- development of appropriate policies for securing the organization’s sensitive information, including record retention policies and policies for reporting privacy incidents or complaints;
- training for staff and volunteers, if applicable;
- assessment and evaluation of the risk of cyber threats (including review of third-party vendors);
- establishment of a process for identifying breaches; and
- consideration of purchasing an insurance policy to cover cyber risks.
It is also critical to develop a plan for responding to a cyberattack or data breach before it happens. This plan should lay out the organization’s protocols for investigating and confirming the breach or attack (including the retention of counsel to protect the attorney-client privilege and work product doctrine), identifying the information obtained or released (and the method used or weakness exploited), securing the organization’s network systems and data, and initiating crisis management and communications.
Whether your organization is looking to put together a cybersecurity program or undertaking a review of an existing program, it is important to remember that there is no one-size-fits-all approach to cybersecurity – the most effective program is one that is tailored to the specific needs, circumstances, and culture of your organization.