Maintaining Business Continuity After a Cyberattack: A Quick-Start Plan for Nonprofits

Cybercriminals are opportunists and love an easy target. Unfortunately, nonprofits remain on the short list for hackers because of the personally identifiable information they collect and store on their systems, and because most operate with a limited budget dedicated to implementing cybersecurity measures to protect against an attack.

Today, many nonprofit organizations have no plan for how they will continue to operate if they fall victim to a cyberattack. Not only is it critical for organizations to be aware of cybersecurity issues, but it is also important for them to develop a plan for maintaining continuity during the recovery process.

How a cyberattack impacts business continuity

A cyberattack can cripple an organization. When services suddenly become unavailable, the vital services that nonprofits provide come to a screeching halt, bringing to light just how dependent the organization is on its systems. Data breaches and cyberattacks among nonprofits are increasing. In addition to mitigating cyberattacks, organizations need to develop a business continuity plan (BCP).

Jump-starting a business continuity plan

According to the Nonprofit Risk Management Center (NRMC), far too many nonprofits in the U.S. are vastly unprepared when it comes to creating a BCP. Recognizing that many organizations are challenged as to where to start the BCP process, the NRMC developed a highly simplified, quick-start guide that can be used when facing an interruption to daily operations.

Reach out. In the event of a cyberattack or breach, the organization needs to determine how it can quickly communicate with all key stakeholder groups. This includes creating and maintaining a list of names, email addresses and telephone numbers that will allow quick communications to those in authority regarding operating status, staff availability, cancellations, etc. 

Draft a short must-do list. Most organizations have specific tasks that they must keep doing — despite the interruption of services. The NRMC suggests creating a short list of three to five things the organization feels are critical in determining the most plausible strategy. For many organizations, this may include a plan for how to continue to provide vital services to its most vulnerable clients. 

Know where to scale back. There isn’t a hard-and-fast timeline for just how long it may take to recover from a cyberattack. During the time when systems are down, it’s wise for organizations to shutter and limit resources where possible. The NRMC suggests that every BCP should identify the services, programs and activities that can be temporarily discontinued, delayed and scaled back for the next 45-60 days, and have a step-by-step strategy for making it happen.

Have a plan to resume operations. Create a BCP for bringing back programs that were temporarily shut down. This can include assigning a point person or using volunteers to assist with answering client questions, such as when programs and services might resume. It’s also a good time for organizations to implement a cybersecurity risk plan that includes cyber insurance.


This article outlines a short, quick-start method for developing a BCP. As normal operations resume, the NRMC advises that organizations take away lessons learned during the interruption of services in order to craft a more comprehensive BCP. And while preventing every cyber incident is impossible, nonprofits can better mitigate the risk with the right layer of insurance protection. If you haven’t already done so, educate your nonprofit clients on the importance of cyber insurance in helping them recover from a cybersecurity incident more quickly and with less downtime.

About Charity First

The incredible services that nonprofits provide come with unique and complex risks that are part of their everyday work in serving the elderly, children and other vulnerable populations. It is why Charity First is committed to providing our retail partners across the country with best-in-class underwriting, consistent and responsive service, and risk management services that include comprehensive cybersecurity coverage that can be customized to meet the individual needs of their nonprofit clients. To learn more about our cyber coverage or other products, please contact us at 800-352-2761 or