STAND OR DELIVER: Managing the risk of ransomware attacks on charities

Cyber criminals, the twenty-first-century equivalent of the highwaymen of yesteryear, don’t offer charities the stark alternative of “their money or their life”, but instead their money or their data, the lifeblood of many charities.

Ransomware attacks present a critical risk of a charity’s services grinding to a halt for weeks if not months, even if data is restored, as well as swingeing fines for personal data breaches in multiple jurisdictions.

The threat may be modern, but the proper approach of any charity, led by its trustee board, remains to act reasonably and honestly in seeking to avoid exposing its assets, beneficiaries or reputation to undue risk. The new Chair of the Charity Commission is mindful that the commission regulates a sector led by volunteers who, on the whole, have good intentions and are doing their best, often in difficult circumstances, but has reiterated that when it encounters those who are grossly negligent it won’t hesitate to use its powers effectively and robustly to ensure wrongdoing stops.

The responses to a survey of charities, published by the commission in October 2022 just before this year’s Charity Fraud Awareness Week, revealed that:

  • one in eight charities (12%) had experienced cybercrime in the previous 12 months
  • only 24% have a formal policy in place to manage the risk
  • only around half (55%) of charities report that cyber security was a fairly or very high priority in their organisation.

Stuart Sivieri, Head of Business Management for the Cyber Defence Centre at Grant Thornton, contrasted this low priority given to cybercrime among charities with the key takeaway from the Allianz Risk Barometer of January 2022: that cyber perils outrank Covid-19 and broken supply chains as the top global business risk.

He explained that it may take 3-6 weeks before a charity is again operating in a safe environment following a ransomware attack, and up to 6 months for a charity to fully recover – and this always assumes the charity is aware that it has been subject to an attack. He highlighted how threat actors – largely organised crime groups – target supply chains and how charities should factor this into their cyber risk management: many in the sector will have been impacted by the prominent ransomware attack on cloud software supplier Blackbaud in May 2020.

Picking up on Stuart’s striking visual illustration of how a data breach can easily span the globe, Sarah Tedstone, Data and Privacy Partner at Shoosmiths, highlighted how suffering a ransomware attack could leave a UK charity dealing with up to 30 data regulators around the world, each with its own legal regime and demands for information about the implications of the breach and the charity’s response to it in the wake of the attack. Charities should think about employees, donors and their supply chains.

Timelines are critical, and actions and decisions can be fast-paced, so a charity needs a breach response plan with clear lines of internal reporting. Determining whether there has been a breach, and whether external reports are needed, are issues to be decided by the right people in a charity, which may mean assembling a dedicated team. Instructing lawyers at an early stage can provide the important advantage of “legal privilege” in the context of analysing the incident and, in due course, implementing lessons learned.

Sarah explained that the recent £4.4 million fine the ICO has issued to Interserve Group represents a clear warning to organisations that the biggest cyber risk they face is not from hackers themselves but from complacency towards internal data protection compliance, which could lead to a double whammy of a cyber-attack and subsequent enforcement action. Charities should start with an up-to-date, risk-assessed data protection compliance plan with clear key priorities about appropriate technical and organisational measures. They should also document where their cyber protection work is in progress – this can be reassuring to regulators, who adopt risk-based approaches and should readily acknowledge that no organisation can do everything, all at the same time.

Jonathan Taylor (“JT”), Director and Head of Charities and Care at Innovation Broking, explained how only a limited number of insurers will offer cover for ransomware attacks and how effective policies will only be available to those charities which can demonstrate good governance, in particular robust measures in place to mitigate the risk of ransomware and other cyberattacks, such as Multi-Factor Authentication (“MFA”). As in any walk of life, you get what you pay for: premiums cheaper than the market rate will probably turn out to be too good to be true when it comes to making a claim on a policy.

Charities should take advantage of web-based resources and tools which some insurers provide so that they can be insurance-ready and calculate how much a ransomware attack might set back their operation. JT’s renewal pointers were clear: engage early; meet the underwriter; understand your cyber security; check your statement of fact (which may come back to haunt you); and ensure you know what would be covered by your policy.

Paul Rao, Head of Not for Profit at Grant Thornton, and Susie Wakefield, Head of Commercial Insurance at Shoosmiths, joined the speakers for the concluding panel discussion and reiterated some of the key messages conveyed at the conference: charity boards should seek assurance that their policies and processes are appropriate and are implemented, and charities should read the small print and work with their insurers from the outset. Good governance is essential, in particular where affordable insurance premiums are not available, and prevention rather than cure, together with self-insurance, may be the only options for some charities.

We were left with Stuart Sivieri’s concluding remark that charities will never be 100% protected from ransomware attacks – ultimately many cyber breaches are a result of human error. As the boxer Mike Tyson famously said, “Everyone has a plan until they get punched in the mouth.”

But charities can make it as difficult as possible for threat actors to succeed and so minimise the risks which the modern highwaymen of cyber space present.


This information is for educational purposes only and does not constitute legal advice. It is recommended that specific professional advice is sought before acting on any of the information given. © Shoosmiths LLP 2024.
