Do Nonprofit Board Members Face Cyber Security Risk?

By: Eugene Fram

Cyber security may seem far afield from the concerns of nonprofit directors, except for the giants in the area, like AARP. However, think about this hypothetical scenario.

A group of high school students hacks into the computer system of a local nonprofit offering mental health services and gains access to records of clients, perhaps even placing some of the records of other teenagers on the internet.

What due care obligations did the board members have to forestall the above situation? A move to recruit board members with special expertise in information technology or cyber security would be nonproductive. Nonprofit board members have broader responsibilities, such as oversight of management, approval of budgets, fostering management and staff growth, etc. Similarly, when social media became a prominent issue a few years ago, boards debated the advisability of seeking directors with that specific kind of background. Today, a consultant working with management is more likely to provide guidance to directors on these issues.

After listening to a group of cyber security experts discuss for-profit challenges in this area, I have the following suggestions on how nonprofit boards might respond to similar types of challenges.

1. Carefully “wall off” all confidential information – Have management be certain that private information, such as health records, is encrypted and separated from operating data that may be considered public in a nonprofit environment.
2. Review Directors & Officers (D&O) and other liability policies – Determine whether or not the D&O policy adequately protects board members and managers from cyber security (CS) intrusions. (It likely does not, but I understand that some carriers may offer some protection along with smaller policies.) Most general liability policies do not protect the organization against CS incidents.
3. Board encouragement – Devote some meeting time, perhaps 10 minutes, to a discussion of CS topics so that management and staff are aware of the board’s concerns on the subject and will take action when necessary. Appropriate due care actions, like frequent password changes, should become routine. Some checklists are available online, suggesting questions directors might pose to raise awareness on the topic and avoid potential CS breaches.*
4. Can third party payers help? – Many nonprofits deal with third party payers with sophisticated CS systems who may offer the nonprofit some advice or assistance.
5. Education and training of employees – Many CS crimes have succeeded because employees have violated, or forgotten to follow, the practices that protect their working accounts and information. Proper education and training can help reduce these types of lapses.
6. Finance & Audit Committees – Recent data indicate that only 20% of nonprofits have a CS vulnerability assessment in place, and only about the same proportion have a plan in place should a CS breach take place.* Due care responsibilities seem to be missing among a large portion of nonprofits.

If a nonprofit like the one described is attacked, not only will records be compromised, but the reputation of the agency will also be destroyed, probably along with the nonprofit organization itself. Large business and nonprofit organizations may be able to survive such an attack, but the typical nonprofit probably will not be in the same position.

*https://communityit.com/nonprofit-cybersecurity-stats-10-numbers-to-know/#:~:text=Only%
