The government’s latest Cyber Security Breaches Survey shows that 76% of charities with an income of £5m or more reported experiencing a cyber security breach or attack in the year to March 2022.  This figure falls to 62% of charities with annual incomes of £500,000 or more.

Key Points

  • Across the sector, 30% said they had been targeted by cyber criminals in the past year.
  • Phishing was reported as being the predominant type of Cyber-attack, although 10% suffered much more serious malware attacks.
  • The mean average cost to a charity hit by a cyber-attack was £300, which is based on responses from 424 UK charities and more than 1,200 UK businesses.
  • There remains a significant risk in terms of Cyber governance in that only 40% of charities reported having a policy of not paying to undo a ransomware attack. However, another 27% were not aware of any policy or even if one was in place.


More than three-quarters of larger charities have been targeted by cyber criminals in past year | Third Sector (requires free registration)

Cyber Security Breaches Survey 2022 – GOV.UK (

Action Required

Audit Committees and Boards are recommended to seek assurance that IT security remains on the agenda, and to seek assurances checked that systems are patched, monitored, and backed up.  IT Disaster Recovery plans should be regularly reviewed to keep up to date, and subject to table-top exercise testing, ideally using a malware incident scenario such as the NCSC’s “Exercise in a box”.