Trustee Guide to Cybersecurity: What Charity Boards Must Do and Understand

The Charity Commission has been explicit: cybersecurity is a trustee responsibility. Trustees do not need to be technical experts, but they do need to ask the right questions, understand the answers, and ensure that management is held accountable for implementing appropriate controls. This guide provides the practical framework for trustee-level cybersecurity governance in charities of all sizes.

Only 24% of UK charity boards have received formal cybersecurity briefing in the last 12 months — yet the Charity Commission expects trustees to demonstrate active oversight of cyber risk.

Six Questions Every Charity Trustee Should Be Asking

Trustees should ensure the following questions are asked and answered at least annually:

1) What is our most sensitive data, and what would happen if it was stolen or exposed? (The answer should identify the specific beneficiary groups at risk and the specific harm a breach could cause.)

2) What are our biggest cyber risks, and how are they being managed? (The answer should reference specific threats — ransomware, phishing fraud, supplier breach — and specific controls.)

3) Have we tested our incident response? (The answer should confirm that the team has actually rehearsed what to do in an incident, not just that a plan exists on paper.)

4) Are we GDPR compliant and DSPT compliant where required? (The answer should confirm current compliance status, not just general assurance.)

5) Are our critical systems backed up, and can we restore them? (The answer should include the date of the last restore test.)

6) Do we have appropriate cyber insurance?

What Trustees Should Include in Cyber Governance

Trustee-level cyber governance should include:

- cyber and data risk on the charity's risk register, with a clear risk owner (typically the CEO or Operations Director);
- an annual trustee briefing on the current cyber threat landscape and the charity's security posture (delivered by the IT lead or an external specialist);
- review of any significant incidents, near-misses, or data breaches reported in the previous year;
- confirmation of GDPR compliance status, including DSPT if required;
- review of cyber insurance coverage and its alignment to actual risk;
- a periodic penetration test or security assessment to provide independent assurance.

Kyanite Blue provides trustee cybersecurity briefings and governance framework design for charities, giving trustees the knowledge and frameworks to fulfil their governance responsibilities.