THIRD SECTOR PROMOTION

Managing cyber risk in the third sector

Cyber risks should be high on the risk management agenda of third sector organisations as incidents hit the headlines and burden small organisations with increasing frequency.

Cyber risk can be grouped broadly into the following risks:

Operational cyber risk
Concerns the risk to business continuity if organisations are denied their electronic systems.

Data risk
Never before have organisations been able to hold and transfer so much data with such speed and ease. A significant part of information cyber risk relates to the growing legal regulations and sanctions associated with data.

Financial Cyber Crime
Committed by hacking or spoofing communications such as fund transfer requests, or by interfering with website payment links.

Nowadays, virtually every organisation operates electronically in some way to perform its key services, maintain an online profile, and manage back office requirements such as accounts and payroll.

It is important to note that cyber risks are not limited to hacking incidents. Exposure to such risks can arise from employee and software errors.

Back in 2015, the Information Commissioner’s Office announced an investigation into claims that an 87-year-old man’s personal details were sold or passed on by charities up to 200 times. Many people back then may not have considered this to be a ‘cyber’ incident, but with GDPR being implemented last year, it is now considered a major breach. If it were to occur today, organisations could face fines of up to €20 million or 4% of their annual turnover, and civil claims brought by each of those affected.

Digital data therefore comes with increasing legal and reputational risk.

Claims examples:
• Stolen laptop – data breach and ICO fine?
• Website vulnerability – caused data breach and ICO fine?
• Charity website defaced – PR incident in national press?
• Ransomware attack?
• Data breach by service user who had access to employee’s phone & apps?
• Accidental email – sensitive data sent to wrong recipient?

Health & social care providers

Hans Allnutt, partner specialist at the solicitors DAC Beachcroft, explains that "further legal requirements for organisations providing or supporting health, public health and adult social care services arise out of the Health & Social Care Information Centre’s checklist, published in May 2015".

This includes guidance for reporting, managing and investigating cyber security incidents, requiring serious incidents to be reported to the Department of Health and the ICO.

Managing cyber risks

The UK Department for Digital, Culture, Media and Sport reports that 42% of charities have sought information, advice or guidance on cyber matters in 2018.
Organisations should continue to look into which preventive (risk management) measures they can effectively use, just as they protect the security of their buildings and property assets.

However, many of the prevailing issues are simply not preventable risks, and are increasingly fuelled by dependency on IT, GDPR legislation, and a compensation culture around privacy.

Specialist cyber insurance policies offer policyholders a combination of:
• Incident management – access to legal, cyber and PR experts in the event of an incident
• Your own costs including business interruption or loss of data 
• Claims against you following an incident

An effective insurance policy will help charities, not-for-profit and care organisations to respond to cyber incidents, and will give confidence to other parties for whom they provide services or handle data.

Case study

The financial, reputational and legal exposures of digital data to charities were highlighted when the ICO fined the British Pregnancy Advice Service £200,000 on 28 February 2014.

Like many charities, the BPAS held personal and sensitive data.
Information belonging to 9,900 people who had approached the charity for advice was stolen by a hacker activist who threatened to release the information.

The BPAS was not aware it was storing the information, highlighting the difficulty that organisations face in tracking and controlling the information they process.
The ICO found they had failed to adopt appropriate technical and organisational measures. Despite the fine, the BPAS’s actions were commended by the ICO. The BPAS voluntarily reported the incident and cooperated with the ICO, and it took steps to protect potentially affected data subjects.

All third sector organisations should ask themselves what they would do before, during, and after suffering a similar incident and should prepare accordingly.

Expert Articles: Risk Management

Advice on risk from Markel, a specialist insurance company working with charities, community groups, trustees, social enterprises and care providers.
