By Melanie Lockwood Herman
Risk is top-of-mind for many nonprofit boards these days. Board members understandably want to grasp the top risks facing an organization and have confidence that the management team is prepared to weather the downside risks it cannot avoid. And based on our work with nonprofits across a wide spectrum of missions, the risk of a data breach occupies a spot on most ‘top 10 risks’ lists.
What should a board be asking, talking about, and focused on when it comes to data breach risk and cyber threats? How can management teams keep their boards apprised of cyber threats without opening the door to unproductive excursions into day-to-day management and operations?
Key Cyber Risk Discussion Topics for the Board
The NRMC team recommends being proactive in educating your board about cyber threats and the strategies you have established to mitigate the risk of a data breach. How? Anticipate the questions board members are likely to ask and prepare thoughtful, responsive answers. We hope the following questions will be helpful as you prepare to engage with your board on a tricky but timely topic.
- What is the risk of a data breach? Education-focused topics are becoming standard components of nonprofit board agendas. Board members increasingly recognize that deepening their understanding of critical issues is key to discharging their fiduciary and governance roles. Consider inviting a third-party expert to brief the board on the evolving landscape of cyber threats and data privacy. An educational segment is an excellent precursor to sharing information on what your nonprofit is doing to mitigate the risk of a breach.
- What is the organization’s exposure to cyber threats and data breaches? Segue from a general briefing on the landscape of cyber threats to how these threats potentially impact your nonprofit. For example, explain how and why your agency collects and uses Personally Identifiable Information (PII) or Protected Health Information (PHI). When describing your exposure to privacy breaches, remember to humbly acknowledge that data is at risk from third-party attacks as well as insider missteps!
- What strategies are in place to guard against the risk of a data breach? Share an overview of the myriad strategies your team has adopted to reduce the likelihood of a breach, detect a breach quickly, and reduce the overall cost and disruption of a breach. Keep in mind that merely saying that “we’ve backed everything up” won’t convey readiness to cyber-savvy board members, nor is “backing up” a robust strategy.
- What will we do if we experience a data breach or attempt to access protected or confidential information? Describe the strategies and approaches you’ve put in place to respond upon learning of a potential or actual data breach. Explain third-party advisors’ roles, such as counsel, loss control reps at your insurance carrier, or IT consultants. Also, provide an overview of how your cyber liability policy, if you have one, is expected to support your response and the extent to which the policy will cover some of the financial aspects of a breach. Be sure to clarify what the policy doesn’t cover. Depending on your coverage, those exclusions might be acts of war, loss of equipment, failure to implement security measures, and loss of future revenue, among others.
- What is the cost of the protections and cybersecurity strategies we have put in place? The board will want to understand and gauge whether your nonprofit has made an appropriate investment in protective and preventative strategies. Be prepared to describe the staff time commitment, the investment in tools and tech protections, and the scope and cost of your cyber liability insurance policy.
Make it Visual
Today’s management teams are increasingly using dashboards and graphics to illustrate progress towards goals, financial health, and more. A risk dashboard or maturity model is a potentially useful tool to exhibit how your team is evolving its risk management practices related to cyber threats.
For example, using the Radar chart type in Excel, you can create a Spider Diagram contrasting specific cyber threats with your nonprofit’s ‘readiness’ for each. The diagram shows where the most significant gaps lie and where opportunities for further investment exist. In the adjacent example, the greatest gaps between exposure and readiness are in two areas: systems failure and fraud/phishing loss. Sharing a visual such as the one below could be helpful if an upcoming board decision relates to allocating additional resources to close the gaps.
Because cyber risk is present for nearly every nonprofit, leaders should work with their boards to establish a transparent reporting process that will allow the board to effectively discharge its important oversight role. The NRMC team hopes that by using the education, discussion, and reporting tips presented in this article you will be able to empower your board to strengthen its oversight role, including its focus on how cyber risks could impact your organization’s strategic objectives.
Melanie Lockwood Herman is the Executive Director of the Nonprofit Risk Management Center. She welcomes your questions about the board’s risk oversight role and NRMC’s consulting services at 703.777.3504 or Melanie@nonprofitrisk.org.