Identifying the risks and learning how to avoid them

The Cyber Security Breaches Survey 2023 found that around a quarter of charities had reported being a victim of a cyber breach or attack in the preceding 12 months. Different charities will of course have different levels of cyber use and risk depending on the activities they are carrying out, but almost all use emails, databases or online drives to some extent. More and more activities and services are being offered digitally, including fundraising, which makes the topic of cyber security more important than ever before.

What are the risks of a cyber security breach?

  1. Fraud: either directly against the charity (someone holding themselves out as an individual or organisation the charity deals regularly with) or the fraudsters holding themselves out as the charity to donors or beneficiaries, which may lead to financial loss for either the charity, donors or beneficiaries;
  2. Loss of personal or financial data: where personal data has been lost, a charity needs to consider whether that leads to a risk of harm for those individuals. The severity of this risk may depend on the nature of a charity's activities and its beneficiaries;
  3. Reputational and relational risk: a cyber breach can impact relationships with beneficiaries, employees and partner organisations or funders, who may feel less confident in the charity, particularly if there is significant media attention;
  4. Use of resources: dealing with a cyber security breach draws resources (time, staff and money) away from charitable activities whilst the breach and its consequences are being resolved.

Notifying the regulators

Information Commissioner's Office

There is a legal obligation to report personal data breaches without undue delay and, at the latest, within 72 hours of discovering the breach (the 72 hours run from discovery, not from when the breach actually happened).

The ICO wants to know:

  • what has happened;
  • when and how you found out about the breach;
  • the people that have been or may be affected by the breach;
  • what you are doing as a result of the breach; and
  • who they should contact if they need more information, and anyone else who has already been notified.[1]

It can be helpful to put together a timeline to keep things clear and establish all of the facts; having that information to hand will help your organisation work through the reporting form.

Charity Commission

A charity which has experienced a cyber security breach is obliged to report the matter to the Charity Commission. The making of a serious incident report should be seen as indicative of good governance and controls within the charity – demonstrating that the issue has been identified quickly and that the charity is taking steps to mitigate any risk.

Events which are likely to be reportable to the Charity Commission:

  • Any actual or alleged fraud or money laundering;
  • A bogus fundraising scheme is being promoted online, using the charity's name;
  • Charity funds are lost due to an online or telephone phishing scam where trustees or employees were conned into giving out bank details;
  • Actual or alleged cyber crime which either a) gets past the network security systems or b) is caught by the network security systems but appears 'unusual' in nature and you consider it needs bringing to the attention of the Charity Commission;
  • If there is a risk of harm to staff, beneficiaries or others connected to the charity as a result of any breach.

In addition, if an incident of any nature is reported to any other regulator, the Charity Commission will expect to be notified of the incident and that report, though they may not take the lead from a regulatory perspective.

If you consider that there is some element of fraud or criminal activity, the police and/or Action Fraud may need to be notified.

Protecting your charity and minimising the risks

There are a number of steps which charities can take to ensure good governance and mitigate the possible risk of a cyber security attack:

  • Policies and procedures: keeping your policies on remote working (whether for back office staff or staff delivering services in the community), use of devices and social media up to date and appropriate for your organisation gives you a useful tool for educating staff and volunteers;
  • Risk register: the risk register should be reviewed by trustees on a regular basis, to take account of new and emerging risks, to evaluate the level of risk and to assess steps which can be taken to mitigate risk;
  • Insurance: it is worth checking your organisation's insurance policies to see whether or to what extent you are covered for breach recovery and response, and what other assistance they might be able to provide in the event you need it;
  • Third party contracts: data loss can occur through a cyber security breach at a third party organisation which processes data on behalf of a charity. When contracting with a new organisation or reviewing existing relationships, consider what cyber security and data protection obligations they have in place themselves – and whether or not you are sufficiently comfortable with the safeguards they have in place.

Useful resources

Information Commissioner's Office

Charity Commission

Action Fraud

National Cyber Security Centre

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.