
Charity Cybersecurity FAQ: Common Questions from UK Charities

Charity cybersecurity generates consistent questions — from trustees unsure of their governance obligations, to finance managers worried about BEC fraud, to IT leads trying to achieve Cyber Essentials on a limited budget. This FAQ addresses the most common questions from UK charities.

38% of UK charities experienced a cybersecurity breach or attack in the last 12 months — yet most could be prevented with basic controls.

Frequently Asked Questions

Are charities required to complete the NHS DSPT?

Yes, if your charity accesses NHS systems or patient data. This includes charities providing health or social care services under NHS contracts, those with access to NHSmail, the Summary Care Record, or any NHS shared care record system. The DSPT completion deadline is 30 June each year, and charities must achieve at least Approaching Standards to maintain NHS system access. NHS England provides simplified DSPT pathways for smaller social care providers.

Do we need to report a cyber incident to the Charity Commission?

Yes, if it is a serious incident. All registered charities should report serious incidents to the Charity Commission, including significant data breaches, ransomware attacks that disrupt operations, or cyber-enabled fraud (charities with income over £25,000 must also confirm in their annual return that any serious incidents were reported). Report as soon as reasonably practicable after becoming aware of the incident (ideally within 24 hours); do not wait until the incident is fully resolved. This is separate from the ICO notification requirement under the UK GDPR, which has a 72-hour deadline for personal data breaches likely to result in a risk to individuals. Both may apply simultaneously for a significant cyber incident involving personal data.

What is the cheapest way to significantly improve our security?

Enable multi-factor authentication (MFA) on every account, starting with email, finance and administrator accounts. This single control defeats most account-based attacks (phishing-enabled account takeover, credential stuffing, password reuse) that lead to BEC fraud and ransomware. It is free using the Microsoft or Google authenticator apps, can be switched on in Microsoft 365 or Google Workspace in an afternoon, and dramatically changes the risk profile of your charity. Prefer app-based or hardware-key MFA over SMS codes, and make sure MFA is enforced (for example through Microsoft 365 security defaults or a Conditional Access policy) rather than merely offered, or the accounts that matter most will be the ones that never register. The second most impactful free action is a payment verification rule: any new payee or change of bank details requires a phone call to a number already held on file (never one taken from the request email) before the payment is made, and the call confirms the full account details, not just that a change was requested.
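Before MFA can be enforced it helps to know who has not registered a method yet. The following PowerShell script is an added example, not code from the original page or from any product it mentions; it assumes a Microsoft 365 tenant, the Microsoft.Graph PowerShell SDK installed (Install-Module Microsoft.Graph), and an administrator who can consent to the report permissions named in the Connect-MgGraph call. The output file name users-without-mfa.csv is an arbitrary choice.

```powershell
# Added example (not from the original page): list Microsoft 365 accounts that
# have no MFA method registered, so a charity can see which users are still
# exposed to password-only account takeover.
# Assumes the Microsoft.Graph SDK is installed and the signed-in admin can
# consent to the two report scopes below.
Connect-MgGraph -Scopes "AuditLog.Read.All", "UserAuthenticationMethod.Read.All"

# One record per user from the Entra ID authentication-methods registration report
$details = Get-MgReportAuthenticationMethodUserRegistrationDetail -All

# Users who have registered nothing usable for MFA
$noMfa = $details | Where-Object { -not $_.IsMfaRegistered }

# Admin accounts without MFA are the highest-priority fixes, so sort them to the top
$noMfa |
    Sort-Object -Property IsAdmin -Descending |
    Select-Object UserPrincipalName, IsAdmin, IsMfaCapable, DefaultMfaMethod |
    Format-Table -AutoSize

# Export the list for trustees or the Cyber Essentials evidence pack (file name is arbitrary)
$noMfa |
    Select-Object UserPrincipalName, IsAdmin |
    Export-Csv -Path .\users-without-mfa.csv -NoTypeInformation

Write-Host ("{0} of {1} accounts have no MFA method registered" -f $noMfa.Count, $details.Count)
```

Registration is not enforcement: a user who appears as registered can still sign in with a password alone unless security defaults or a Conditional Access policy requires MFA for every sign-in. Run the report again after enforcement to confirm the list has emptied, and treat any remaining admin accounts as an urgent finding.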

Are we required to appoint a Data Protection Officer?

Possibly. Under the UK GDPR you must appoint a DPO if you are a public authority, if your core activities involve large-scale processing of special category data (health, mental health, ethnicity, sexual orientation, religious beliefs) or criminal offence data, or if they involve large-scale, regular and systematic monitoring of individuals. Most health, mental health, domestic abuse, and social care charities will meet this threshold. Smaller charities with limited data processing may not, but should still appoint a named Data Protection Lead with clear responsibility for data protection compliance. If in doubt, seek legal advice.

We've received a ransom demand — what do we do?

Do not pay, and do not open negotiations before you have taken advice. Isolate affected systems from the network (disconnect them, do not wipe or rebuild yet, so evidence and any chance of decryption survive) and preserve the ransom note and logs. Contact the NCSC (0300 020 0973) and your cyber insurer immediately; many policies require notification before you take any other action. Report to Action Fraud (or Police Scotland on 101 if you are in Scotland). Notify the Charity Commission as a serious incident if services are disrupted or funds or data are at risk. Begin the ICO breach notification assessment if personal data was involved; the 72-hour clock runs from when you became aware. Focus on activating your backup and recovery capability. The NCSC strongly advises against paying ransoms: payment does not guarantee data recovery, funds criminal activity, and marks you as an organisation that pays. Charities with tested offline backups can restore without payment, but note that most ransomware groups now steal data before encrypting it, so a clean restore does not remove the data breach obligations or the threat of publication.

Kyanite Blue specialises in cybersecurity for iGaming operators. MGA-licensed operators across Malta trust our stack.
