Mar 2023 Charity & NFP Law Update
Cybersecurity Problems & Objectives for Non-profit Sector Discussed by Working Group
“Every Canadian non-profit is empowered to securely meet its mission and protect the organization and its beneficiaries from cyber threats.” That is the stated vision for cybersecurity in the non-profit sector in a recent report from The Canadian Centre for Nonprofit Digital Resilience (the CCNDR). Published February 2023 on the CCNDR’s website, the report, titled “Building the Cybersecurity and Resilience of Canada’s Nonprofit Sector: A Vision and Strategy for the Sector” (the “Report”), highlights the challenges facing non-profits from cybersecurity threats, the sufficiency of available solutions, sector-wide strategy and next steps. The Report is based on the results of a working group of 47 participants (the “Working Group”), including representatives “from large and small non-profits, non-profit capacity-builders, non-profit funders, policymakers, academics, cybersecurity experts, and cybersecurity vendors” that met to discuss the problem, and the solution, in May and October, 2022. This Privacy Update briefly summarizes the Report. It is recommended that all charities and non-profits read the full document.
There are “operational, financial, legal and reputational risks with devastating outcomes” for the non-profit sector, according to the Report. Ransomware or phishing attacks, data breaches, and accidental or natural hazards “can put digital information and systems at risk.” While non-profits “adopt systems, software and automated processes” to address these risks, the Report states, they do so without fully understanding them, often due to time and funding constraints, as well as a lack of expertise. “Awareness and attention, funding restrictions, scale, time horizon and outdated systems are key challenges faced by non-profits,” according to the Report. Other issues include a diffusion of responsibility when operating in a federation or association, mandates from funders to collect certain information or use a particular system, the engagement with privacy rights, and limited internet access in rural areas. “Even if they could afford cyber insurance,” the Report notes, “most non-profits would not meet the stringent eligibility requirements.”
Non-profits must have the knowledge, tools, and resources for cybersecurity, according to the Working Group’s vision for the sector. The Report outlines 5 objectives in a sector-wide strategy:
- Non-profit boards, executives, and staff understand their risks and obligations and prioritize cybersecurity;
- Non-profits have an easy on-ramp to cybersecurity, beginning with a relevant risk assessment that prioritizes preventive, focused action at different maturity levels;
- Non-profits have access to a standard against which they can compare themselves and that is accepted by funder;
- Non-profits have funding to implement required cybersecurity practices;
- Non-profits have access to a marketplace of vendors providing quality, cost-effective solutions.
To meet these stated objectives, the Working Group decided to “develop and test several prototypes”, beginning with a risk assessment and on-ramp in the immigrant and refugee-serving sector. “The strategic approach is to go deep into the needs of one sector,” the Report states, to develop successful intervention, “and then scale it to other sectors.” The Working Group also intends to develop a model cybersecurity policy, in partnership with the Islamic Family and Social Services Association, which could then be adopted by other social services organizations.
