The charity sector, despite its humane mission, is not immune to cyber threats. Charities collect and manage valuable information, including user details, financial records, and personal data of beneficiaries, making them prime targets for cyber breaches or attacks. In the last 12 months, UK charities have encountered approximately 924,000 cybercrimes of various types1.

The impact of cyber threats on digital operations and service delivery of charities:

  • 32% of UK charities reported some form of cyber security breach or attack in the last 12 months1.
  • 38% of cyber-attacks on charities affected the service, resulting in 19% adverse outcomes2.
  • 39% of charities report seeking information or guidance on cybersecurity from outside their organisation1.

Our Gallagher Cyber Risk Management team has identified the most frequent cyber threats faced by the charity sector and provided practical advice to avoid these:

Phishing attacks

Phishing remains one of the most common types of cyber breaches or attacks, with 83% of charities reporting a phishing attack in the last 12 months1. Cybercriminals often impersonate organisations or individuals to trick employees into divulging sensitive information such as login credentials or financial details.

Gallagher Cyber Risk Management remedial advice: Prioritise employee training on recognising suspicious emails and requests for sensitive information. Keep software updated regularly, implement email filtering systems to stop phishing attempts, and enable multi-factor authentication for added security.

Data breaches

Charities often handle sensitive user information, including their financial details and personally identifiable information. Data breaches resulting from cyberattacks can lead to exposure of sensitive data, potentially violating regulations.

Gallagher Cyber Risk Management remedial advice: Implement strong access controls and encryption for sensitive data, conduct backups, update systems on regular basis, scrutinise third-party vendors rigorously, and establish robust incident response strategies.


Cyber criminals encrypt an organisation’s critical data and demand a ransom for its release. Given the importance of data integrity for charities, ransomware can potentially disrupt the organisation’s operations and break user trust.

Gallagher Cyber Risk Management remedial advice: Educate staff on identifying phishing emails and suspicious links, implement a robust backup strategy, segment networks to restrict access to sensitive data, and stay updated on the latest ransomware trends and techniques.

Supply chain attacks

Charities depend on third-party vendors for services such as fundraising platforms, IT support, and cloud services. However, these vendors can introduce vulnerabilities into the organisation’s infrastructure, which becomes a potential entry point for cyber attackers. Only 26% of charities have undertaken cyber security risk assessments in 20231.

Gallagher Cyber Risk Management remedial advice: Implement vendor security assessments, use secure communication channels such as encrypted emails or secure file transfer protocols, monitor supplier activity on your network, and establish clear contractual obligations.

Insider threats

While charities typically have passionate staff, insider threats cannot be ignored. Unhappy employees or volunteers may intentionally or unintentionally compromise the organisation's security by leaking sensitive information or engaging in malicious activities.

Gallagher Cyber Risk Management remedial advice: Implement monitoring tools to track employee actions, establish clear policies and procedures for handling sensitive information, limit access to sensitive and confidential data, and provide regular security awareness training to employees.

Range and ramifications of cyber threats

Cyber-attacks on charities can take different forms, such as phishing, ransomware, online invoice fraud, insider threats, and activism-driven hacking. The repercussions of these incidents extend beyond immediate financial losses to network and data recovery expenses, potential fines, and liability claims. However, the reputational damage that undermines stakeholder trust and stymies service delivery could potentially be more harmful.

The significance of incident reporting

Reporting a cyber incident immediately upon its discovery is a regulatory obligation and a critical step to mitigate damage and aid the fight against cybercrime. The Information Commissioner's Office (ICO) mandates reporting of data breaches within 72 hours — and stresses the importance of promptly acknowledging and addressing cybersecurity lapses. Beyond compliance, reporting facilitates pattern recognition and establishes preventative measures across the sector.

Fortifying charities against cyber risks

Charitable organisations are responsible for ensuring their system's security and enabling optimal risk management strategies in light of impending cyber-attacks. Charities can considerably enhance cybersecurity by implementing simple measures, including multi-factor authentication, updating anti-virus software, and maintaining cloud backups. The focus should also be placed on updating staff and conducting regular cybersecurity training to minimise the risk of cyber-attacks. Collaborating with experts in cyber risk management can help charities identify vulnerabilities, enforce protections, and stay ahead of evolving cyber threats.

To find out more, please get in touch with Gallagher's Charities SME & Mid-Market Team or call us on 0121 407 4101. We’re here to support you.


1 Cyber security breaches survey 2024. 9 Apr 2024.
2 Cyber threat report: UK charity sector. Jan 2023. PDF File.


The sole purpose of this article is to provide guidance on the issues covered. This article is not intended to give legal advice, and, accordingly, it should not be relied upon. It should not be regarded as a comprehensive statement of the law and/or market practice in this area. We make no claims as to the completeness or accuracy of the information contained herein or in the links which were live at the date of publication. You should not act upon (or should refrain from acting upon) information in this publication without first seeking specific legal and/or specialist advice. Arthur J. Gallagher Insurance Brokers Limited accepts no liability for any inaccuracy, omission or mistake in this publication, nor will we be responsible for any loss which may be suffered as a result of any person relying on the information contained herein.
Arthur J. Gallagher Insurance Brokers Limited is authorised and regulated by the Financial Conduct Authority. Registered Office: Spectrum Building, 55 Blythswood Street, Glasgow, G2 7AT. Registered in Scotland. Company Number: SC108909. FP650-2024. Exp 24.04.2025