New laws push cyber security onto the board agenda for not-for-profits

Australia’s not-for-profit (NFP) sector is under growing pressure to strengthen cyber security, as escalating attacks coincide with new legislation that makes data protection a board-level responsibility.

BDO Cyber Security Leader, Leon Fouche, said the combination of rising incidents and tougher compliance requirements marks a critical turning point for the sector.

“Cyber criminals have realised NFPs hold valuable data but often lack the same defences as corporates,” Leon said.

“Just one breach can undo years of hard work and destroy the trust that underpins every organisation. Protecting data now means protecting the mission.”

The Cyber Security Act 2024 requires larger NFPs to report ransomware payments within 72 hours and disclose incidents in sectors such as aged care and health.

Privacy Act reforms and the Notifiable Data Breaches Scheme add further obligations, while the Australian Charities and Not-for-profits Commission (ACNC) now treats cyber security as a governance responsibility for boards.

Meanwhile, the Australian Cyber Security Centre warns that attacks on small and medium-sized organisations, including most NFPs, are rising, with the average cost of an incident exceeding $46,000.

Recent cases have seen aged care services disrupted, donations diverted through compromised staff emails, and donor data exposed via third-party fundraising platforms.

“These reforms make it clear cyber security is no longer just an IT issue,” Leon said.

“It belongs on the governance agenda alongside finances and compliance.”

Despite limited resources, Leon said there are achievable steps every NFP can take: enabling multi-factor authentication, training staff and volunteers to recognise phishing, backing up data securely, and reviewing supplier protections.

“As NFPs adopt cloud platforms and AI-driven tools, their risk profile is expanding,” Leon said.

“The organisations that act now will be the ones that maintain donor confidence and continue serving vulnerable communities.”
 


For media enquiries:

Tate Papworth 
Manager, Media 
E: Tate.Papworth@bdo.com.au 
Ph: 0433411189