Nonprofits & NGOs · Guide

Why your funder is asking about cybersecurity — and what to tell them

7 min read

If you're a nonprofit or NGO and your latest grant report included a section on "cybersecurity controls" or "data protection measures" that wasn't there last year — you're not imagining things. Funders are asking these questions more frequently, more specifically, and with higher expectations for the answers.

This isn't a trend that's going away. Here's why it's happening, what funders actually want to hear, and how to build a response you can stand behind.

Why this is happening now

Several forces are converging at once:

High-profile nonprofit breaches are making headlines. When a well-known NGO loses donor records or beneficiary data, every funder in the ecosystem takes notice. Foundation boards are asking their own program officers harder questions about grantee risk.
Regulatory pressure is trickling down. GDPR, state privacy laws, and sector-specific regulations don't just apply to corporations. Funders themselves are subject to data handling requirements, and they're increasingly extending those expectations to the organizations they fund.
Cyber insurance requirements are tightening. Many foundations now carry cyber insurance that requires them to demonstrate due diligence around grantee data practices. Your funder's insurer may be the one actually driving the question.
The threat landscape for mission-driven organizations is real. Nonprofits and NGOs — especially those working in human rights, press freedom, or politically sensitive areas — face targeted threats from state actors, not just opportunistic criminals. Funders are recognizing that the organizations they support are genuinely at risk.

What funders are actually asking

The questions vary in specificity, but they generally fall into a few categories:

1. "Do you have a cybersecurity policy?"

This is the baseline question. Funders want to know you've thought about security at an organizational level — not just that individual staff members are "being careful." A cybersecurity policy doesn't need to be a 40-page document. It needs to cover how you handle sensitive data, who has access to what, what happens when someone leaves, and what you do if something goes wrong.

2. "Have you had a security assessment?"

This is where it gets more pointed. Funders are increasingly asking not just whether you have policies, but whether anyone has verified that your controls actually work. A security assessment — even a focused one scaled to your organization's size — is the most direct way to answer this question with evidence rather than assumptions.

3. "Where is beneficiary/donor data stored?"

Data residency is becoming a real concern, especially for organizations working internationally or handling sensitive population data. Funders want to know: which cloud provider, which jurisdiction, who has access, and what your data retention practices look like. "We use Google Drive" is no longer a sufficient answer.

4. "What would you do in a breach?"

Incident response capability is the area where most nonprofits struggle the most — and where funders are pushing the hardest. They want to know you have a plan, that someone is responsible for executing it, and that you've at least walked through it once. The honest answer for most organizations is "we don't know," which is exactly why the question is being asked.

What a good answer looks like

Funders aren't expecting you to have a Fortune 500 security program. They're expecting you to have thought about this seriously and taken proportionate action. A strong response typically includes:

Evidence of assessment. A report from a qualified third party showing what was tested and what was found — not a self-reported questionnaire.
A prioritized remediation plan. What are you fixing, in what order, and by when? This shows you're treating findings seriously.
Clear data handling practices. Where sensitive data lives, who can access it, how it's protected at rest and in transit, and what your retention policies are.
An incident response plan. Even a lightweight one — with defined roles, escalation contacts, and communication templates — demonstrates maturity.
Staff training. Evidence that your team has received practical, role-appropriate security training — not a checkbox e-learning module.

How to get there without enterprise resources

The gap between "we haven't done anything formal" and "we have a credible security posture" is smaller than most organizations think. It doesn't require a full-time security hire or a six-figure budget.

A focused security assessment, basic hardening of your existing tools, practical staff training, and a documented response plan can typically be completed in a few weeks. If your data handling practices need attention — moving sensitive files to infrastructure with clear residency and access controls — that can often be addressed in the same engagement.

The key is starting with your actual risk profile and your funders' specific expectations, rather than trying to implement a generic security framework designed for organizations ten times your size.

"The organizations we work with are often surprised by how achievable a credible security posture is once you strip away the enterprise complexity and focus on what actually matters for their size and threat model."

Facing funder security questions for the first time?

We help nonprofits and NGOs build a security posture they can document, defend, and actually maintain — scoped to your budget and your real risks.

Schedule a call