Following the Charity Commission’s report on how cyber-crime is affecting the charity sector and how ill-equipped the sector may be to combat these threats, Hannah Kubie, partner and Hannah Sterry, paralegal, both at Stone King LLP discuss the causes of these growing concerns and their implications for the charity sector.
With kind permission of Lexis Nexis.
- The Charity Commission has published an insights and actions report following a cybercrime survey of charities. What is the background to this report and what are its most notable findings to be aware of?
For many years, the Charity Commission has been working to raise awareness of the threat of cyber-attacks in the charitable sector. In recent years however, thanks to the growing sophistication of cyber-criminals and increased public awareness in light of high-profile ransomware attacks, charities are now sitting up to take note.
In October 2019, the Charity Commission published a report entitled ‘Preventing Charity Cybercrime Insights+Action’, which includes key insights into the sector and actions to help prevent cyber-crime. Reassuringly, overall awareness of the risk of cyber-crime is on the rise. This is thought largely to stem from increased awareness of the General Data Protection Regulation, Regulation (EU) 2016/67 (GDPR) and the potential for organisations to incur significant fines for cyber-security breaches involving personal data. Over one third of charities have reportedly made changes to their cyber-security processes as a result of the GDPR, affording better protection against cyber-crime.
Interestingly, smaller charities continue to be particularly vulnerable to cyber-crime. These charities often have a small number of experienced trustees with a higher average age (65–74 years old). From their research, the Charity Commission’s report indicates that these individuals have overall lower cyber-awareness, potentially rendering small charities more vulnerable than for-profit organisations of a similar size.
Despite raised awareness, the report has flagged a lack of understanding across the sector, with 36% of charities not knowing which type of cyber-attack they are most vulnerable to. Phishing and malicious emails remain the most common form of attack on charities, however the report highlighted hacking and extortion, to be another key cause for concern. Anecdotally, we see this is a growing area of concern for charities, which may feel they are not in a position to ‘pay off’ an attacker, as may well be commonplace with commercial organisations. With commercially practical guidance on this area being limited, this is a key issue that needs to be addressed further.
- What are some of the reasons as to why cyber-crime has become such an issue for charities?
Technological advances bring wide-ranging benefits to charities. As charities aim to expand their reach and engagement, a digital presence is becoming a key operational consideration, with many making use of social media, cloud computing and digital fundraising platforms. This increased use of technology is not without risk, however. Recent years have seen significant growth in cyber-crime, which is now considered a global threat.
Cyber-criminality does not draw any distinction with third sector organisations, leaving charities of all sizes open to the ever-increasing threat of cyber-attacks. In fact, we understand some charities we work with feel particularly vulnerable as often much is known about them and their technological plans owing to the information contained in their annual reports and, more generally, through public facing engagement with their stakeholders. As cyber-criminals become more sophisticated at trawling the web for information, charities can suffer for their increasing efforts to be accountable and transparent.
The Charity Commission estimates that charities in England and Wales spend nearly £80bn every year. This means that charities, particularly larger, high-income charities, are becoming an increasingly attractive target for cybercriminals. In early 2019, the government’s Cyber Security Breaches Survey 2019 revealed that one in five charities have experienced some form of cyber-breach or cyber-attack in the past 12 months—a figure that is significantly higher for high-income charities. In view of the frequency of attempted cyber-attacks, perhaps the most concerning aspect is the financial cost of lost data or assets through breaches of cyber-security for charities, ranging from £300–£100,000 with an average annual cost of £9,470. For organisations dealing with assets intended for charitable causes, the potential losses can be devastating - not only for the organisations themselves, but also for those that they intend to help.
Another crucial issue is the widespread underinvestment in cyber-security and protection. Underfunding in the charity sector is by no means a new issue (with many charities reluctant to spend donors’ money on governance and protection). However, its effects are particularly evident in the technological sphere. In order to survive in an increasingly digital market, organisations must prioritise cyber-security, to ensure that they are not left susceptible to attack.
Lack of funding is not the only problem however. The current cyber-security market is very much geared towards the commercial sector, meaning that charities may be unable to benefit from technological solutions or cyber-insurance that could offer some much-needed protection. When some charities come to obtain quotes for cyber-insurance, they find that they need to do a lot of updates and fixing before premiums will come down to a reasonable level.
- What actions have been suggested to combat cyber-crime for charities? Will these actions be effective? What more could be done?
Arguably, progress in the fight against cyber-crime is dependent on growing awareness and implementation of robust reporting practices. The Charity Commission’s report has highlighted the need for charities to take a pro-active approach, prioritising detection and prevention. The Charity Commission is taking seriously its responsibility to provide guidance for charity trustees, having produced a wide range of useful resources to ensure best-practice across the sector. It is encouraging to note the positive impact, with more than two thirds of charities having taken action to strengthen their cyber-defences over the past year.
Although it is ‘after the event’, creating a strong culture of reporting is also an important method to enable better understanding and therefore continued progress in the fight against cyber-crime. The system of making serious incident reports to the Commission has had increased emphasis in recent years. Additionally, charities will frequently have to report cyber-crime to the Information Commissioner’s Office where data is concerned and also to Action Fraud where there is alleged or actual fraud.
The Charity Commission’s report has shown that cyber is a pertinent issue within the charity sector, and this will continue to be the case for the foreseeable future. Protection for charities depends very much on the evolution of the global cyber-security market, often beyond the abilities of the Charity Commission or other regulators to influence. It is likely that charities will continue to lag behind their commercial counterparts in the prevention and detection of cybercrime until such time as the market begins producing bespoke solutions tailored to the specific needs of charities. We otherwise fear that the next big charity story to hit the press might well be cyber-crime related.