Why Nonprofit Boards Must Take the Lead on Cybersecurity Governance
Cybersecurity is no longer just a technical concern buried within IT departments. For nonprofits, it has become a central governance issue that directly affects mission delivery, stakeholder trust, and regulatory compliance.
Nonprofits are increasingly targeted by cyberattacks. According to NetHope’s “2025 State of Humanitarian and Development Cybersecurity Report,” 70% of nonprofits reported an increase in their cyber risk profile in 2025.
Yet many still lack dedicated leadership and sufficient budgets to address growing security, privacy, and compliance demands. The consequences extend far beyond technical disruptions. A breach can expose donor records, client data, or financial systems, erode public trust, interrupt program delivery, and trigger regulatory scrutiny or litigation.
A stark example occurred in May 2025 when Kettering Health, a nonprofit hospital system in Ohio, suffered a ransomware attack that shut down hundreds of digital applications across its network. Staff reverted to paper records for weeks, elective procedures were canceled, and patient care was delayed. The organization later faced lawsuits over compromised data and service disruptions. Incidents like this underscore how cyber threats now directly impact mission continuity and financial stability, making them a core responsibility of board-level oversight.
Why Nonprofits Are Vulnerable
Nonprofits hold a significant amount of sensitive data. Donor records, financial information, and personally identifiable information all make these organizations appealing to attackers. Yet compared to private-sector entities, nonprofits often operate with fewer resources dedicated to cybersecurity.
This imbalance creates opportunity for attackers. Cybercriminals are aware that nonprofits may have less mature controls, outdated systems, or limited monitoring capabilities. Many nonprofits rely on hourly workers, volunteers, and third-party platforms, further expanding their digital footprint and potential points of entry.
The impact of a breach can be severe. Beyond financial losses, nonprofits risk reputational damage, erosion of donor confidence, disruption of services, and potential regulatory penalties tied to data protection requirements.
The Cybersecurity and Infrastructure Security Agency emphasizes that organizations of all sizes, including nonprofits, must treat cybersecurity as a critical business risk — not simply a technology issue.
From IT Issue to Board Responsibility
Cybersecurity is no longer an isolated IT challenge. It has evolved into a board-level governance imperative that intersects with nearly every aspect of operations. Boards are responsible for protecting organizational assets, ensuring compliance, and safeguarding the resources that support their mission. Donor databases, payroll systems, and client records often contain sensitive information subject to data privacy laws and, in some cases, the Health Insurance Portability and Accountability Act (HIPAA). A successful attack can lead to financial losses from ransomware payments, regulatory fines, increased insurance premiums, legal fees, and long-term reputational harm that reduces donations and volunteer support.
Just as boards oversee financial controls and compliance frameworks, cybersecurity risks must be identified and managed at the organizational level. Through its Cybersecurity Framework, the National Institute of Standards and Technology encourages organizations to integrate cybersecurity into their overall risk management and governance processes.
Boards should ensure that responsibility for cybersecurity is clearly defined and designate leadership with the authority to coordinate efforts across the organization.
What Boards Should Do Now
Forward-thinking boards should embed cybersecurity into their core governance practices through the following steps.
Integrate cyber risk into governance processes. Make cybersecurity a regular agenda item in board and finance committee meetings. Require periodic risk assessments that map vulnerabilities across financial, operational, and program systems, using accessible frameworks such as the National Institute of Standards and Technology’s Cybersecurity Framework.
Establish clear accountability and reporting. Designate a board liaison or committee to receive regular updates on threats, incidents, and mitigation progress. Demand plain-language dashboards showing key metrics, such as phishing test failure rates, patch compliance, and incident response readiness.
Approve and monitor policies and resources. Review and update acceptable-use policies, incident response plans, and data-retention guidelines. Ensure budgets allocate funds for basic protections like multi-factor authentication, regular backups, and staff training. Boards should also evaluate the need for cyber liability insurance as part of overall risk management.
Promote organization-wide awareness. Mandate annual training for staff, volunteers, and board members on recognizing red flags such as suspicious links or requests for wire transfers.
Some organizations may choose to engage a virtual chief information security officer — an outsourced cybersecurity executive who delivers high-level strategy, governance guidance, risk assessments, policy development, and ongoing oversight on a flexible basis. This approach provides experienced leadership without the expense of a full-time employee, which can be particularly valuable for organizations with limited budgets. While not the only option, a virtual chief information security officer can bridge the gap between technical execution and board-level strategic needs, helping tailor controls to the nonprofit’s specific risk profile and compliance obligations.
Additional steps may include participating in sector-based information-sharing networks, conducting periodic third-party security audits, and building internal capacity through targeted training. Many nonprofits can also leverage free or low-cost resources to establish foundational cybersecurity programs.
These risks increasingly surface in audits, compliance reviews, and donor expectations around data security. Boards that treat cybersecurity as a governance priority rather than a technical afterthought demonstrate prudent stewardship and strengthen the organization’s long-term resilience.
In an environment where cyberattacks are rising and resources remain limited, nonprofit boards cannot afford to view security as someone else’s responsibility. By exercising active oversight and considering leadership models such as a virtual chief information security officer alongside layered defenses, boards play a critical role in protecting the data, funding, and trust that sustain their missions. The Kettering Health example underscores the urgency for proactive governance today to prevent costly crises tomorrow.
The preceding content was provided by a contributor unaffiliated with NonProfit PRO. The views expressed within may not directly reflect the thoughts or opinions of the staff of NonProfit PRO.
Nick Cozzolino is a principal with FoxPointe Solutions, a division of The Bonadio Group. He is an experienced IT professional with a background in the accounting industry. He specializes in network security, business continuity, information security, disaster recovery, and cloud computing.