If you serve on the board of a nonprofit in Northern Virginia or the Washington DC area, cybersecurity is now part of your fiduciary duty — whether you feel qualified to oversee it or not. The days when boards could reasonably delegate technology entirely to staff and forget about it are over.
This is not about becoming a technical expert. It is about asking the right questions, ensuring adequate resources, and holding someone accountable. The same governance principles that apply to financial oversight apply to cybersecurity: you do not personally prepare the audit, but you are responsible for ensuring one happens and that findings are addressed.
Why Cybersecurity Is a Board-Level Issue
Three converging forces have made cybersecurity an unavoidable governance responsibility for nonprofit boards:
- Legal liability is real. The duty of care requires directors to stay reasonably informed about material organizational risks. A board that never discusses cybersecurity cannot claim it exercised reasonable oversight when a breach exposes donor records or client data.
- Funders and regulators expect it. Government grantors (federal, Virginia, DC, Maryland) increasingly require evidence of cybersecurity governance. Private foundations are adding data security requirements to grant agreements. If your board cannot demonstrate oversight, you may lose funding eligibility.
- The mission depends on it. A ransomware attack that takes down your systems for two weeks does not just cost money — it interrupts services to the communities you serve. For human services nonprofits across NoVA serving vulnerable populations, system downtime can literally harm people.
The Governance Standard: You do not need to understand encryption algorithms. You need to verify that someone competent is responsible for cybersecurity, that they have adequate resources, that risks are being assessed regularly, and that the organization can recover from an incident. That is governance.
The Board's Five Core Cybersecurity Responsibilities
1. Ensure a Risk Assessment Exists and Is Current
A cybersecurity risk assessment identifies what data your organization holds, where it lives, what threats exist, and how protected (or exposed) you are. Every nonprofit should have one — and it should be updated annually at minimum.
The board's role is not to conduct the assessment. It is to:
- Confirm that a qualified person or firm conducted it within the past 12 months
- Receive a summary of key findings in language the board can understand
- Verify that identified risks have mitigation plans with timelines and owners
- Approve budget allocation to address critical findings
For nonprofits in Northern Virginia handling donor PII, client case data, or government grant information, this is non-negotiable. If you cannot point to a current risk assessment, your governance has a gap.
2. Allocate Adequate Cybersecurity Budget
Cybersecurity consistently ranks among the most underfunded areas in nonprofit organizations. Boards bear responsibility for this because they approve budgets.
Benchmarks for nonprofits in the DC metro area:
- Organizations under $2M budget: 3-5% of overall budget allocated to IT, with at least 20% of that specifically for security (training, tools, assessments)
- Organizations $2M-$10M: Dedicated IT/security line item of $40,000-$120,000 annually
- Organizations over $10M: Consider dedicated security staff or a managed security services contract
If your IT budget is zero dollars or "whatever we can scrape together," the board has failed its oversight duty. Cybersecurity costs money — and it costs far less than a breach.
Funding Opportunity: Several federal and private programs fund nonprofit cybersecurity improvements. The Nonprofit Security Grant Program (NSGP), state-level Cybersecurity Grant Programs, and foundations like Craig Newmark Philanthropies specifically fund security upgrades. Your IT partner should help you identify and apply for these. See our full grants guide.
3. Establish and Approve Key Policies
The board should review and approve foundational cybersecurity policies — not write them, but ensure they exist and are reasonable. Essential policies include:
- Acceptable Use Policy — defines how staff may use organizational technology
- Data Classification and Retention Policy — what data do we keep, for how long, and at what protection level
- Incident Response Plan — what happens when something goes wrong (including board notification triggers)
- Vendor Security Policy — minimum security requirements for technology vendors handling your data
- Backup and Recovery Policy — how often, where stored, how quickly can we recover
These policies should be reviewed annually by the board (or a designated committee) and updated when the organization's technology, size, or risk profile changes.
4. Require Regular Reporting
Governance without information is performative. The board needs regular cybersecurity reporting to fulfill its oversight function. A practical cadence:
- Every board meeting: 5-minute status update — any incidents, any policy changes, any emerging risks, training completion rates
- Quarterly: Written report covering metrics (phishing test results, patch compliance, backup test results), budget tracking, and upcoming initiatives
- Annually: Comprehensive risk assessment review, insurance coverage adequacy, policy refresh, strategic technology roadmap
The reporting should come in language board members can act on — not technical jargon. If your IT provider cannot explain risks in plain English, that is a red flag about the provider.
5. Ensure Adequate Insurance Coverage
Cyber insurance is no longer optional for nonprofits holding sensitive data. The board should:
- Verify that a standalone cyber insurance policy exists (general liability typically excludes cyber events)
- Confirm coverage limits are adequate for the organization's data exposure (consider number of records, type of data, regulatory environment)
- Review policy exclusions — many policies deny claims that involve unpatched systems, accounts without MFA, or failure to maintain the basic controls represented on the application
- Ensure D&O coverage extends to cyber-related claims against board members
Board Cybersecurity Governance Checklist
- Current cybersecurity risk assessment on file (dated within 12 months)
- Cybersecurity is a standing agenda item at board meetings
- Annual cybersecurity budget reviewed and approved by the board
- Incident response plan exists and names board notification triggers
- Key policies (acceptable use, data retention, vendor security) approved by board
- Cyber insurance policy in place with adequate coverage limits
- D&O insurance covers cyber-related claims
- Staff security awareness training completion tracked and reported to board
- Designated board member or committee assigned cybersecurity oversight
- Annual board education session on current cyber threats (15-30 minutes is enough)
- Vendor security review conducted for any provider handling sensitive data
- Backup and disaster recovery capability tested and results reported to board
Common Mistakes Nonprofit Boards Make
- "We're too small to be a target." Attackers automate. They do not manually select targets based on size. If you have a domain, email addresses, and a bank account, you are a target. Period.
- Confusing compliance with security. Filling out a funder's security questionnaire does not make you secure. Governance means ensuring the answers on that questionnaire are actually true — and backed by evidence.
- Delegating without accountability. "Our ED handles technology" is not governance. The board must receive reporting and verify that responsibilities are being fulfilled, just like financial oversight.
- Ignoring insider risk. Nonprofits experience high staff turnover and rely heavily on volunteers. Offboarding procedures, access reviews, and separation of duties matter enormously in this environment.
- One-time effort mentality. Cybersecurity is ongoing — threats evolve, staff change, technology updates. A risk assessment from 2023 is not current. Annual reviews are the minimum standard.
For Board Chairs in NoVA: If cybersecurity has never appeared on your board agenda, start with a single action: add a 15-minute "cybersecurity status" item to your next meeting and ask your ED to present. That one step transforms your governance posture from absent to engaged. Build from there.
What Should Your Board Do Next?
If your board has not formally engaged with cybersecurity yet, here is a realistic three-meeting roadmap:
- Next meeting: Add cybersecurity to the agenda. Ask the ED three questions — do we have a risk assessment? Do we have cyber insurance? Who is responsible for security day-to-day?
- Following meeting: Review whatever assessment exists (or commission one if it does not). Receive a plain-English summary of top risks and cost estimates for mitigation.
- Third meeting: Approve a cybersecurity budget allocation, designate a board oversight owner (individual or committee), and establish a quarterly reporting cadence.
JPert INC works with nonprofits across Northern Virginia and Washington DC to provide the technical execution and board-ready reporting that makes governance practical. We can present directly to your board, conduct the risk assessment, and deliver quarterly reports your directors can actually understand and act on.
Contact us for a board-friendly assessment — we will evaluate your current state and provide a clear, jargon-free roadmap your board can govern against.