onprofit bserver FALL 2014 How to protect your nonprofit from cybercrime Yes, you do need investment policies

Transcription

1 N onprofit O FALL 2014 bserver How to protect your nonprofit from cybercrime Yes, you do need investment policies Have your bylaws kept pace with your nonprofit s growth? From overhead to impact Attitudes about nonprofit spending are changing

2 How to protect your nonprofit from cybercrime In July, Goodwill Industries learned from a credit card company that some of its customer data might have been stolen. The Maryland-based charity, whose 2,900 stores fund job programs, has been working with fraud investigators to learn the extent of the breach. But regardless of the size of any financial losses, the nonprofit has taken a hit to its reputation, thanks to widespread media coverage of the incident. Data thieves and other cybercriminals don t limit their attacks to large, high-profile organizations. Any nonprofit that has a computer network or collects financial or personal information in other words, most nonprofits risks data theft. If you don t already have effective policies and sophisticated protections in place, your organization could be the next headline. Ample opportunity Nonprofits generally have limited administrative personnel and often lack dedicated IT staffers. They also typically have smaller budgets for technology solutions such as firewalls, antivirus programs and intrusion protection. It s no surprise, then, that the nonprofit sector is one of the most frequently compromised by hackers. It provides cybercriminals with opportunity. Key data and systems should be backed up regularly and stored in a safe offsite location. Your nonprofit s network probably contains a wealth of data to entice hackers. For example: u Donor information, including names, addresses, credit card numbers and bank account information, u Personnel data, such as employee Social Security numbers and direct deposit information, and u Accounting records related to payroll, payables, banking, investments and other financial functions. Hospitals and other nonprofit health care organizations that collect and store patient data, including medical records and insurance information, are particularly vulnerable. Colleges and universities are also popular targets because of their multiple networks and many users including students who participate in risky online behavior such as illegal file downloading. While identity and financial data theft are still the primary objectives of most hackers, nonprofits increasingly need to worry about extortion schemes. A cybercriminal, for example, might steal and encrypt valuable data and demand ransom for the encryption key. 2

3 Fighting back Most nonprofits are already familiar with protections such as firewalls and antivirus programs. And as long as you keep your programs current and download updates as soon as they become available, you can count on some measure of cybersecurity. But your defense strategy should extend to include policies and procedures, such as datahandling rules. Overworked staffers may neglect to weed out old files, but it s important to provide procedures for disposing of sensitive data that s no longer needed. And key data and systems should be backed up regularly and stored in a safe offsite location. Because nonprofit employees often share responsibilities, be sure to create accountability for specific jobs. Training for staffers, volunteers and board members is critical, too. For example, your network s users should be made aware of such issues as scams, the proper use of laptops and mobile devices, and the risks of social engineering, where criminals manipulate people into volunteering passwords and other information. The insurance solution Even if you can t put a monetary value on the data your nonprofit collects, a cybersecurity breach can cost your organization plenty in legal fees, staff time and reputation. Traditional insurance policies such as general liability and directors and officers liability typically don t protect against such attacks. So you might want to consider buying cyber liability coverage. This type of policy can cover damage to both first parties (your organization) and third parties (donors, grantmakers, clients and other stakeholders), including costs associated with litigation, forensic and regulatory investigations, crisis management, reputation repair, credit monitoring, data restoration and business interruption. Note, however, that such coverage particularly a comprehensive policy with a high dollar amount can be expensive. Before buying a policy, consider the potential risks and costs of an actual data breach. You might also consider taking proactive steps against an attack by hiring a white hat hacker. This consultant uses the latest techniques to test your network and devices for holes so that you can plug them. Time and money Of course, a robust cybercrime-fighting program takes time and at least a small bite out of your nonprofit s budget. Convincing your board that such expenditures are necessary may be tough. Increasingly, nonprofits are creating technology committees led by tech executives or other knowledgeable board members. If your board lacks tech expertise, make recruiting someone who understands the need for cybersecurity and how to achieve it a priority. Your tech committee might be tasked with creating policies, determining budgets, evaluating software and products such as cyber liability insurance (see The insurance solution at right), and planning how your organization would respond to a cyber attack. If your tech committee plans to act as first responders to a cybersecurity incident, be sure to include a public relations expert in the group. The timing and wording of communications can significantly affect how the media and your organization s stakeholders respond to an event. Build a better fortress Data is likely one of your nonprofit s most valuable assets, and it s important to protect it as you would physical property. If your current cybersecurity policies and practices are a little skimpy, it s time to work with your board and outside experts to build a better fortress. Q 3

