Cyber Risk
March 2026

Your Donor Database Is a Breach Waiting to Happen

Your donor management system contains exactly the information identity thieves are looking for: full names, home addresses, email addresses, phone numbers, employer information, donation history, and — if you process online gifts — payment card data. Some systems also store bank account numbers for recurring ACH donations. For healthcare nonprofits, add protected health information. For educational organizations, add student records covered by FERPA.

This data has value on the dark web. And most nonprofits protect it with the cybersecurity posture of a small retail shop — basic passwords, no multi-factor authentication, unpatched software, shared admin credentials, and IT managed by whoever on staff "knows computers."

When — not if — a breach occurs, the costs cascade immediately. Forensic investigation to determine the scope of the compromise: $200,000 to $500,000 for a significant breach. Legal counsel specializing in data breach notification: $100,000 to $300,000. Notification to affected individuals under 50 different state laws (each with its own timeline, content requirements, and penalties): $150,000 to $400,000. Credit monitoring services for affected donors: $100,000 to $250,000. Call center to handle donor inquiries: $50,000 to $150,000.

For a breach affecting 50,000 donor records — not an unreasonable number for a mid-sized nonprofit with a 20-year history — total first-party costs can reach $600,000 to $1.6 million. That's before any regulatory fines, class action litigation, or the immeasurable cost of destroyed donor trust.

The average cost per breached record, according to IBM's annual study, is $165. A nonprofit with 10,000 donor records faces a potential breach cost of $1.65 million. The average annual cyber insurance premium for a nonprofit? Approximately $1,740.

Cyber insurance covers what happens after the breach: forensic investigation, breach counsel, notification, credit monitoring, regulatory defense, business interruption while systems are restored, and crisis communications. Some policies also cover ransomware payments (with appropriate OFAC screening), social engineering fraud, and funds transfer fraud — the latter being particularly relevant for nonprofits that process wire transfers for large gifts or grant disbursements.

The gap most nonprofits don't see: their donor management platform (Bloomerang, DonorPerfect, Salesforce Nonprofit Cloud, etc.) has its own cyber exposure. If the platform provider suffers a breach that compromises your donor data, your organization still has notification obligations — but your standard cyber policy may not cover "dependent business interruption" from a third-party vendor breach without specific endorsement.

At PFTN, we build cyber programs sized to your actual data footprint — not a generic small business template. We match coverage triggers to the specific threats nonprofits face: donor database breaches, business email compromise targeting finance staff, ransomware attacks on underfunded IT infrastructure, and social engineering fraud exploiting the trust-based culture that makes nonprofits work. Because the data your donors entrusted to you deserves protection that matches the trust they placed in your mission.

— PFTN Risk Management