Cybersecurity: Five Questions Not-For-Profit Boards Should Ask to Minimize Risks

    There are an increasing number of high-profile cybersecurity breaches in the news, and the financial stakes for these breaches continue to grow at an alarming rate. A 2017 study conducted by the Ponemon Institute revealed that the average cost of a data breach to U.S. companies has been more than $6 million over the last four years, and may be on track to approach $8 million.1 The escalating costs of these cybersecurity breaches is devastating for not-for-profit organizations, which continue to be a primary target of hackers because of the treasure trove of personal data and credit card information that they store. One security breach alone could erode donor confidence and compromise future donations.  

    The disconnect between risk identification and risk mitigation

    Despite the financial and reputational implications that cybersecurity risks pose to not-for-profits, these organizations still struggle to move beyond having an awareness of cybersecurity risks to creating an actionable plan designed to mitigate this risk.

    CohnReznick’s 2017 Not-for-Profit Governance and Financial Management Survey revealed that 37 percent of not-for-profit organizations identify cybersecurity as one of the top 3 risks to their organizations which is an increase from 22 percent in 2016. However, only an average of 14 percent of not-for-profit organizations surveyed incorporate cybersecurity into their annual risk assessment process and only 52 percent of respondents reported having a cybersecurity breach response plan. 2  Clearly, a chasm exists between not-for-profit organization’s concerns for, and need for, better cybersecurity. This directly hinders a strategic plan of action for mitigating cybersecurity risk. 

    chart how concerned are you about cybersecurity

    What can a NFP board do to mitigate cybersecurity risks? - Begin by posing five key questions

    To progress beyond merely identifying cybersecurity risks, and begin mitigating risks, not-for profit boards and audit committees can play a pivotal role in helping an organization understand cybersecurity risks, as well as driving the change needed to help effectively protect the organization. This can be accomplished through an open discussion with management and asking the following questions: 

    When did we perform our last cybersecurity assessment, and what did it cover?

    An annual assessment is critical and should align to a recognized framework, such as provided by the National Institute of Standards and Technology (NIST), and the Center for Internet Security (CIS). This is imperative. Not doing so could leave significant gaps in your cybersecurity program. Also, from a legal perspective, you would fare far better during a breach investigation if you could show that an attempt was made to match your security program back to a standard, rather than having an ad-hoc approach.

    Have we identified critical data, and do we know where it resides?

    Asset management is essential, as is understanding all forms of data your organization uses—personally identifiable information (PII), financial information, corporate data, etc. It is not possible to adequately design an effective cyber defense unless you have given this consideration. 

    How would we recognize if a breach occurred?

    Organizations of all sizes struggle with their ability to identify malicious activity on their systems, because they lack the tools and processes to capture and review system logs for anomalous activity that could indicate the presence of a hacker. Organizations should consider deploying Security Information and Event Management (SIEM) technologies, or similar tools that log system information, correlate events, and detect malicious events. Then, processes must be instituted to review the information and take the needed action.

    Have we assessed internal and external vulnerabilities?
    Hackers may probe an organization’s network for weeks or months to understand the network layout and probe for vulnerabilities. If you don’t know where your vulnerabilities are, hackers will. We advise performing regular internal and external assessments to understand how a hacker may circumvent defenses and obtain access to critical data. When conducting this exercise, organizations need to think through various scenarios that could compromise their systems (e.g., denial of service, information disclosure, spoofing identity, etc.) and always remember that oftentimes, humans are the weakest link in the chain.

    Do our security program and policies match our risk profile and tolerance?

    This is arguably the most important question, as it gauges the alignment of an organization’s existing cybersecurity program to those of its stakeholders’ expectations. While your organization may not be able to answer all of the above, by understanding these fundamental cybersecurity issues, boards can help raise their organization’s awareness regarding cybersecurity gaps and help design an appropriate remediation plan.

    Minimum precautions

    At a minimum, organizations should conduct a cybersecurity assessment for their organization and its technology infrastructure to at least minimize the impact of the breach. This includes a crisis management/ communication plan to assure donors and other stakeholders, in the event of a breach, that a comprehensive plan exists and your organization is ready to act upon it. Most importantly, it’s important to realize that cyber-risk is real, and growing. Any not-for-profit organization and its board that does not take cybersecurity seriously may be headed for big trouble.

    About CohnReznick’s cybersecurity services

    CohnReznick provides cybersecurity solutions that are dynamic, scalable, and “right-sized” for our clients. CohnReznick’s security professionals average more than 15 years in the field and hold key certifications. Our professionals have deep experience assisting organizations in implementing and complying with information and cybersecurity requirements using NIST 800-53, ISO 27001, COBIT, CIS, and other industry leading standards and frameworks.

    About CohnReznick’s Not-for-Profit and Education Industry Practice

    CohnReznick has a dedicated Not-for-Profit and Education Industry Practice that works closely with the boards, management, and financial leaders for not-for-profit and educational organizations. Our clients include associations, foundations, educational institutions, not-for-profit affordable housing developers, religious and cultural organizations, and social service and charitable agencies.

    1 Source: Ponemon Institute 2017 Cost of Data Breach Study report 

    2Source: CohnReznick 2017 Not-for-Profit Governance and Financial Management Survey

    Subject matter expertise

    • Bhavesh Vadhani
      Contact Bhavesh Bhavesh+Vadhani
      Bhavesh Vadhani

      CISA, CRISC, CGEIT, PMP, CDPSE, Principal, Global Leader, Cybersecurity, Technology Risk, and Privacy

    • John Alfonso
      Contact John John+Alfonso
      John Alfonso

      CPA, CGMA, Partner - Not-for-Profit & Education Industry Leader

    • Close


      Let’s start a conversation about your company’s strategic goals and vision for the future.

      Please fill all required fields*

      Please verify your information and check to see if all require fields have been filled in.

      Please select job function
      Please select job level
      Please select country
      Please select state
      Please select industry
      Please select topic
    This has been prepared for information purposes and general guidance only and does not constitute legal or professional advice. You should not act upon the information contained in this publication without obtaining specific professional advice. No representation or warranty (express or implied) is made as to the accuracy or completeness of the information contained in this publication, and CohnReznick LLP, its partners, employees and agents accept no liability, and disclaim all responsibility, for the consequences of you or anyone else acting, or refraining to act, in reliance on the information contained in this publication or for any decision based on it.