The Cybercrime Response Plan Every Nonprofit Needs: What To Do First

When a cyberattack hits your nonprofit, do you know what to do? Cybersecurity expert Michael Nouguier, Partner at Cybersecurity Services at Richey May, walks us through the essential steps every nonprofit must take—before, during, and after a cyber event. As host Julia Patrick notes, it’s not a matter of if, but when, and being unprepared is no longer an option.

From clarifying what cyber insurance actually covers to practicing realistic incident response exercises, Michael offers a pragmatic and step-by-step guide tailored for nonprofit leaders. He points out, “Failure to plan is planning to fail,” and urges organizations to move beyond hope and into action.

The conversation dissects misconceptions, such as thinking IT alone can handle a breach or believing cyber insurance is a comprehensive solution. Instead, Michael recommends building internal resilience with tabletop exercises that include the board, C-suite, legal, and communications staff. These scenario-based run-throughs help teams build muscle memory and prevent panic when disaster strikes.

Third-party vendors—often a hidden weak spot—are addressed in detail. Michael reminds us, “You are the trusted data collector,” meaning nonprofits must ensure their vendors share the same security culture, including notification clauses and accountability.

What if the worst happens? Michael stresses calm, communication, and preservation of evidence. “Don’t delete anything,” he cautions, as doing so can sabotage forensic investigations and potential fund recovery. He also reminds leaders to report incidents to local authorities and the FBI’s IC3.gov, reinforcing the legal and ethical responsibility to act swiftly and transparently.

Perhaps one of the most human insights is around fostering a blame-free culture. Employees fearing punishment won’t report mistakes, making things worse. “Everyone—even me—has clicked a phishing link,” Michael admits, highlighting the importance of openness and psychological safety within teams.

Ultimately, this is a call to action for nonprofit leaders to shift from avoidance to preparedness. Cyberattacks are not just technical disruptions—they can financially and operationally dismantle an organization. With the right mindset, strategy, and communication plan, your nonprofit can weather the storm and keep its mission alive!