4 Yes, you do need investment policies So you think investment policies are only for nonprofits with millions to invest? Not true. If your organization holds funds in reserve for example, to cover emergencies or meet long-term goals it s prudent to have investment policies. Such policies will help ensure that you manage reserve funds responsibly according to their purpose and take steps to minimize investment risk. Pooling funds Creating investment policies begins by identifying and defining the purpose of different funds or investment pools. Some nonprofits maintain only one pool of reserves, lumping operating with reserve funds and combining short-term restricted with long-term designated funds. If this is the case with your organization, you need to differentiate these pools according to their purposes, time horizons and any restrictions that may apply to them. To ensure you re properly categorizing the funds, consult legal and accounting documents, such as your organization s bylaws, donor agreements and cash flow models. Making rules After you ve identified separate investment pools, create written investment policies and guidelines for each one. A pool s purpose and time horizon will be critical. Short-term pools are used to pay operationsrelated bills, and their funds may be needed at any time on short notice. For such a pool, your investment objectives should include safety, liquidity and, possibly, yield. Typically, the best and safest short-term investments are money market funds, Treasury bills, certificates of deposit and short-term, high-quality bonds. Long-term pools include endowments, contingency reserves and allocations for making major improvements. Here, the investment objectives generally are growth and capital preservation, which may be achieved by investing in highquality equities, long-term bonds and some short-term investments. If you re seeking a constant income stream, you may want to stagger bond purchases so that an interest payment comes due every month. For all of your pools, consider whether you want to prohibit certain investments that conflict with your nonprofit s mission or a donor s wishes. A cancer research charity, for instance, might ban tobacco company stock from its portfolio. Allocating assets In addition to identifying each pool s specific return objectives and permissible investments, address each asset class s minimum and maximum allocations. For example, your investment committee may decide that equities should represent no less than 30% and no more than 60%. Such asset allocation guidelines are important when determining a portfolio s potential risks and returns. Studies have shown that asset allocation decisions account for more than 90% of a portfolio s total return far exceeding the importance of individual security selection. Promoting diversity Occasionally, more financially conservative or less investment-savvy board members may recoil at the idea of buying stocks for a nonprofit s portfolio. Remind them that portfolios with a small percentage invested in common 4

5 stocks historically have produced higher returns with less risk of loss than portfolios consisting entirely of fixed-income investments. You should include in your nonprofit s portfolio different assets whose price movements generally don t follow each other. For example, intermediate maturity bonds and mortgagebacked securities do little to diversify a portfolio because their price movements generally are related to interest rate movements. However, intermediate maturity bonds typically have a low correlation with the price movements of common stock, so combining the two in a portfolio can reduce overall risk. If your board or investment committee contains knowledgeable investors for example, CPAs, bankers or financial planners you might allow them to make asset-allocation decisions. Otherwise, work with a professional money manager, at least initially. Once you ve chosen investments, your nonprofit may be able to monitor performance, adjust weightings and make trading decisions on its own. Note that your investment policies should state who is authorized to make such decisions. Do it now Don t wait for your organization to receive a major gift before writing investment policies. The sooner you start thinking about responsible money management, the better prepared you ll be when you one day have stewardship of a large endowment. Q Have your bylaws kept pace with your nonprofit s growth? Over time, your nonprofit is likely to experience considerable change its constituency and support may grow, its goals and priorities may shift and you ll probably need to revisit your organization s bylaws. They should be detailed enough to address all organizational issues but flexible enough to provide institutional stability. If your bylaws no longer achieve this delicate balance, or perhaps never did, consider working with your professional advisors to amend them. First things first Bylaws are the rules and principles that define your governing structure, serving as an architectural framework for your organization. Although bylaws aren t required to be public documents, consider making them available to the public to increase accountability and transparency. Your bylaws might cover such topics as the size and function of your board, the election of new directors and the use of grant money. Without being too specific, they should provide procedures for resolving internal disputes, such as the removal and replacement of a board member. Back to the drawing board Before you attempt to revise your nonprofit s bylaws, make sure you have the authority to do so. Most bylaws contain an amendment paragraph that defines the procedures for changing them. 5

