06 Nov 2023

Cybersecurity Governance for NFP Boards and Committees

Boards and committees of NFPs and charities are facing an imperative shift towards prioritising cybersecurity. With the digital sphere’s burgeoning risks, it is incumbent upon boards to take the helm and steer their organisations into safer waters. Establishing a cybersecurity sub-committee and developing a Cyber-safety plan are critical steps that boards must undertake to navigate the complexities of cyber threats.

Initiating a dedicated sub-committee for cybersecurity is a strategic move. This specialised group, ideally comprising board members with some knowledge of IT and cybersecurity, along with external consultants, should be tasked with discerning the NFP’s unique digital risks and ensuring adherence to cybersecurity best practices.

Developing a Cyber-safety Plan:

· Risk Assessment: A meticulous risk assessment is the cornerstone of the plan, with the sub-committee overseeing the evaluation of the organisation’s digital assets, vulnerabilities, and external threats.

· Policy Formulation: The sub-committee should guide the creation of robust cybersecurity policies that address data protection, breach response, and periodic audits, all customised to the NFP’s operational context.

· Educational Initiatives: The board should be responsible for endorsing and funding regular cybersecurity awareness programs for staff, to cultivate a culture of digital vigilance.

· Defensive Measures: Critical defences, including encryption, stringent access controls, and multi-factor authentication, must be implemented, with the sub-committee ensuring these measures remain up to date and effective.

· Incident Response Planning: The sub-committee must play an instrumental role in formulating a comprehensive incident response plan, detailing swift actions, communication protocols, and recovery measures.

· Cyber Insurance Investment: The board should contemplate investing in cyber insurance to mitigate the financial repercussions of potential data breaches. A review of current insurance policies is advised to ensure that they cover cyber risks.

· Expert Collaboration: Establishing partnerships with cybersecurity experts is essential, with the sub-committee facilitating these relationships to gain specialised support that respects the NFP’s budgetary considerations.

· Ongoing Oversight: Continuous reporting on cybersecurity matters by the sub-committee to the full board ensures persistent awareness and monitoring of the organisation’s cybersecurity health.

· Regulatory Compliance: The cybersecurity plan must align with legal and regulatory requirements, with the sub-committee ensuring the organisation’s compliance to avoid liabilities.

Embracing a proactive stance on cybersecurity will ensure that boards can lead their organisations toward a secure digital environment. A well-structured cybersecurity sub-committee and a robust plan are the bedrock of this approach, empowering NFPs to preserve the integrity and trust that are the lifelines of their operations in the digital age.