Cyber-attacks are a big problem for charities. They are sophisticated, cause intentional harm, are increasing in frequency, and attackers do not care about the size or nature of your organisation.
Having the most up-to-date cybersecurity protocols is no longer a luxury but a must-have.
However, what has been acknowledged, and to some extent now addressed with the new Cyber Governance Code, is that you might have good cybersecurity strategies in place, but who is actually managing and monitoring them? Who is responsible for implementing them throughout the organisation and ensuring that they are not only fit for purpose but also adhered to?
For charities, does the responsibility lie with your charity manager or your board of trustees?
The good news is that the recently launched code now offers clear guidance on where responsibility should lie (in the boardroom, with your trustees) and on best practice for managing and maintaining cyber resilience going forward, which we explore further throughout this post.
What is the Cyber Governance Code?
The Cyber Governance Code is a new voluntary code that aims to “help set a higher standard” in supporting businesses in protecting themselves from cyber threats.
For charities, it has become vital not only to be aware of the many and frequent cyber-attacks out there, but also to defend against them, protecting your data and finances responsibly.
Specifically, the code is designed to promote best practice and good governance, supporting boards and trustees in managing cybersecurity risk by setting out what actions boards should take, why, and how to take them in order to build and maintain cyber resilience.
What does this mean for charities?
Cyber-attacks not only disrupt everyday operations and activity; they also reduce competitiveness, damage reputation by eroding trust, and, most painfully, divert money intended for your beneficiaries.
With the Cyber Governance Code now in place, trustees are responsible for overseeing how cybersecurity is managed and maintained and for building resilience, making cybersecurity a core part of charity governance.
This means that trustees on charity boards should be asking:
- How can we trust the technology we have in place? What assurances do we have that it is safe?
- Who is responsible for managing this technology? Maintaining and updating?
- Do we know which suppliers and external companies we work with, and what their cybersecurity protocols are? How will they protect our data and information?
For trustees wishing to implement elements of the code, the focus will be on:
- Risk management – how, as a board, will you identify, prioritise, and mitigate the cyber and technology risks recorded in your risk register?
- Strategy – how will you align your digital strategy, including your cybersecurity strategy, with your business plan and objectives?
- People – include all your teams in the discussions, strategies, and protocols you put in place, and make sure you have the right people with the right skills to help manage cyber resilience within the charity.
- Incident response – think about how you respond to attacks and incidents and, most importantly, how incidents are reported and reviewed.
Practical steps for charities
To follow the code, charities should:
- Carry out regular risk assessments that include cyber threats and attacks. This makes everyone in the charity aware of what to look for, and documents the mitigations in place, how each risk will be managed, incident planning, and resource allocation.
- Develop a cyber strategy that sits alongside, and is consistent with, your overarching business plan. What do you need? How will it be managed? Who is responsible for reporting?
- Define clear roles and responsibilities at board level. Name the person or people responsible for managing, monitoring, and reporting on cyber governance.
- Get full engagement from all trustees and your team. With full buy-in, everyone will know what a cyber threat looks like, what to report, and, most importantly, who to report incidents to. This means clearly defining and communicating your cybersecurity strategy and providing training and education to promote awareness and foster positive behaviour.
- Report formally on cyber governance at board and trustee meetings, and make cybersecurity and governance a standing agenda item.
What the Cyber Governance Code means for small charities
Although the Cyber Governance Code is voluntary, it is recommended for any organisation that operates online or holds sensitive information.
By building cybersecurity into already robust governance, charities can better manage cyber risk and give themselves time to learn, adapt, and build.
Scrutiny of cyber governance is increasing as both the risk and the regulatory pressure grow. Taking a proactive approach now, and taking initial steps at board level to align with the Cyber Governance Code, will help charities build resilience and sustainability, both key areas as we move into 2026.