Charity Commission Cybersecurity Requirements: What Trustees Must Have in Place
In 2023, the Charity Commission published updated guidance making explicit what has always been implied: cybersecurity risk management is a trustee responsibility, not an IT department concern. Trustees who fail to ensure their charity has appropriate safeguards for donor data, beneficiary information, and operational systems may be in breach of their fiduciary duty. The Commission has used evidence of poor cyber governance as grounds for inquiry in several cases. For charity leaders, this is the starting point: cyber risk is a governance issue that belongs in the boardroom, not the back office.
The Charity Commission's 2023 guidance explicitly states that trustees are responsible for cybersecurity as a matter of charity governance — not just operational management.
What the Charity Commission Expects from Trustees
Charity Commission guidance on cybersecurity expects trustees to: understand the cyber risks facing their charity and ensure those risks are actively managed; ensure the charity has appropriate policies and procedures for data security; take reasonable steps to protect sensitive beneficiary, donor, and staff data from loss, theft, or misuse; respond promptly and appropriately to cyber incidents including making statutory reports to the Commission where required; maintain adequate cyber insurance appropriate to the charity's risk profile; and satisfy themselves — not just the IT team — that cybersecurity controls are effective. This does not require trustees to be technical experts, but it does require them to ask the right questions, understand the answers, and hold management accountable for implementation.
Reporting Serious Cyber Incidents to the Charity Commission
Charities with an annual income over £25,000 are required to report serious incidents to the Charity Commission, including significant cybersecurity incidents. A serious cyber incident typically includes: a data breach affecting beneficiaries, donors, or employees; a ransomware attack that disrupts the charity's operations; fraudulent activity enabled by a cyber compromise (such as phishing-enabled payment fraud); or a cyberattack that threatens the charity's ability to carry out its charitable purposes. The Commission expects prompt reporting — ideally within 24 hours of the incident becoming apparent — and will assess whether the charity had adequate prior safeguards. Incidents that result from demonstrable governance failures (no trustee oversight, no policies, no incident response capability) attract greater scrutiny.