How Much Do Nonprofit Board Members Need to Know About Cybersecurity?
Cybercrime falls under risk management, which is one of many areas that boards are responsible for overseeing. Technology has advanced to such a degree that many boards, especially nonprofit boards, are finding that IT issues are quickly extending beyond their areas of expertise. Having a general knowledge of cybersecurity risks isn’t nearly enough for board directors to implement adequate oversight. The challenges are sure to increase as technology and the risks that accompany it continue to evolve. Board portal management software systems ensure that nonprofit boards’ planning and risk management strategies remain safe from cybercriminals.
Acknowledging Cybersecurity Risks in the Nonprofit Realm
No organization, whether it makes a profit or not, is exempt from the possibility of cyberattacks. Some of the biggest data breaches surfaced in the media in 2013 and 2014. Hackers successfully tapped into the systems of Target and Neiman Marcus stores, as well as the US Office of Personnel Management in 2015. The breaches affected millions of people.
The Identity Theft Resource Center is a nonprofit organization in the United States that keeps track of statistics on cyberattacks. According to their research, fewer than 200 companies reported data breaches, compared with over 1,300 such reports in 2017.
As part of their oversight duties, boards should be aware of what cybercriminals are looking for. Hackers aim to steal money and data. In pursuit of their crimes, they can also disrupt businesses, injure key managers or board members, and destroy a company’s reputation.
Boards also need to be aware of risks and potential loss caused by regulatory investigations, loss of intellectual property and other types of financial risks.
Accountability in the Boardroom for Cybersecurity Risks
Board directors and managers share responsibility for managing cybersecurity risks. Boards bear the ultimate accountability for data breaches or other cybersecurity risks. The board’s role is to ensure that the senior managers are taking steps to identify and mitigate risks and support their efforts.
How nonprofit boards approach risk depends on many factors. The type of industry and the organization’s tolerance for risk are two of the main factors.
In many nonprofits, the board as a whole takes responsibility for overseeing cybersecurity issues. When the board’s duties prove too much to handle this issue effectively, boards may delegate oversight to a board committee, such as an audit committee or risk management committee. It’s important for boards to recognize that members of the audit committee may also be out of their league in adequately understanding cybersecurity issues. Audit committee members may lack expertise on cybersecurity and its current trends.
Not having proper expertise on the board doesn’t relieve the board’s responsibility for overseeing cybersecurity matters. Boards need to act beyond merely placing the topic of cybersecurity on their agendas. They need to know the risks exist, have a plan for managing them and be able to respond in the event of an unanticipated data breach.
Board Member Cybersecurity Expertise: How Much Is Enough?
The CEOs or senior managers of nonprofits are essentially the front-line risk managers for the organization. As risk managers, management and other staff need to practice enterprise-wide risk management.
Part of the management’s and the staff’s responsibility is to communicate and inform the board about the initiatives they took to protect the organization against cybercrime. In turn, boards must respond to management and staff by ensuring that they have the tools to do their jobs. Boards must allocate funds adequately in the budget and ensure that managers have the proper amount and caliber of staff to protect the company.
Boards should expect, and insist on, getting quarterly briefings from management on cybersecurity issues. In addition, boards need to ask questions and to inquire about progress. These discussions should prompt board directors to do their own research and learn more about cybersecurity trends, which they can utilize in changing priorities as technology advances and needs change.
The potential for cybersecurity risk and the dollar value of losses may motivate boards to appoint an IT expert to help reduce their risks. Adding IT staff can prove to be too costly for some boards. Nonprofits that have high risks for cyberattacks, such as financial companies, health companies and companies that do large amounts of business online, may need to hire additional IT staff.
For smaller nonprofits that lack the budget to employ IT or cybersecurity departments, boards may enlist the help of a cybersecurity expert by appointing someone to their board. They may also find some assistance for cybersecurity management by seeking out third-party advisers, such as attorneys or other experts from audit or communications firms.
Boards must be keenly aware that while they can certainly delegate the task of managing risks, they are the front-line people for overseeing all types of risks and will be held accountable in the event of a crisis.
Understanding Cyber Risks
Board oversight of cyber risks requires them to understand the legal risks stemming from federal, state and local governments. Nonprofits need to prepare a response plan that complies to applicable laws.
As part of a cybersecurity response plan, boards must work with managers to identify and prioritize their assets. The next step is to plan to avoid or mitigate risks. Boards may be able to mitigate some risks by purchasing insurance policies to cover them, but they also need to be aware that not all risks are insurable.
Some risks bring nonprofits opportunities. Boards will need to weigh the opportunities against any associated risks as part of their strategic planning process. Boards’ oversight must extend to risks that third parties present, as well as emerging risks.
Cybersecurity Plans for Nonprofits
BoardEffect’s board portal is a viable tool for documenting boards’ plans for mitigating risks. The portal stores the board’s agendas and meeting minutes, as well as other pertinent documents that could prove that the board performed due diligence in their oversight duties of cybersecurity matters.
A board portal is also a good place for the board to store their crisis plan. Board members will be able to access it through the portal at any time of day or night in the event that they need to plan to respond quickly. Boards should have detailed written response plans in the event of a data breach in which they prioritize the appropriate times to notify customers, report the incident to law enforcement and make a public announcement.
Cyber risk is omnipresent, and that isn’t going to change any time in the near future. Boards practice appropriate oversight by being vigilant and keeping IT security first in every decision they make. Boards must take ownership of cyber risks at the top and ensure that risk management becomes part of the corporate culture. Data breaches can and do happen. What matters most is how board members respond to them.