What should NFP boards know about cybersecurity?


Many board members might be unfamiliar with the technical realm of cybersecurity. Yet, it’s increasingly essential that boards help ensure cybersecurity in their organizations.



“It's important for not-for-profits to truly understand that they are under threat,” said Grant Thornton Risk Advisory Partner Scott Peyton.


“It's not a matter of ‘if,’ it's a matter of ‘when’ you’re going to have a breach,” Peyton said. Many not-for-profits have limited staff, technology and other resources devoted to cybersecurity. They have come to rely on third-party providers for much of their technology and cybersecurity infrastructure.


However, organizations often have personal and financial information from donors, volunteers, alumni and other stakeholders. “That information is very attractive to a threat actor,” Peyton said. “Not-for-profits need to approach cybersecurity with a realization that they absolutely are in the crosshairs of threat actors.”




Manage four responsibilities


Every not-for-profit board member has important knowledge and an essential role in helping the organization mitigate cybersecurity risks.


“Board members understand the mission,” Peyton said. “They understand the risks that could prevent the organization from achieving that mission — and, once they understand cybersecurity, it's just another domain of risk.”


To help mitigate the risks of cybersecurity threats, boards have four responsibilities.




1. Understand cybersecurity’s impact


Board members should be responsible to:

  • View cybersecurity as an enterprise risk issue, not just an IT topic.
  • Understand cybersecurity’s impact on the organization’s operations and regulatory compliance.
  • Understand cybersecurity’s impact on the organization’s brand and reputation.

What information should boards receive? “The true cybersecurity posture that NFP boards need can go far beyond the cybersecurity reporting we see many CIOs and CISOs provide,” Peyton said. “Cybersecurity board reporting can be very high-level — it’s all green lights, all thumbs up — or else, it’s a novel with 400 pages of detail.”


“The board cannot honestly translate these types of cyber reporting into something that's manageable, understandable and relatable,” Peyton said. “As a board member, you need to translate information into organizational risk and business operations. That is the crux.” Most board members won’t have a technical understanding of cybersecurity, but they need to have a common understanding that lets them ask important, high-level questions about risk.


“For instance, what are the risks around a ransomware attack? With ransomware, your organization loses access to your systems and data,” Peyton said. “You don't need to understand technically how a threat actor is able to successfully perpetrate the act but, if it does happen, what's the impact and how does the organization respond?” Boards might not understand the technical details, but they need to understand the high-level issues well enough to evaluate whether strategies are in place to respond.



2. Set expectations for management


Board members should be responsible to:

  • Allocate adequate time for management to discuss cybersecurity issues on a periodic basis.
  • Ensure management has defined clear accountability and responsibility for the cybersecurity program.
  • Ensure sufficient resources are allocated to managing cybersecurity risks.

Any organization has limits on its budget for cybersecurity. “So, the expectation of management is, ‘Do the best you can with the resources you have, and here are the minimum standards that we expect,’” Peyton said.


Board members should expect management to understand the threats and residual risks, creating a cybersecurity program that backs up, protects and monitors the organization’s data. Management needs to form a cybersecurity program that includes strong policies, procedures, awareness and training. These elements need to be well-defined, well-orchestrated and holistic. Your program cannot simply implement a solution and assume that it covers all your risks.


“For a board member, the most valuable thing to understand is the list of operational and reputational risks and the maturity of your risk mitigation in response to these risks,” Peyton said. This understanding can be especially complex for not-for-profits when they rely heavily on third parties, where organizational risk profiles are often different from the corporate world. That’s why it’s important to understand your organization’s unique risk profile, rather than assuming that solution providers can sufficiently mitigate your risks.


Even if your organization relies heavily on cybersecurity solutions, it needs to select, coordinate and configure those solutions to meet its unique needs and threats. Your organization also needs to take advantage of its investment in solutions by ensuring that the right people are monitoring, reporting and acting upon the information.



3. Provide oversight to cybersecurity risk management


Board members should be responsible to:

  • Periodically review management’s assessment of the organization’s cybersecurity risks, along with the risk treatment plan and progress.
  • Monitor the cybersecurity program’s current maturity and target maturity levels, including management’s plans for training staff and conducting simulations or exercises.
  • Periodically review open audit or regulatory compliance issues and related remediation actions.
  • Review management’s actions in addressing third-party or vendor risks.

