Why cyber insurance is different for nonprofits
Nonprofits run on trust and on data: donor names and payment details, beneficiary records that can be deeply sensitive (health, immigration, domestic-violence, youth), and the financial systems that process grants and donations. Yet most nonprofits operate with thin IT budgets, volunteer or part-time tech help, and a culture of openness — a combination attackers exploit and underwriters worry about. A breach of donor data does not just cost money; it threatens the donor relationships the organization depends on to exist.
The regulatory picture is the same as any business handling personal data: state breach-notification laws apply, organizations taking card donations fall under PCI obligations, and those working with health or government-funded programs may inherit HIPAA or grant-specific security requirements. What’s different is capacity. Underwriters understand nonprofits lack large security teams, so they look hardest at whether the high-leverage, low-cost controls are turned on — the ones that stop the common attacks without a big spend.
The good news for the sector is that the controls that matter most are mostly free configuration, not new tools. MFA across email and admin accounts, email authentication to stop donor-facing spoofing, a tested cloud backup, and annual awareness training for staff and key volunteers cover the bulk of what carriers weight. Underwriters also probe access control — nonprofits accumulate accounts for departed volunteers and board members — and vendor access, since fundraising platforms and outsourced IT touch donor data. A nonprofit that closes those gaps presents as a disciplined risk despite a modest budget.
The regulatory and contractual pressures underwriters expect nonprofits to have already accounted for.
Priority controls
Drawn verbatim from the 47-control Cyber Insurance Prep Checklist — with why each one matters specifically for your vertical.
Require multi-factor authentication on every email account.
Donor and beneficiary data lives in email and CRM; MFA is the single highest-leverage, zero-cost control and the first thing a nonprofit underwriter checks.
Use no shared or generic admin credentials — each admin has a unique account.
Nonprofits accumulate shared logins for volunteers and board members; unique accounts and no shared admin credentials are a frequent, fixable gap.
Publish DMARC set to p=quarantine or p=reject.
Attackers spoof a charity’s domain to defraud donors; DMARC enforcement protects the donor trust the organization runs on, at no software cost.
Keep at least one air-gapped or append-only backup.
Limited budgets make paying a ransom impossible; an air-gapped or cloud backup is how a nonprofit recovers donor and program data without funds it doesn’t have.
Encrypt sensitive customer data at rest (PII, PHI, payment card).
Beneficiary records can be exceptionally sensitive; encryption at rest protects vulnerable populations and answers funder and breach-law expectations.
Provide security awareness training to all employees annually.
Staff and volunteers are the entry point and turn over often; annual awareness training is the low-cost human control carriers expect.
Limit third-party vendor remote access to approved windows, with MFA.
Fundraising platforms and outsourced IT touch donor data; controlling and logging that vendor access is weighted even for small organizations.
These are 7 of the 47 controls. The full checklist covers all of them — required, premium-affecting, and disqualifying — with verification and remediation steps.
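The DMARC control above asks for p=quarantine or p=reject, and underwriters read the published record literally. As an added example (not part of the checklist or this page), the Python below grades a DMARC TXT record against that expectation and flags the common ways a record looks enforcing but is not: monitor-only p=none, a pct= below 100, a weaker sp= for subdomains, or a missing v=DMARC1 tag. The sample records and domains are constructed; a live check would fetch the _dmarc.<domain> TXT record via DNS.

```python
# Constructed sample records keyed by placeholder domains (not real organisations).
SAMPLE_RECORDS = {
    "enforcing.example": "v=DMARC1; p=reject; rua=mailto:dmarc@enforcing.example",
    "monitor-only.example": "v=DMARC1; p=none; rua=mailto:dmarc@monitor-only.example",
    "partial.example": "v=DMARC1; p=quarantine; pct=25; rua=mailto:d@partial.example",
    "weak-subdomain.example": "v=DMARC1; p=reject; sp=none",
    "broken.example": "p=reject",
}

ENFORCING = {"quarantine", "reject"}


def parse_dmarc(record: str) -> dict:
    """Split a DMARC TXT record into its tag=value pairs (tags lower-cased)."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def assess_dmarc(record: str) -> list[str]:
    """Return findings for the record; an empty list means it enforces fully."""
    tags = parse_dmarc(record)
    findings = []
    if tags.get("v", "").upper() != "DMARC1":
        # Receivers ignore a record without the version tag, so nothing else matters.
        findings.append("missing or invalid v=DMARC1 tag; receivers ignore the record")
        return findings
    policy = tags.get("p", "").lower()
    if policy not in ENFORCING:
        findings.append(f"p={policy or 'missing'} is monitor-only; expected quarantine or reject")
    pct = tags.get("pct", "100")
    if not pct.isdigit() or int(pct) < 100:
        findings.append(f"pct={pct} applies the policy to only part of the mail stream")
    # Subdomain policy defaults to p= when sp= is absent.
    sub_policy = tags.get("sp", policy).lower()
    if sub_policy not in ENFORCING:
        findings.append(f"sp={sub_policy} leaves subdomains open to spoofing")
    if "rua" not in tags:
        findings.append("no rua= address; aggregate reports are how spoofing gets noticed")
    return findings


def is_enforcing(record: str) -> bool:
    """True only when the record has no findings at all."""
    return not assess_dmarc(record)


if __name__ == "__main__":
    for domain, record in SAMPLE_RECORDS.items():
        status = "OK " if is_enforcing(record) else "FIX"
        print(f"{status} {domain}: {assess_dmarc(record) or 'enforcing'}")
```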
Yes. The controls underwriters weight most for nonprofits — MFA, email authentication, unique accounts, a tested cloud backup, awareness training — are largely free configuration inside the email and productivity tools you already pay for. Carriers reward turning these on far more than they reward expensive tooling.
Nonprofits tend to create logins for volunteers and board members and never remove them, leaving dormant accounts and shared passwords that attackers exploit. Unique accounts, prompt deprovisioning, and no shared admin credentials are simple, no-cost fixes that materially improve both security and your application.
Beyond direct costs, the deepest damage is to donor trust and beneficiary safety — a breach of donor payment data or sensitive beneficiary records can erode the relationships and reputation the organization depends on. That reputational exposure is why carriers want donor-facing controls like email authentication and encryption in place.