Cybersecurity is a governance issue, not just an IT problem
There was a time when cybersecurity was firmly in the domain of IT departments. Board members could reasonably claim it was a technical matter best left to technical staff. That time has passed.
In 2026, cybersecurity is a governance issue that sits squarely within the board's fiduciary responsibilities. The frequency, sophistication, and financial impact of cyberattacks have reached a point where board-level oversight is not just advisable -- it is expected by regulators, insurers, donors, and the public.
Nonprofit organizations are not exempt from this reality. In fact, they are often more vulnerable than their for-profit counterparts. Nonprofits frequently operate with smaller IT budgets, less technical staff, and legacy systems that are harder to secure. At the same time, they hold sensitive data -- donor information, beneficiary records, financial data, and employee details -- that makes them attractive targets.
This article provides board members with a practical framework for understanding their cybersecurity governance responsibilities, the questions they should be asking, and the governance structures that support effective cyber risk oversight.
For a broader look at governance trends, see our article on the future of board governance.
The nonprofit cyber threat landscape
Why nonprofits are targets
There is a persistent misconception that cybercriminals only target large corporations with deep pockets. The reality is quite different. Cybercriminals are opportunistic, and they often prefer targets with weaker defenses over those with higher-value assets. Nonprofits frequently fit this profile.
Several factors make nonprofits attractive targets. They often maintain databases of donor financial information, including credit card numbers and bank details for recurring gifts. They may hold sensitive beneficiary data, particularly organizations working in health, social services, or child welfare. Staff may use personal devices for work purposes without adequate security protocols. And the organization may rely on volunteers who access systems without formal security training.
The types of attacks nonprofits face include phishing schemes targeting staff and board members, ransomware attacks that encrypt organizational data and demand payment for its release, business email compromise (BEC) attacks that impersonate executives to authorize fraudulent wire transfers, and data breaches that expose sensitive constituent information.
The cost of a cyber incident
The financial cost of a cyber incident extends well beyond the immediate response. Organizations that experience a breach face expenses that may include forensic investigation, legal counsel, regulatory notification requirements, credit monitoring for affected individuals, system remediation, and increased insurance premiums.
But the financial costs, significant as they are, may be secondary to the reputational damage. For nonprofits that depend on public trust, a data breach affecting donors or beneficiaries can undermine confidence in ways that take years to rebuild. Donors whose financial information is compromised may never give again. Beneficiaries whose personal data is exposed may lose faith in the organization's ability to protect them.
The governance failure in a cyber incident is often not the breach itself -- breaches can happen to any organization despite reasonable precautions -- but the failure to have adequate prevention, detection, and response capabilities in place. This is where board oversight becomes critical.
The board's cybersecurity governance role
Fiduciary duty and cyber risk
The three fiduciary duties -- care, loyalty, and obedience -- all have cybersecurity dimensions. The duty of care requires board members to exercise reasonable diligence in overseeing the organization's operations, which in 2026 unambiguously includes cyber risk management. The duty of loyalty requires directors to act in the organization's best interests, which includes protecting its data assets and the privacy of its constituents. The duty of obedience requires compliance with applicable laws, which increasingly include data protection regulations.
Board members who fail to provide adequate cybersecurity oversight may face personal liability in the event of a significant breach. Directors and officers (D&O) insurance provides some protection, but the legal protections directors rely on, such as the business judgment rule, assume that they acted in good faith and with reasonable diligence, which is difficult to demonstrate if cybersecurity has never appeared on a board agenda.
For more on fiduciary duties, see our complete guide to nonprofit board governance.
What cybersecurity governance looks like in practice
Cybersecurity governance does not require board members to understand the technical details of encryption algorithms or firewall configurations. It requires them to exercise oversight -- to ensure that competent people are managing cyber risk, that adequate resources are allocated, that appropriate policies are in place, and that the board receives regular reporting on the organization's security posture.
In practical terms, board-level cybersecurity governance involves:
Regular reporting. The board should receive periodic reports on the organization's cybersecurity status. These reports should be written for a non-technical audience and should cover the current threat landscape, the organization's security investments and capabilities, any incidents or near-misses that occurred since the last report, and the status of planned security improvements.
Policy oversight. The board should ensure that the organization has adopted and maintained essential cybersecurity policies, including an information security policy, an acceptable use policy, an incident response plan, a data retention and disposal policy, and a business continuity plan.
Risk assessment. The board should ensure that the organization conducts periodic cybersecurity risk assessments and that the results are reported to the board along with management's plan for addressing identified vulnerabilities.
Budget review. The board should evaluate whether the organization is investing adequately in cybersecurity relative to its risk profile. This includes technology investments, staffing, training, insurance, and third-party security services.
Incident response readiness. The board should understand the organization's incident response plan and its own role in that plan. Some incidents -- particularly those involving significant data breaches or regulatory notifications -- will require board involvement.
Essential cybersecurity questions for board members
Questions about organizational readiness
Board members do not need to be cybersecurity experts to provide effective oversight. They do need to ask the right questions. Here are essential questions that every board member should be prepared to raise.
What are our most critical data assets, and how are they protected? Understanding what data the organization holds, where it is stored, who has access to it, and what safeguards are in place is the foundation of cyber risk governance.
When was our last security risk assessment, and what did it find? Regular risk assessments identify vulnerabilities before attackers exploit them. The board should know when the last assessment was conducted, what gaps were identified, and what actions have been taken to address them.
Do we have a documented incident response plan, and has it been tested? Having a plan on paper is not enough. The plan should be tested through tabletop exercises or simulations at least annually, and the results should inform plan updates.
What cybersecurity training do our staff and volunteers receive? Phishing and other social engineering, which target people rather than software, remain among the most common entry points for cyberattacks. Phishing awareness training, password management education, and clear procedures for reporting suspicious activity (without blaming the person who reports it, since a late report is far more costly than a false alarm) are essential.
Are we compliant with applicable data protection regulations? Depending on the organization's jurisdiction and operations, this may include data privacy laws, sector-specific requirements for health or financial data, and donor data protection obligations.
What is our cyber insurance coverage, and does it match our risk profile? Cyber insurance policies vary significantly in their coverage. The board should understand what is covered, what is excluded, and whether the coverage limits are adequate.
Questions about third-party risk
Many nonprofits rely on third-party technology providers for critical functions -- donor management, email, cloud storage, payment processing, and program delivery platforms. Each third-party relationship introduces cybersecurity risk.
What due diligence do we conduct on technology vendors' security practices? The board should ensure that vendor selection processes include security assessment and that contracts include appropriate security requirements and liability provisions.
How do we manage access for volunteers, contractors, and partners? External parties who access organizational systems need appropriate security controls: access rights limited to what the role actually requires, multi-factor authentication, accounts with a recorded end date, periodic review of who still has access and whether they still need it, and offboarding procedures that actually remove access when their involvement ends.
What happens to our data if a key vendor experiences a breach? Understanding the downstream implications of a vendor breach is essential. This includes knowing what data the vendor holds, where it is stored, and what notification obligations exist.
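The access questions above can be turned into a repeatable review that management runs against the user directory before each board report, rather than answered from memory. The following is an added example, not code from the original article or from nfphub: it assumes a hypothetical exported account list with the fields shown (username, account type, roles, MFA status, last login, engagement end date) and uses constructed sample records, flagging external accounts that have no MFA, have outlived their engagement, hold a privileged role, have no recorded end date, or have gone dormant.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional, Set, Tuple

# Roles that grant access to money or sensitive data. Hypothetical names;
# replace with the organization's own role names.
PRIVILEGED_ROLES = {"admin", "finance", "donor_db_admin"}


@dataclass
class Account:
    """One row of a hypothetical directory export (assumed format)."""
    username: str
    kind: str                        # "staff", "volunteer", "contractor" or "partner"
    roles: Set[str]
    mfa_enabled: bool
    last_login: Optional[date]       # None if the account has never been used
    engagement_end: Optional[date]   # None means open-ended (normal for staff, a gap for externals)


def review_access(accounts: List[Account], today: date, dormant_days: int = 90) -> List[Tuple[str, str]]:
    """Return (username, finding) pairs for every account that needs action."""
    findings = []
    for a in accounts:
        external = a.kind != "staff"
        if not a.mfa_enabled:
            findings.append((a.username, "mfa_missing"))
        # An account whose engagement has ended but is still enabled is an offboarding failure.
        if a.engagement_end is not None and a.engagement_end < today:
            findings.append((a.username, "engagement_ended_still_active"))
        # External accounts should always carry an end date so they expire by default.
        if external and a.engagement_end is None:
            findings.append((a.username, "external_no_end_date"))
        # Volunteers, contractors and partners should not hold privileged roles.
        if external and (a.roles & PRIVILEGED_ROLES):
            findings.append((a.username, "external_privileged_role"))
        # Never-used or long-unused accounts are attack surface with no business value.
        if a.last_login is None or (today - a.last_login) > timedelta(days=dormant_days):
            findings.append((a.username, "dormant"))
    return findings


def summarize(accounts: List[Account], findings: List[Tuple[str, str]]) -> dict:
    """Board-level figures: total and external accounts, MFA coverage, accounts needing action."""
    external = [a for a in accounts if a.kind != "staff"]
    with_mfa = sum(1 for a in accounts if a.mfa_enabled)
    flagged = {username for username, _ in findings}
    return {
        "accounts": len(accounts),
        "external_accounts": len(external),
        "mfa_coverage_pct": round(100 * with_mfa / len(accounts)) if accounts else 0,
        "accounts_needing_action": len(flagged),
    }


# Constructed sample data for the example; not real accounts.
TODAY = date(2026, 3, 1)
SAMPLE_ACCOUNTS = [
    Account("a.staff", "staff", {"finance"}, True, date(2026, 2, 27), None),
    # Volunteer whose engagement ended last November but whose account was never disabled.
    Account("v.gala", "volunteer", {"events"}, True, date(2025, 10, 15), date(2025, 11, 30)),
    # Contractor with an admin role and no MFA.
    Account("c.webdev", "contractor", {"admin"}, False, date(2026, 2, 20), date(2026, 6, 30)),
    # Partner account that has never been used and has no end date.
    Account("p.partner", "partner", {"reports"}, True, None, None),
]

if __name__ == "__main__":
    results = review_access(SAMPLE_ACCOUNTS, TODAY)
    for username, finding in results:
        print(f"{username}: {finding}")
    print(summarize(SAMPLE_ACCOUNTS, results))
```

The findings list is what IT acts on; the summary is what goes into the board pack, where a falling "accounts needing action" count and a rising MFA coverage percentage are more useful to directors than a narrative assurance that access is "managed".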
Building a cybersecurity governance framework
Establishing board-level oversight structures
The board should designate responsibility for cybersecurity oversight. For larger boards, this might involve a technology committee, a risk committee, or an audit committee with cybersecurity in its charter. For smaller boards, it might mean a designated director with technology expertise who provides periodic briefings to the full board.
Whatever the structure, the key principle is that cybersecurity oversight should be explicit, documented, and regular. Ad hoc attention driven by headlines or incidents is insufficient.
Developing a cybersecurity governance calendar
Effective cybersecurity governance follows a predictable rhythm. Consider establishing a governance calendar that includes:
- Quarterly cybersecurity status reports to the board or relevant committee
- Annual cybersecurity risk assessment with board review
- Annual review of cybersecurity policies
- Annual tabletop exercise or incident response simulation
- Annual review of cyber insurance coverage
- Periodic cybersecurity education for board members
Embedding these activities into the board meeting agenda cycle ensures they receive consistent attention. Using a board management platform like nfphub helps track these recurring items and ensures supporting documents are included in board packs.
Creating effective cybersecurity reporting for the board
One of the biggest barriers to effective cybersecurity governance is poor communication between technical staff and the board. IT professionals may report in jargon-heavy language that directors do not understand, or they may present data without context that enables governance decisions.
Effective cybersecurity board reporting should include:
- A brief summary of the current threat landscape and any recent developments relevant to the organization's sector
- Key metrics such as the number of security incidents, phishing test results, and patch compliance rates
- The status of planned security improvements and any budget implications
- Specific items requiring board discussion or decision
Reports should be included in board packs with sufficient lead time for directors to review before the meeting. Complex technical concepts should be explained in plain language, with a glossary provided if needed. Our board governance glossary includes key technology and cybersecurity terms.
Cybersecurity policies every nonprofit board should adopt
Information security policy
The information security policy is the foundational document that establishes the organization's approach to protecting information assets. It should define the scope of the organization's security program, assign roles and responsibilities, establish security standards and guidelines, and set expectations for staff and volunteer conduct.
The board should review and approve this policy, ensure it is updated regularly, and monitor compliance through regular reporting.
Incident response plan
The incident response plan defines how the organization will detect, respond to, contain, and recover from a cybersecurity incident. It should include clear escalation procedures, role assignments, communication protocols for internal and external stakeholders (including an out-of-band channel such as phone or a separate messaging service, because in a business email compromise the organization's own email cannot be trusted), and regulatory notification requirements together with the deadlines that apply to them.
The plan should identify specific scenarios -- ransomware, data breach, business email compromise -- and provide tailored response procedures for each. It should also define the board's role in incident response, which typically includes authorizing significant expenditures, approving external communications, and providing oversight of the recovery process.
Data protection and privacy policy
This policy defines how the organization collects, uses, stores, shares, and disposes of personal data. It should align with applicable data protection regulations and reflect the organization's values around privacy and stewardship.
For nonprofits that hold donor financial data, beneficiary health or social services data, or other sensitive personal information, this policy is particularly critical. The board should ensure it is comprehensive, compliant with applicable law, and communicated clearly to staff and constituents.
Acceptable use policy
The acceptable use policy defines how staff and volunteers may use organizational technology resources, including computers, mobile devices, email, internet access, and cloud services. It should address password requirements, prohibited activities, personal use of organizational equipment, and procedures for reporting security concerns.
Business continuity and disaster recovery plan
While not exclusively a cybersecurity document, the business continuity plan must address cyber scenarios such as ransomware attacks that render systems inoperable. The plan should define how the organization will maintain critical operations during a cyber incident and how it will recover data and restore systems afterward. Because ransomware operators routinely seek out and encrypt or delete backups before triggering the attack, the plan should require backups that are kept offline or otherwise isolated from production credentials, and restores should be tested periodically rather than assumed to work.
Building a security-aware culture
Staff training and awareness
Technology controls are necessary but insufficient. The most sophisticated security infrastructure can be undermined by a single staff member clicking a malicious link or sharing credentials with a convincing impersonator.
Board governance of cybersecurity should include oversight of the organization's security awareness program. This program should include regular training for all staff and volunteers on recognizing phishing attempts and social engineering tactics, proper handling of sensitive data, password management and multi-factor authentication, procedures for reporting security incidents or suspicious activity, and safe practices for remote work and personal device use.
The board should receive periodic reports on training completion rates and phishing simulation results to gauge the organization's security culture.
Board member security practices
Board members themselves are potential targets for cyberattacks, particularly because they often have access to sensitive board materials, financial information, and strategic plans. Attackers may impersonate board members to request fraudulent transfers or access confidential information.
Board members should practice good security hygiene, including using strong, unique passwords for board-related accounts, enabling multi-factor authentication (preferably a phishing-resistant method such as a hardware security key or passkey, since one-time codes sent by text or app can be relayed through a convincing phishing page), accessing board materials only through secure platforms rather than personal email, and reporting any suspicious communications that appear to come from other board members or organizational leadership, particularly requests for urgent payments or gift cards.
Using a secure board management platform like nfphub for all board communications and document sharing reduces the risk of board-level security incidents compared to relying on email attachments and personal cloud storage, which leave copies of sensitive documents scattered across inboxes and devices that the organization cannot monitor or revoke access to.
Cyber insurance considerations
Understanding coverage
Cyber insurance has become an essential risk management tool for organizations of all sizes. Policies typically cover costs associated with data breach response, including forensic investigation, legal counsel, regulatory notifications, and credit monitoring for affected individuals. Some policies also cover business interruption losses, ransomware payments, and liability for third-party claims.
However, policies vary significantly in their terms, conditions, and exclusions. The board should ensure that the organization's cyber insurance coverage is adequate for its risk profile and that coverage limits reflect the potential costs of a significant incident.
Governance requirements for insurance
Many cyber insurance providers now require evidence of specific security practices as conditions of coverage. These may include multi-factor authentication, regular security assessments, employee training programs, documented incident response plans, and, increasingly, endpoint detection and response tooling and backups that are kept separate from production systems.
The board should understand these requirements and ensure the organization maintains compliance, since failure to meet policy conditions could result in denied claims at the worst possible time.
Responding to a cyber incident
The board's role during an incident
When a significant cyber incident occurs, the board has a critical governance role. This typically includes:
- Authorizing expenditure for incident response activities, including forensic investigation and legal counsel
- Overseeing external communications, including notifications to regulators, donors, and affected individuals
- Providing strategic guidance on decisions such as whether to pay a ransom demand, taking legal advice first: paying a sanctioned party can itself be unlawful, and payment guarantees neither that data is recovered nor that stolen copies are deleted
- Monitoring the recovery process and ensuring lessons learned are captured
- Evaluating whether management's response was adequate and what governance improvements are needed
The board should have a clear understanding of its incident response role before an incident occurs. Discovering roles and responsibilities during a crisis is a governance failure.
Post-incident governance
After a cyber incident has been resolved, the board should conduct a thorough post-incident review. This review should examine what happened, how it happened, whether existing controls were adequate, how the response was managed, and what changes are needed to prevent recurrence.
The review should inform updates to security policies, the incident response plan, and the organization's risk register. It should also inform the board's assessment of whether current cybersecurity investments are adequate.
Documenting the board's oversight of incident response and post-incident improvement is important for demonstrating governance diligence. Maintaining clear records in meeting minutes creates an audit trail that protects the organization and its directors.
Getting started: a board member's cybersecurity checklist
For board members looking to improve their cybersecurity governance, here is a practical starting checklist.
Ensure cybersecurity is on the board agenda. If it is not currently a regular agenda item, work with the chair to add it. Use nfphub's agenda builder to create a recurring cybersecurity update slot.
Request a cybersecurity briefing. Ask management or the organization's IT provider to present an overview of the current security posture, recent incidents, and planned improvements. Ensure the briefing is accessible to non-technical directors.
Review existing policies. Confirm that the organization has the essential cybersecurity policies described in this article and that they are current. If policies are missing or outdated, flag this as a governance priority.
Assess incident response readiness. Ask when the incident response plan was last tested and request that a tabletop exercise be scheduled.
Evaluate cyber insurance. Review the organization's cyber insurance policy to understand coverage, exclusions, and compliance requirements.
Invest in training. Advocate for regular cybersecurity training for all staff, volunteers, and board members.
Adopt secure governance tools. Move board communications and document sharing to a secure platform designed for governance. Platforms like nfphub provide encrypted document storage, secure access controls, and audit trails that support both cybersecurity and governance best practices.
Cybersecurity governance is not about eliminating risk -- that is impossible. It is about ensuring that the board is exercising reasonable oversight, the organization is investing appropriately in prevention and preparedness, and the governance structures are in place to respond effectively when incidents occur. Boards that take this responsibility seriously protect not just their organization's data but its mission, its reputation, and the trust of the people it serves.
