Mitigating Risk, While Serving the Community

Amy Pieper, Senior Vice President, Director of Nonprofit Services
November 9, 2023

Nonprofit organizations often serve as the backbone of our communities. They ensure we have access to quality healthcare and educational opportunities, provide venues to enjoy the arts, and offer shelter, hunger relief and care for some of our most vulnerable citizens.

As if this wasn’t a large enough responsibility, nonprofit organizations must also protect their donors, resources, and clients from the impacts of cyberattacks and fraud. 
Imagine this scenario: It’s Monday morning and you need to prepare for the first of several meetings with clients seeking assistance for their families’ healthcare needs. You log in to your computer and immediately receive a message that your organization’s network has been locked down, with a demand that a ransom be paid to regain access. Would you, or your organization, know what to do?

Understanding the threats to your organization

So, what makes charitable organizations an easy mark for cyberattacks? Nonprofit and non-governmental organizations (NGOs) raise an estimated $30 billion annually. These organizations collect and house sensitive data about clients, including financial and health information, which makes them a prime target for cybercriminals. However, these entities often lack the financial resources for cybersecurity infrastructure in comparison to corporations. In fact, 80% of charitable organizations do not have any cybersecurity plan.1

A look at recent notable cybercrimes against nonprofits and NGOs shows that attackers target organizations of any size.

  • In January 2022, the International Committee of the Red Cross announced its servers were hacked, which left the personal information of more than 515,000 people worldwide compromised.2

  • A Pennsylvania foodbank was defrauded out of nearly $1 million in 2020 when cybercriminals targeted it with an email phishing attack.3

  • In 2021, hackers stole $650,000 from a California-based nonprofit that provides affordable housing for low-income households by attacking the email system of a third-party vendor.4 

Types of cyberattacks

Attempts to defraud or attack an organization can take many forms. Data breaches from ransomware, a computer program that blocks access to the target’s data until a ransom is paid, are on the rise. According to one report, there were 89 million ransomware attacks globally during the second quarter of 2023, which was a 74% increase over the previous quarter.5



Social engineering is a type of cyberattack designed to infiltrate an organization’s network by tricking someone via a trojan horse action or program. The trap usually involves provoking an emotional response, such as urgency, curiosity, or fear, in an unsuspecting person, which allows the cybercriminal access into a network. There are several types of social engineering attacks (business email compromise, phishing, pretexting, scareware, SMS (text message) phishing and tailgating), all designed to grant attackers network access where they can wreak havoc.

Safeguarding your organization

With cyberattacks becoming more prevalent, it is imperative that you take all the precautions you can to prevent this activity, but also have a plan for what to do if your organization becomes a target. Here are five steps that can help protect your organization and your key stakeholders:

1. Review your organization’s needs, and only provide access to sensitive information to employees who need it for their roles. If your organization uses third-party vendors, confirm these partners have their own cybersecurity strategies in place.

2. Develop training policies that educate staff on the types of attacks cybercriminals use and implement a testing strategy that requires all associates to complete testing on a periodic basis. 

3. Ensure your organization’s data records are protected by sufficient password guidelines, and consider multi-factor authentication as another step to protect access to your system. Also, having a data backup and recovery solution in place could help curtail extensive downtime should your network be subject to a cyberattack.

4. Make sure your organization has a business continuity plan that includes routine scenario trainings for all relevant staff so that each employee knows what to do at the first sign of a problem. One key part of this plan is to make sure the organization has cybersecurity insurance coverage. Work with your insurance carrier to identify and fix gaps so your systems 

5. Work with banking partners that have experience dealing with payments fraud. According to the 2023 AFP Payments Fraud and Control Report, 79% of organizations are likely to seek assistance from banking partners for guidance on how to minimize the impact of a fraud event.6 Some organizations consider it a best practice to conduct regular reviews of fraud solutions with their banking partners or incorporate a fraud solution demonstration as part of the review process when seeking a new partner. 


Commerce Trust, a division of Commerce Bank, has been a financial partner to nonprofit organizations for more than seven decades. We serve more than 270 nonprofit clients, representing $11.6 billion in assets under administration as of September 30, 2023. 

1 “Nonprofits and cyberattacks: Key stats that boards need to know,” boardeffect.com, June 9, 2023.
2 “Cyberattack on Red Cross compromised sensitive data on over 515,000 vulnerable people,” NPR, Jan. 20, 2022.
3 “Philadelphia hunger group loses nearly $1M in cyberattack,” The Associated Press, Dec. 1, 2020.
4 “Hackers stole $650,000 from nonprofit and got away,” The Wall Street Journal, June 7, 2021.
5 “Ransomware attacks skyrocket in 2023,” Infosecurity Magazine, July 26, 2023.
6 2023 AFP Payments Fraud and Control Report, Association for Financial Professionals, April 2023.

Non-depository investments offered in connection with Commerce Bank and its affiliates are not guaranteed, are not FDIC insured, and may lose value.
Information provided is effective as of October 18, 2023, is subject to change, and is presented for the purpose of general education, information or illustration only, not to be considered as the opinion of Commerce Trust or Commerce Bank regarding any individual investment, investment account or market behavior. Neither Commerce nor any of its affiliates have made any recommendation or given any advice as to the terms, beneficial interests or profitability of any investment or market activity which may be referenced here, and this information may not be relied upon as such. Investors are always fully responsible for any investment transaction you choose to enter into, and you shall not rely only on the information presented from Commerce as a basis for investment decisions.
Commerce Trust does not provide legal advice to its customers.
Data contained herein from third-party providers is obtained from what are considered reliable sources. However, its accuracy, completeness or reliability cannot be guaranteed.

ABOUT THE AUTHOR

Amy Pieper, CTFA
Senior Vice President, Director of Nonprofit Services
Commerce Trust
Amy is the director of nonprofit services for Commerce Trust, and she is located in Kansas City. She and her team are responsible for delivering holistic financial and advisory services that are specific to the unique needs of nonprofit agencies across Commerce Trust’s eight-state geographic footprint.

Amy and her team focus on understanding the unique opportunities and challenges that each nonprofit may face and then providing resources to help them meet their objectives and grow in service to the community. Prior to joining Commerce Trust in 2014, Amy acquired more than 20 years of industry experience.

Amy earned her Bachelor of Science in business administration from the University of Missouri and is a graduate of the Cannon Personal Trust School. Amy holds the designation of Certified Trust and Financial Advisor. She currently serves as trustee and secretary for the Watkins Mill Association and is a board member of Support Kansas City. Amy formerly served on the board of the American Heart Association, Liberty Hospital Foundation Regional Advisory Council, the planned giving committee of Kansas City Hospice & Palliative Care, the finance committee at Church of the Annunciation and is a past-president of the Kansas City Chapter of Corporate Fiduciaries.

Amy is married to Dennis, a middle school social studies teacher and her husband of 25 years. They have two children, Sydney and Preston. In their spare time, they enjoy traveling (especially anywhere they can soak up history), attending Mizzou Football games in the fall, and staying involved with their parish.