The last few years have seen charities of all sizes rely more heavily on digital operations, including fundraising. However, along with the many benefits comes the increased risk of cybercrime.

For the majority of people, even the thought of stealing from a charity would be abhorrent. But the reality is that cybercriminals do not discriminate when it comes to their victims.

With the increased use of online fundraising activity and digital operation—in part due to the pandemic—over half of UK charities (51%) now hold electronic records on their customers and 37% enable people to donate online.[1] This brings with it increased vulnerabilities and a greater responsibility to keep this data safe.

Why are cyber-attacks in the charity sector being underreported?

Despite many charities now having a larger digital footprint, a recent survey by the Charity Commission has highlighted some concerning statistics for charities regarding their cyber awareness.

The Charity Commission’s report found that one in eight charities experienced cybercrime last year.[1] And, according to the UK government’s Cyber Security Breaches Survey 2022, out of the organisations that did report attacks, 26% of charities estimate they were attacked at least once a week.[2]

The indication that only 34% of charities impacted by criminals are reporting breaches to the regulator suggests two things: firstly, that many organisations are underestimating the seriousness of a data breach; and secondly, that there is a significant underestimation of the online fraud actually happening within the sector today.

The nature and impact of cyber-attacks

Cybercrime in the charity sector can take many forms, such as phishing and ransomware attacks, online invoice fraud, disgruntled employees (insider attacks) and attacks by ‘hacktivists’ targeting the organisation if they disagree with its purpose or are motivated by a specific cause.

The impact of a cyber incident for a charity can be devastating. Recovering from an attack can be costly in terms of network and data recovery, fines and potential liability claims. If the incident response is too slow, it can lead to prolonged disruption to services which can impact the organisation and, crucially, its service users.

A further consequence of a cyber incident is that it can lead to significant reputational damage for the organisation and its directors. This damage can far outlast the impact of the incident itself.

When should you report a cyber-attack?

If a cyber-attack or other cyber incident (for example, due to human error) results in a data breach, you must report it to the Information Commissioner’s Office (ICO) within 72 hours of becoming aware of it.

The definition of a ‘data breach’ is a breach of security leading to “the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data.”[3]

If your organisation has experienced a serious incident of online fraud, it is also important to consider contacting the Charity Commission. This can help the regulator to identify trends and patterns of online fraud, and help prevent others from falling victim to similar incidents.

How can charities protect their organisation?

There are some simple actions you can take to improve your organisation’s cybersecurity, including using multi-factor authentication (MFA), ensuring all antivirus software is up to date, and making off-site (cloud) back-ups of your data. Employee cybersecurity training should also be conducted and updated regularly.

Partnering with a cyber risk management specialist can be invaluable as they will be able to highlight your digital vulnerabilities and help you put the necessary systems and protocols in place. Gallagher’s Cyber Risk Management Practice can help charities strengthen their defences through a range of services, including cybersecurity auditing, testing and training.


The sole purpose of this article is to provide guidance on the issues covered. This article is not intended to give legal advice, and, accordingly, it should not be relied upon. It should not be regarded as a comprehensive statement of the law and/or market practice in this area. We make no claims as to the completeness or accuracy of the information contained herein or in the links which were live at the date of publication. You should not act upon (or should refrain from acting upon) information in this publication without first seeking specific legal and/or specialist advice. Arthur J. Gallagher Insurance Brokers Limited accepts no liability for any inaccuracy, omission or mistake in this publication, nor will we be responsible for any loss which may be suffered as a result of any person relying on the information contained herein.