hunter2: Why Cybersecurity Shouldn’t Overwhelm Small NFP Boards

A stylised image of a boardroom discussing cybersecurity

The Australian Institute of Company Directors (AICD) has been quite clear in its messaging lately: cybersecurity is no longer just an IT issue – it’s a Board-level governance issue. They recommend that Boards consider cybersecurity as a standing item on their agendas, not merely something to be discussed after an incident. On the surface, this makes a lot of sense. The frequency and impact of cyberattacks continue to rise, and Boards need to be confident that the organisation’s defences, response plans, and risk appetite are appropriately set and maintained.

However, while I can see the value of this approach in larger or more complex organisations, I can’t help but wonder whether it might be a bit much for smaller not-for-profits (NFPs). Many of these organisations operate with limited resources, both in terms of staff and funding, and often rely heavily on volunteers. Imposing a requirement to discuss cybersecurity at every single Board meeting might risk crowding out other critical governance discussions – strategy, stakeholder engagement, service delivery – areas that are arguably just as essential to their mission and members.

Of course, I’m not arguing that cybersecurity should be ignored; large and small corporations getting “pwned” is a weekly occurrence in the news cycle. But a more proportionate approach might be sensible for smaller NFPs. For example: ensuring an annual review of cybersecurity risks, having a clear incident response plan, and having employees, volunteers and members maintain basic cyber hygiene (like strong passwords, two-factor authentication, and data backups) might provide a reasonable balance between governance diligence and operational reality.

As with most governance practices, the key is likely tailoring recommendations to the size, complexity, and risk profile of the organisation – not blindly adopting every best practice wholesale. Cybersecurity deserves attention, but for small NFPs, that attention needs to be pragmatic, not performative.

About Me

I’m Sebastian, an engineer, commercial advisor and father who is passionate about contributing my commercial, legal and engineering acumen to purpose-driven organisations that create meaningful, sustainable change in the community.