Mitigating Risk While Serving the Community

Nonprofit organizations often serve as the backbone of our communities. They ensure we have access to quality healthcare and educational opportunities, are venues to enjoy the arts, and provide services to offer shelter, hunger relief and care for some of our most vulnerable citizens. 

As if this wasn’t a large enough responsibility, nonprofit organizations must also protect their donors, resources, and clients from the impacts of cyberattacks and fraud. 
Imagine this scenario: It’s Monday morning and you need to prepare for the first of several meetings with clients seeking assistance for their families’ healthcare needs. You sign onto your computer login and immediately receive a message that your organization’s network has been locked down with a demand a ransom be paid to regain access. Would you — or your organization — know what to do? 

Understanding the threats to your organization So, what makes charitable organizations an easy mark for cyberattacks? Nonprofit and non-governmental organizations (NGOs) raise an estimated $30 billion annually. These organizations collect and house sensitive data about clients, including financial and heath information, which makes for a prime target for cybercriminals. However, these entities often lack the financial resources for cybersecurity infrastructure in comparison to corporations. In fact, 80% of charitable organizations do not have any cybersecurity plan.¹ 

A look at recent notable cybercrimes against nonprofits and NGOs show that attackers target organizations of any size. 

• In January 2022, the International Committee of the Red Cross announced its servers were hacked, which left the personal information of more than 515,000 people worldwide compromised.²

• A Pennsylvania foodbank was defrauded out of nearly $1 million in 2020 when cybercriminals targeted it with an email phishing attack.³ 

• In 2021, hackers stole $650,000 from a California-based nonprofit that provides affordable housing for low-income households by attacking the email system of a third-party vendor.⁴ 

Types of cyberattacks

Attempts to defraud or attack an organization can take many forms. Data breeches from ransomware, a computer program that blocks access to the target’s data until a ransom is paid, are on the rise. According to one report, there were 89 million ransomware attacks globally during second quarter 2023, which was a 74% increase over the previous quarter.⁵

Social engineering is a type of cyberattack designed to infiltrate an organization’s network by tricking someone via a trojan horse action or program. The trap usually involves using an emotional response, such as urgency, curiosity, or fear on an unsuspecting person that allows the cybercriminal access into a network. There are several types of social engineering attacks — business email compromise, phishing, pretexting, scareware, SMS (text message) fishing and tailgating — all designed to grant attackers network access where they can wreak havoc. 

Safeguarding your organization  With cyberattacks becoming more prevalent, it is imperative that you take all precautions that you can to prevent this activity, but also have a plan on what to do if your organization becomes a target. Here are five steps that can help protect your organization and your key stakeholders: 

1. Review your organization’s needs, and only provide access to sensitive information to employees that need it for their roles. If your organization uses third-party vendors, confirm these partners have their own cybersecurity strategies in place. 

2. Develop training policies that educate staff on the types of attacks cybercriminals use and implement a testing strategy that requires all associates to complete testing on a periodic basis. 

3. Ensure your organization’s data records require sufficient password guidelines and consider multi-factor authentication as another step to protect access to your system. Also, having a data backup and recovery solution in place could help curtail extensive downtime should your network be subject to a cyberattack. 

4. Make sure your organization has a business continuity plan that includes routine scenario trainings for all relevant staff so that each employee knows what to do at the first sign of a problem. One key part to this plan is to make sure the organization has cybersecurity insurance coverage. Work with your insurance carrier to identify and fix gaps so your systems 

5. Work with banking partners that have experience dealing with payments fraud. According to the 2023 AFP Payments Fraud and Control Report, 79% of organizations are likely to seek assistance from banking partners for guidance on how to minimize the impact of a fraud event.6 Some organizations consider it a best practice to conduct regular reviews of fraud solutions with their banking partners or incorporate a fraud solution demonstration as part of the review process when seeking a new partner. 

Commerce Trust, a division of Commerce Bank, has been a financial partner to nonprofit organizations for more than seven decades. We serve more than 270 nonprofit clients, representing $11.6 billion in assets under administration as of September 30, 2023. 

1 “Nonprofits and cyberattacks: Key stats that boards need to know,” boardeffect.com, June 9,2023.
2 “Cyberattack on Red Cross compromised sensitive data on over 515,000 vulnerable people,” NPR, Jan. 20, 2022.
3 “Philadelphia hunger group loses nearly $1M in cyberattack,” The Associated Press, Dec. 1, 2020.
4 “Hackers stole $650,000 from nonprofit and got away,” The Wall Street Journal, June 7, 2021.
5 “Ransomware attacks skyrocket in 2023,” Infosecurity Magazine, July 26, 2023. 6 2023 AFP Payments Fraud and Control Report, Association for Financial Professionals, April 2023

Non-depository investments offered in connection with Commerce Bank and its affiliates are not guaranteed, are not FDIC insured, and may lose value.
Information provided is effective as of October. 18, 2023, is subject to change, and is presented for the purpose of general education, information or illustration only, not to be considered as the opinion of Commerce Trust or Commerce Bank regarding any individual investment, investment account or market behavior. Neither Commerce nor any of its affiliates have made any recommendation or given any advice as to the terms, beneficial interests or profitability of any investment or market activity which may be referenced here, and this information may not be relied upon as such. Investors are always fully responsible for any investment transaction you choose to enter into, and you shall not rely only on the information presented from Commerce as a basis for investment decisions.
Commerce Trust does not provide legal advice to its customers.
Data contained herein from third-party providers is obtained from what are considered reliable sources. However, its accuracy, completeness or reliability cannot be guaranteed.