Cybersecurity is often viewed primarily as a technology responsibility handled by an organization’s IT team or third-party providers.
As nonprofit operations become more digital and funding depends increasingly on online engagement, the risk of cyber incidents interrupting cash flow, delaying programs or eroding donor trust rises. Increasingly, nonprofit leaders are treating cybersecurity as an operational priority that shapes financial resilience beyond technology systems.
Why nonprofit cybersecurity has become a financial leadership priority
Cyber threats have grown in both scale and intent, and nonprofits are increasingly part of that environment. In 2025, Americans lost more than $20 billion to online scams, with phishing emails and account takeovers among the most common methods used¹.
70% of nonprofit organizations say their exposure to potential cyber threats increased over the past year, up from 51% in 2024².
Within the nonprofit sector, many organizations are increasingly becoming a target for cybercriminals because they store highly sensitive information, including donor profiles and payment details, without having a dedicated cybersecurity team ready to act.
This reflects a broader pattern across industries. While many business leaders remain confident in their day-to-day operations, uncertainty continues to influence planning decisions. According to the Huntington Bank 2026 Beyond Business Report, 63% of respondents cited economic and operational disruption as a top concern³.
Risks that emerge unexpectedly and escalate quickly tend to test organizational resilience across people, processes, technology and finances, with financial impacts often emerging first. For nonprofits operating with limited cash reserves and a high degree of accountability to donors and communities, these risks deserve the same level of attention as more familiar financial exposures.
The financial impact of a cyber incident
For nonprofits, a cyber incident is rarely a short inconvenience. What begins as an operational disruption can quickly evolve into a broader financial challenge with lasting consequences.
Initially, the impact is often immediate. Leadership may suddenly lose access to accounting systems or online banking. Payroll may be delayed. Staff may be unsure whether donor funds were deposited correctly or whether transactions were authorized. These situations can place pressure on cash flow, particularly for organizations operating with tight funding cycles. Even short delays can affect employees, vendors and program delivery.
The average cost of a data breach impacting nonprofit organizations is $200,000⁴.
Over time, the financial effects may extend beyond the initial disruption. Recovery efforts may require unplanned spending related to investigating the cyber incident and legal support.
Additionally, donor confidence can be affected when sensitive information is exposed. In fact, a survey found that 28% of respondents stated they would not donate to a nonprofit again if their data was compromised⁵; 52% said they would hold off donating until the issue was resolved. In this context, cybersecurity and financial risks are closely connected.
Taken together, these short-term disruptions and longer-term pressures illustrate why cybersecurity incidents should be viewed as financial risks that can affect liquidity, fundraising and operational stability well beyond the moment of the cybercrime.
Where nonprofit cybersecurity risk tends to concentrate
Even as cyber threats continue to evolve, phishing emails and text messages remain a common entry point. These messages often impersonate nonprofit leaders or trusted partners to initiate fraudulent payments or obtain access credentials.
Managing organizational access controls remains a challenge. Shared passwords, inconsistent use of multi-factor authentication (MFA) and broad administrative permissions make it easier for a single compromised account to affect multiple systems. Financial and donor platforms are especially attractive targets because they connect directly to funds, while third-party systems used for fundraising and payroll can quietly accumulate risk when access permissions are not actively reviewed or managed.
Reframing nonprofit cybersecurity as a financial control
Cybersecurity is no longer a technical function to be delegated. For nonprofits, it must become part of the organization’s resilience and governance strategy.
Viewed through a financial lens, a cybersecurity program supports internal controls, including role-based access control (RBAC). These controls help determine who can access systems, approve transactions and release payments. The program also connects to resiliency planning, ensuring the organization can continue paying staff, vendors and program costs if systems are disrupted.
A cybersecurity program helps leadership teams maintain control during moments that might otherwise feel rushed or uncertain.
Preparing for a cyber incident before one happens
In her work with community, industry and governmental organizations, Amber Buening, Security Outreach Director at Huntington Bank, emphasizes that preparedness starts with protecting access, approvals and financial records that keep operations moving.
Nonprofits can reduce risk by prioritizing a few practical areas:
- Protect access to critical systems. Enable multi-factor authentication (MFA) for email, banking and donor platforms, and regularly review who has access to vital accounts and systems, especially financial ones.
- Safeguard the ability to make and receive payments. Ensure accounting and payment systems can be accessed securely by more than one trusted staff member, confirm backup processes exist if primary access is disrupted and require verification for any requests to change payment instructions.
- Ensure critical systems and business data are backed up regularly and securely. Prioritize essential data such as financial records, donor information, payroll and other data required for daily operations and continuity.
- Build awareness. Provide staff and volunteers with simple guidance on recognizing phishing attempts and reporting suspicious activity. Establishing a strong security culture at your organization can help protect against attacks and mitigate damage.
- Create or strengthen your resiliency plan. Bolster your organization’s approach to responding to cyber threats or other operational disruptions. Clearly define who makes decisions, who communicates with vendors and banks and who approves payments if an incident occurs.
When expectations are clear and access is controlled, leadership teams are better positioned to respond calmly rather than react under pressure. For some nonprofits, cyber liability insurance may also serve as a complementary recovery tool when it’s aligned with preparedness planning.