Managing cyber risk in the third sector

These days, cyber risk should be high on the third sector’s risk management agenda, as incidents burden small organisations with increasing frequency.



Author: Markel UK

We review the different types of cyber risks affecting the third sector and what to do about them.

In 2021, virtually every organisation, even non-governmental and non-profit-making ones, operates electronically to some extent in order to perform its key services, whether that means maintaining an online profile or managing back-office requirements such as accounts and payroll. Pre-pandemic, cyber incidents were considered the number one business risk on the annual Allianz risk barometer, with 40% of those surveyed expressing concern. The pandemic may have caused cyber risk to drop below business interruption, but it is still a major issue for many third sector organisations.

Types of cyber risk

By cyber risks we aren’t just talking about the more obvious hacking incidents – exposure to such risks can also arise from employee and software errors. Since the implementation of GDPR in 2018, breaches which result in personal details ending up in the wrong hands are treated as major incidents, and organisations can face fines of up to £17.5 million or 4% of their annual turnover, whichever is greater. Civil claims can also be brought by each of the individuals affected. Digital data therefore comes with increasing legal and reputational risk.

Cyber risk can be grouped broadly into the following categories:

Operational cyber risk

The risk to business continuity if organisations are denied their electronic systems.

Financial cyber crime

Crime committed by hacking or spoofing communications, such as fund transfer requests, or by interfering with website payment links.

Data risk

The risk associated with the increasing amount of data that organisations hold and transfer. A significant part of data risk relates to the growing legal regulations and sanctions associated with that data.

Managing cyber risks

Cyber security services, including data risk analysis, data masking (the process of hiding sensitive data behind modified content) and vulnerability discovery (the process of examining a piece of software or hardware to establish whether it contains vulnerabilities), form a fast-growing sector, and that growth is expected to continue and accelerate over the next few years.

A 2021 report carried out on behalf of the UK Department for Digital, Culture, Media and Sport showed that almost 50,000 people are now employed in cyber security and that the number of cyber security firms in the UK increased by 21% on last year. Parliamentary Under-Secretary of State for Digital Infrastructure, Matt Warman, said: “The need for cutting-edge cyber security has never been greater and this resilient sector is growing, diversifying and solidifying its status as a jewel in the UK’s tech crown. With more than 3,800 new jobs created, firms – large and small – are doing vital work keeping people and businesses secure online.”

Organisations should consider preventative measures, such as vulnerability discovery and data masking, to help mitigate these risks. The third sector should protect its communications and data in the same way that it protects the security of its buildings and property assets.

Of course, some cyber risks are simply not preventable, driven as they are by our dependency on IT, GDPR legislation and a compensation culture around privacy. Specialist cyber insurance policies offer policyholders a combination of incident management and access to legal and PR experts, as well as cover for costs such as those caused by business interruption or data issues. An effective insurance policy will help charities, not-for-profit and care organisations to respond to cyber incidents and will boost the confidence of the other parties they provide services for.