A cybersecurity program does not run on its own. “To provide oversight from a board perspective, you need to ask questions like, ‘Where do we stand with risk mitigation? What are the risks we're seeing? How does the risk landscape change over time?’” Peyton said.


Your program needs to adapt to changes in the cybersecurity threat landscape and the operating plane. Sometimes, organizational changes or expansions can introduce new risks — including new cybersecurity exposures — that need to be mitigated with the changes. However, new cybersecurity threats often arise from external factors. That’s part of why it’s important to constantly monitor cybersecurity incidents and manage any new issues.



4. Provide oversight to incident management


Board members should be responsible to:

  • Understand management’s crisis preparedness for a cybersecurity breach, including lessons from cybersecurity incidents or from simulation exercises.
  • Evaluate management’s decision in purchasing a specific cyber-insurance policy.
  • Encourage management to establish a relationship with law enforcement.

It’s important to be ready to respond when incidents happen — because they will. That means your program needs to include perimeter defense along with network segmentation that stops intruders from accessing all of your network once they’re inside. Your program also needs to include backup and encryption. Finally, your organization should consider cyber insurance.


“Cyber insurance is getting more expensive, and sometimes it can be outside the reach of not-for-profits, but it needs to be considered,” Peyton said. “I think it's important for every not-for-profit to go through that thought process, because I think you need it unless you absolutely can't afford it.”


Like any insurance policy, cyber insurance comes with conditions. It’s critical to understand that your policy will have minimum actions and requirements your organization must meet in order to file a claim. If someone in your organization — even a third party or a volunteer — fails to protect data and leaves it open to attack, your insurance claim might not be covered. That means management must understand the policy’s coverage limitations and help ensure that the organization always meets the required standards. “You have to hold up your end of the bargain,” Peyton said. “That often gets lost between the legal team that negotiates the contract, the insurance policy and the IT team, particularly over time. A year later, the policy's still there, but you’ve changed cybersecurity vendors or had staff or other changes who may inadvertently drop the ball on the policy requirements.”




Create a structure


To help ensure comprehensive and consistent cybersecurity over time, the board should consider a responsibility structure. Organizations that have a large board might form a subcommittee to provide cybersecurity oversight.



Peyton said that ongoing maintenance of a cybersecurity program at a not-for-profit typically depends on two critical factors: expertise within the organization and effective third-party support. “Somebody within the organization needs to be knowledgeable. That person is generally going to be the one most responsible for understanding the cybersecurity risks and what's in place. Then, not-for-profits might rely heavily on third parties — people that monitor their networks, configure their systems and help in the event of an incident.”


Board members should recognize when there is a heavy reliance on third parties and ask about the data that third parties can access and the process of third-party due diligence. Inquire about service level agreements and whether there are gaps in how third parties are performing versus their agreements. “All of that is going to be very important for the board to probe, prompting management to make sure they've gone through due process with the third parties,” Peyton said.


When your organization has defined the appropriate responsibility structure for its cybersecurity program, the responsible parties can help the board build and maintain its cybersecurity awareness.




Build awareness


Board awareness about cybersecurity can begin with an initial educational session that gives board members a shared understanding of threats, trends and the organization’s cybersecurity program. This initial session should be followed by regular cybersecurity briefings that cover risks and responses.


Sample cybersecurity agenda for a board briefing




Bring it back to risk


“Once the board understands cybersecurity, then it's just one more conversation about risk,” Peyton said. “It’s a matter of asking, ‘How do we guide the organization to be successful in achieving our mission, while allocating financial and human capital to address this risk within our limitations?’”


Boards need to recognize cybersecurity as a risk domain, and know enough to ask the right questions. Management should be able to respond with a cybersecurity program guided by industry frameworks like NIST-CSF or CIS Top 20 Controls, along with leading practices.


As with any risk, mitigation must begin with awareness and understanding. Digital threats continue to grow and evolve. So, not-for-profit boards now need to recognize the realm of cybersecurity and their responsibility to help keep an organization on track to mission achievement.



Dennis J. Morrone

Dennis Morrone is the National Managing Partner of Grant Thornton's Not-for-Profit & Higher Education Practices.

Iselin, New Jersey