6 Then consider creating a bylaw committee made up of a cross-section of your organization s membership or constituency. This committee will be responsible for reviewing existing bylaws and recommending revisions to your board or members for a full vote. It s important that your bylaw committee focus on your nonprofit s mission, not organizational politics. A bylaw change is appropriate only if you want to change your nonprofit s governing structure. Wanting to change how you operate suggests that you may have drifted from your original mission. In this case, you may need to reorganize your operations rather than rewrite your bylaws. Toeing the line If your nonprofit is incorporated, you ll need to ensure that any bylaw changes conform with your incorporation articles, which spell out your nonprofit s purpose and outline its allowable activities. For example, the purposes clause in your bylaws must match that in your incorporation articles. Any new bylaw provision or language changes contrary to the objectives and ideals included in your incorporation documents may invalidate the revisions. Bylaw provisions that suggest you ve strayed from your original mission can also jeopardize your federal tax-exempt status. Make sure your bylaw amendments are consistent with your tax-exempt purpose. And notify the IRS if they represent a structural or operational change by reporting the amendments on your Form 990. Also review your state s statute that governs nonprofits, because it may contain mandatory provisions that affect your bylaws. In the absence of bylaws, your state may dictate a proper course of action. If you don t coordinate your bylaws with such a statute, you may unwittingly hinder your management s ability to operate. An opportunity Revising your bylaws is more than just altering the language of rarely visited documents. The process provides you with an opportunity to look closely at how your nonprofit is evolving and whether such evolution is consistent with your original mission. Q From overhead to impact Attitudes about nonprofit spending are changing It came as a welcome surprise to many in the nonprofit community when, in 2013, three of the largest charity watchdog groups GuideStar, Charity Navigator and the Better Business Bureau s Wise Giving Alliance publicly addressed the overhead myth. Urging donors to pay attention to other factors of nonprofit performance: transparency, governance, leadership, and results, the open letter went one step further, stating that many charities should spend more on overhead. This last statement isn t news to nonprofits struggling to pay administrative and fundraising costs while trying to maintain their reputations for fiscal responsibility. But it may mark the beginning of an attitude shift among watchdogs, donors, grantmakers and the media. Spend money to make money In the past, watchdog groups were notorious for giving overhead ratios significant weightings in their rankings of charities. While such a practice can help potential donors weed out spendthrift organizations, it also tends to unfairly penalize nonprofits making reasonable expenditures for 6

7 current needs and strategic investments in their future. As the saying goes, you have to spend money to make money. Your donors may be using such impact-based yardsticks as What difference does this organization make in our community? Recognizing this reality, the White House Office of Management and Budget recently issued guidance stating that at least 10% of federal dollars awarded to nonprofit grantees should pay for indirect (overhead) costs. Calling this move a once in a generation overhaul of federal grants policies, the National Council of Nonprofits explained, New guidance means that nonprofits should be able to focus more on their missions and should be under less pressure to raise additional funds to essentially subsidize governments. The response from nonprofits receiving federal funds has been overwhelmingly positive. produce better outcomes and broader reach over time. Publicly communicating impact is another challenge. One practical solution is to revise such publications as your annual report. Although compliance with Generally Accepted Accounting Principles requires nonprofits to report costs in one of three categories program, fundraising, and general and administrative no one is stopping you from breaking out administrative items and telling the story about how they were used to enhance programs and ultimately affect lives. Advice for change If you re still unsure about how much your nonprofit should spend on overhead and how it can best deploy resources for meaningful impact, talk to your financial advisors. Times are changing for the better and your organization needs to change with them. Q Measuring performance How then should supporters evaluate the performance of charities, if not with overhead ratios? For many, impact is the new buzzword, generally defined as the long-term or indirect effects of more measureable outcomes (such as the number or percentage of individuals served). Impact typically refers to broader societal change and can be much less predictable than outcomes. Already your donors may be using such impactbased yardsticks as What difference does this organization make in our community? Such a shift of perspective is good news, but it may mean that your nonprofit needs to make some cultural changes including at the board level. For example, you might have to convince your board that spending more on such items as executive salaries and marketing programs will This publication is distributed with the understanding that the author, publisher and distributor are not rendering legal, accounting or other professional advice or opinions on specific facts or matters, and, accordingly, assume no liability whatsoever in connection with its use NPOfa14 7