Once Again! Do Nonprofit Directors Face Cyber Security Risks?
By: Eugene Fram Free Digital Photo
Viewer Favorite: Updated & Expanded
The cyber security (CS) debacles faced by Target, Sony Pictures and others may seem far afield from the concerns of nonprofit directors, except for the giants in the area, like AARP. However, think about this hypothetical scenario.
A group of high school students hacked into the computer system of a local nonprofit offering mental health services and gain access to records of clients, perhaps even placing some of the records of other teenagers on the internet.
What due care obligations did the board need to forestall the above situation? A move to recruit directors with special expertise in information technology or cyber security would be nonproductive. A nonprofit director has broader responsibilities such as the overview of management, approval of budgets, fostering management and staff growth etc. Similarly, when social media became a prominent issue a few years ago, boards debated the advisability of seeking directors with that specific kind of background. Today, a consultant with management experience in the area is likely needed to provide guidance to directors on these social media issues.
Following are suggestions on how nonprofit boards might ask questions to “expand the nonprofit’s most successful technology initiatives and (assess) when to pull the plug on lagging ones. (According to McKinsey & Company,) board directors are more likely to gain (digital) fluency if they routinely ask these five critical questions (related) to the IT organization’s performance.” *
- How well does technology enable (the nonprofit) to meet its core mission?
- What value is the (nonprofit) getting from it most important IT projects?
- How long does it take IT to develop and deploy new features and functionality?
- How efficient is IT at rolling out technologies and achieving desired outcomes?
- How strong is our supply of next generation IT talent, (should one or two key people leave)?
In addition, following are what experts advise to prevent the hacking type of debacle mentioned above:
- Carefully “wall off” all confidential information — Have management be certain that private information such as health records, are encrypted and separated from operating data that may be considered public in a nonprofit environment
- Review D&O and other liability policies — Determine whether or not the D&O policy protects directors and managers from CS intrusions. (It likely does not, but I understand that some carriers may offer some protection along with smaller policies.) It is clear that most general liability policies do not protect the organization against CS.
- Board Encouragement — Devote some meeting time, perhaps 10 minutes, to a discussion of the CS topics so that management and staff are aware of the board’s concerns on the subject and will take action when necessary. Appropriate due care actions like frequent password changes should become routine.
- Can third party payer help? — Many nonprofits deal with third party payers with sophisticated CS systems and may offer the nonprofit some advice or assistance.
- Education and training of employers — Many CS crimes have been successful because employees have violated or forget to effectively protect their working accounts and information. Proper education and training can help reduce these types of lapses.
- Finance & Audit Committees — Current data indicate that only 24% of nonprofits have a standalone audit committee and 47 percent have a combined finance/audit committee. ** In my opinion, neither of these committees have time or expertise to help the nonprofit board stay on message in regard to CS problems. Perhaps nonprofits need to review the responsibilities of these two committees?
If a nonprofit, like the one described, is attacked, not only will records be compromised, but also the reputation of the agency will be destroyed, probably along with the nonprofit organization itself. Sony and Target may be able to survive such an attack, but the typical nonprofit may not.
*Aditya Pande & Christoph Schrey (2016) Five questions boards should ask about IT in a digital world, McKinsey & Company, July.
**BoardSource (2015) “Leading With Intent: A national Index of Nonprofit Board Practices,” January.