Charity Trustee Cybersecurity FAQ: What Boards Must Know

Charity trustees increasingly face cybersecurity questions they are uncertain how to answer. This FAQ provides the information trustees need to fulfil their governance responsibilities — without requiring technical expertise.

The Charity Commission expects trustees to demonstrate active oversight of cyber risk — yet only 24% of charity boards have received a cybersecurity briefing in the last 12 months.

Frequently Asked Questions

What are trustees legally responsible for in cybersecurity?

Trustees have a fiduciary duty to manage the risks to the charity — and the Charity Commission has explicitly stated that this includes cybersecurity risks. Trustees must: ensure the charity has appropriate systems and controls to protect data and operational systems; understand the key cyber risks facing the charity; hold management accountable for implementing appropriate controls; ensure serious cyber incidents are reported to the Charity Commission when required; and maintain adequate cyber insurance. Trustees do not need to be technical experts, but they must ask the right questions and ensure they are getting substantive answers.

What should trustees be asking management about cybersecurity?

At minimum annually: What is our most sensitive data and what would happen if it was breached? What are our biggest cyber risks and how are they being managed? When did we last test our incident response and backup recovery? Are we GDPR compliant and DSPT compliant where required? Do we have appropriate cyber insurance? And when were staff last trained on cybersecurity? The answers should be specific and evidenced — not general assurances. If management cannot answer these questions with specifics, that is itself a governance finding.

What cyber insurance should our charity have?

Whether cyber insurance is appropriate depends on your charity's size, data sensitivity, and financial resilience. For charities with: significant beneficiary data (particularly vulnerable groups); annual income over £500,000; complex IT environments; or limited financial reserves to absorb an incident cost — cyber insurance provides valuable protection. A basic charity cyber policy covering incident response, breach notification, and business interruption typically costs £1,200–£4,000 per year. For smaller charities with limited data assets and strong free controls in place, the investment may be better directed at security controls. Seek advice from a specialist charity insurance broker.

Do we need to tell the Charity Commission about a cyber incident?

Yes, if it is a serious incident. The Charity Commission's serious incident reporting requirement covers incidents that: significantly harm or put at risk beneficiaries, staff, or volunteers; result in significant loss of charitable funds or assets; damage the charity's reputation significantly; involve criminal activity including cyber fraud; or prevent the charity from carrying out its charitable activities. A data breach affecting beneficiaries, a ransomware attack disrupting services, or a cyber-enabled fraud would all typically require reporting. Report as soon as reasonably practicable — ideally within 24 hours. This is in addition to any ICO notification obligation under GDPR.

Kyanite Blue specialises in cybersecurity for iGaming operators. MGA-licensed operators across Malta trust our stack.
